How to prevent SSH brute force attacks using DenyHosts
By skear
If you've ever looked through the system logs of your Linux system you might be surprised to see hundreds of failed login attempts by hackers. These automated attacks are known as brute force or dictionary attacks. Usually carried out by large botnets, these attacks are an attempt to break into your system by guessing hundreds and sometimes thousands of passwords.
DenyHosts is a script that was created by Phil Schwartz to help system administrators detect these hack attempts and prevent future attacks. The script works by analyzing your system logs at a regular interval to look for failed login attempts. If multiple failed attempts are detected, the source IP address of the attacker is added to /etc/hosts.deny, preventing any future attempts. DenyHosts can be configured to send email notifications of blocked systems if you choose.
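The core of what DenyHosts does, written here as an added Python example (not DenyHosts' own code): scan sshd log lines for failed password attempts, count them per source address, and emit /etc/hosts.deny entries for addresses that reach a threshold. The log lines, the threshold value of 3 and the allow-list are constructed assumptions; the "sshd: address" entry syntax is the standard hosts_access format.

```python
import re
from collections import Counter

# Constructed sample lines in the format OpenSSH writes to /var/log/secure
# or /var/log/auth.log (hostnames and addresses are made up).
SAMPLE_LOG = """\
Mar  1 10:02:11 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:02:14 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  1 10:02:17 web1 sshd[4121]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  1 10:02:19 web1 sshd[4122]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  1 10:05:01 web1 sshd[4130]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Mar  1 10:06:42 web1 sshd[4133]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def hosts_to_deny(counts, threshold, allowed=()):
    """Addresses at or above the threshold, minus an allow-list (e.g. your own admin host)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allowed)

def hosts_deny_lines(ips):
    """Render entries in the syntax used in /etc/hosts.deny (daemon: client)."""
    return ["sshd: %s" % ip for ip in ips]

if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for entry in hosts_deny_lines(hosts_to_deny(failures, threshold=3)):
        print(entry)
```

With the sample above only 203.0.113.5 crosses the threshold; the single failure from 198.51.100.7 (a legitimate user mistyping a password) is left alone, which is why the threshold and allow-list matter before anything is written to hosts.deny.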
How to Install DenyHosts
First you'll need to download the DenyHosts package. You can download the package as either a tarball or rpm. For the purposes of this guide we'll use the tarball (tar.gz file). The current version of DenyHosts is 2.6. The installation procedure below should be performed as root.
After you've downloaded the tarball you'll need to extract the contents.
tar zxvf DenyHosts-2.6.tar.gz
Next enter the directory that was extracted.
cd DenyHosts-2.6
Then run the python installation script.
python setup.py install
By default the installer will create the directory /usr/share/denyhosts. Inside this directory will be a sample configuration file and a daemon control script. First you'll need to make a copy of the sample config file and then edit it. You can use vi, or a text editor of your choice.
cp denyhosts.cfg-dist denyhosts.cfg
vi denyhosts.cfg
The config file is very well commented and should be self explanatory.
In order to make denyhosts run as a daemon you'll need to create a copy of the sample daemon control file and edit it as needed. For many systems the default options in the control file will work just fine.
cp daemon-control-dist daemon-control
vi daemon-control
Set the proper owner and permissions on the daemon-control file.
chown root daemon-control
chmod 700 daemon-control
To set DenyHosts to start automatically on boot create a symbolic link to the daemon control file using the commands below.
cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
Completion
Now you're ready to start the DenyHosts daemon.
/etc/init.d/denyhosts start
To confirm that DenyHosts is running check the log file for output.
cat /var/log/denyhosts
If you've configured email alerts in the configuration file you'll receive a notice every time a new attacker is banned.
Now you can sit back and relax knowing that you've just made your system much more secure.
Plugin configuration
Plugins
DenyHosts allows users to further extend the usefulness of the program by using plugins. By modifying the configuration file DenyHosts can execute a plugin when a host is added or removed from the deny list.
One of the most useful plugins is report-hack-isp. This plugin can automatically notify the ISP that owns the IP address from which the hack attempt originated. This allows the ISP to take action against the offender and resolve the root problem. Since I have been using this plugin I have received many responses back from ISPs, sometimes to say thanks or to let me know that they have taken some action.
garryjbs 14 months ago
DenyHosts is a good tool for filtering brute force or dictionary attacks.