
Re: denyhosts + tcp wrappers?



On 11/07/2007 04:44, Bob Proulx wrote:
If you are finding 'denyhosts' difficult then you may want to install
'fail2ban' as one standalone method to stop this since it is extremely
simple.  It should work out of the box.


Denyhosts did work out of the box.

My understanding of how denyhosts works is that it is scheduled to parse the auth.log file every X seconds, identifying failed login attempts; it then tallies those attempts and, if the total of failed login attempts is above Y, writes the source IP to /etc/hosts.deny. The (very minor) hole here is that if, say, denyhosts runs every 30 seconds, script-happy-john has a window of 30 seconds to guess user name & password pairs.

The purpose of the "howto" in the blog was to change the operation of denyhosts so that, rather than denyhosts being scheduled to parse auth.log every X seconds, denyhosts would be initiated by every ssh login attempt. Now script-happy-john only gets his first 3 attempts for free.

I will give fail2ban a go, after I'm finished testing with denyhosts.


I've read this blog: http://tdot.blog-city.com/securing_ssh_with_denyhosts.htm but there are differences in the files/paths used on debian and what the blog-author uses. I've plugged along but I'm not sure if I have denyhosts configured right.

I don't see any file path problems.  Did you install the Debian
version?  I would assume that the Debian package maintainer took care
of getting all of the paths correct.

There are minor differences in the blog; maybe they were typos by the author? IIRC there are also differences between the file paths referenced in the man pages and the files available in the debian install. I will confirm that when I'm on this particular machine again.

I downloaded denyhosts using apt; I've never changed the default apt sources since installing debian a couple of weeks ago.


The thing is, if I attempt to login via SSH using a bad username/password 3 times, there's a delay of approx 5-10 seconds before my IP address shows up in /etc/hosts.blocked.

Then it appears to be working.

It's this delay of 5-10 seconds that makes it possible for me to attempt more logins.


On average half of that time would be waited before detection.
The alternative to this delay would be FAM and I am not sure it is
worth adding that as a dependency.

Never heard of "FAM" (linux beginner); I'll go check it out.


Also, if I change /etc/hosts.deny with the intention of blocking access to ALL services to IPs listed in /etc/hosts.blocked, denyhosts stops working as above. Here's what I changed /etc/hosts.deny to:

/etc/hosts.deny
ALL:/etc/hosts.blocked
sshd:ALL:spawn /usr/sbin/denyhosts --purge -c /etc/denyhosts.conf:allow

I would avoid mixing simple and extended syntax in the same file.  I
would simply use the extended syntax and put everything in the
/etc/hosts.allow file.  Not sure this is the problem but I think it
would be a better practice anyway.  Also, dynamically updated files
are better placed in /var/run rather than in /etc.  Here is a
suggested improvement.  UNTESTED!

  ALL:/var/run/denyhosts/hosts.blocked:DENY
  sshd:ALL:spawn /usr/sbin/denyhosts --purge -c /etc/denyhosts.conf:ALLOW

I'll take this onboard and try again using these settings.


Thank you Bob.
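As an added example (not code from this thread or from tcp_wrappers), here is a small Python simulator of the hosts_access(5) lookup for the subset of syntax used above: daemon and client lists, a client pattern that names a file of patterns, and the extended ALLOW/DENY options. It lets you check a rule set such as Bob's suggested hosts.allow before deploying it, including why the order of those two lines matters. The block-list file contents and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed sample data.

```python
# Added example: simulate libwrap's hosts_access(5) decision for the subset of
# syntax in this thread. "spawn" commands are parsed but never executed.

# Constructed stand-in for the files libwrap would read from disk.
FILES = {"/var/run/denyhosts/hosts.blocked": "203.0.113.7\n# note\n198.51.100.\n"}

# Bob's suggested /etc/hosts.allow, and the same two rules in the wrong order.
SUGGESTED = ("ALL:/var/run/denyhosts/hosts.blocked:DENY\n"
             "sshd:ALL:spawn /usr/sbin/denyhosts --purge -c /etc/denyhosts.conf:ALLOW\n")
SWAPPED = "\n".join(reversed(SUGGESTED.splitlines())) + "\n"

def _client_ok(pattern: str, client: str, files: dict) -> bool:
    """Match one client pattern against one IPv4 address string."""
    p = pattern.strip()
    if p.startswith("/"):          # a file of whitespace-separated patterns
        toks = [t for ln in files.get(p, "").splitlines()
                if not ln.lstrip().startswith("#") for t in ln.split()]
        return any(_client_ok(t, client, files) for t in toks)
    if p.upper() == "ALL":
        return True
    if p.endswith("."):            # 'n.n.n.' prefix form
        return client.startswith(p)
    return client == p

def _rules(text: str):
    """Yield (daemons, clients, verdict); verdict is None without ALLOW/DENY."""
    for ln in text.splitlines():
        if not ln.strip() or ln.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in ln.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {ln!r}")
        verdict = None
        for opt in fields[2:]:     # extended options: spawn, ALLOW, DENY, ...
            if opt and opt.split()[0].lower() in ("allow", "deny"):
                verdict = opt.lower()
        yield fields[0].split(), fields[1].split(), verdict

def hosts_access(daemon: str, client: str, allow_txt: str, deny_txt: str,
                 files: dict = FILES) -> str:
    """Return 'allow' or 'deny' in libwrap's search order: hosts.allow first,
    then hosts.deny, first matching rule wins, no match means access granted."""
    for default, text in (("allow", allow_txt), ("deny", deny_txt)):
        for daemons, clients, verdict in _rules(text):
            if (any(d.upper() == "ALL" or d == daemon for d in daemons)
                    and any(_client_ok(c, client, files) for c in clients)):
                return verdict or default
    return "allow"
```

With SWAPPED, the catch-all sshd ALLOW rule matches first and the block list is never consulted, so a blocked address gets in; that is the kind of mistake the simulator catches.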
