Preventing brute force attacks on SSH
Security is an important thing, and here it is not subject to discussion. Take care of the safety of their machines and therefore their data on both home computers and servers. The latter may be more vulnerable to various attacks, server network is always connected to the network, and may contain other information of interest to.
It is also an excellent tool for carrying out further attacks on other servers and computers, therefore, become a tasty morsel for someone.
DenyHosts is a tool used for intrusion prevention servers. It detects brute force attacks, monitor invalid login attempts, writes to the event log and blocks the IP from which the attack was carried out.
Installing Debian / Ubuntu
1 | sudo apt-get install denyhosts |
Configuration
After installation, the daemon automatically starts and is already pre-configured. It works and does the job, But it must be adapted to your needs. The configuration file is located in /etc/denyhosts.conf and need to edit it:
1 | nano /etc/denyhosts.conf |
important settings:
Section PURGE_DENY, in the set time after which the blocked IP is to be removed from the blacklist. The default is set:
1 | PURGE_DENY = |
Which means, that IP is blocked permanently and are not removed from the blacklist. I think, that you should just leave.
BLOCK_SERVICE, We set here whether the IP will be blocked only for SSH or for all services. The default is to block only SSH, so you want to replace:
1 | BLOCK_SERVICE = sshd |
belongs
1 | BLOCK_SERVICE = ALL |
DENY_THRESHOLD_INVALID, Here we set after how many successful attempts to not log IP to be banned. The default is 5 unsuccessful attempts:
1 | DENY_THRESHOLD_INVALID = 5 |
DENY_THRESHOLD_VALID, This option is also responsible for setting the amount of failed logins after which the IP will be banned, with the exception that applies to the accounts that exist in the / etc / passwd. The default is 10 attempts:
1 | DENY_THRESHOLD_VALID = 10 |
DENY_THRESHOLD_ROOT set in this section can be set, whether they be immediately blocked attempts to log on as root. If someone wants to log on as root, his IP will be banned. The default is enabled:
1 | DENY_THRESHOLD_ROOT = 1 |
DENY_THRESHOLD_RESTRICTED If enabled IP blocking the sign-in attempt with the login file of said restricted-usernames. enabled by default:
1 | DENY_THRESHOLD_RESTRICTED = 1 |
SYNC_SERVER very interesting option, when it is turned DenyHosts will charge a base of blocked IP from the server (remember botnets are not sleeping 😛 heise-online.pl) By default, this option is disabled, However, should enable it, just uncomment:
1 | #SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 |
SYNC_INTERVAL this option is responsible for the frequency synchronization database of blocked IP (only useful for inclusion SYNC_SERVER). uncomment:
1 | #SYNC_INTERVAL = 1h |
SYNC_UPLOAD this option allows you to send to the server our database of blocked IP. You can enable this by uncommenting:
1 | #SYNC_UPLOAD = yes |
SYNC_DOWNLOAD setting permits to get the list of banned IP, you must enable it by uncommenting:
1 | #SYNC_DOWNLOAD = yes |
It also set up sections ADMIN_EMAIL, SMTP_HOST, SMTP_USERNAME i SMTP_PASSWORD
