HOWTO Setup Deny Hosts: Difference between revisions
Line 78: | Line 78: | ||
<font color=red>hostname</font> <font color=blue>~ #</font> '''tail -f /var/log/denyhosts''' | <font color=red>hostname</font> <font color=blue>~ #</font> '''tail -f /var/log/denyhosts''' | ||
Also - given the above settings, it takes one hour (1h) after starting the denyhost daemon before a sync to the denyhost-server is attempted. | Also - given the above settings, it takes one hour (1h) after starting the denyhost daemon before a sync to the denyhost-server is attempted. | ||
<br> | |||
And - if you're trying crazy-strict '''outgoing''' firewall rules, you may need to open to xmlrpc.denyhosts.net:9911. | And - if you're trying crazy-strict '''outgoing''' firewall rules, you may need to open to xmlrpc.denyhosts.net:9911. |
Revision as of 21:09, 16 November 2012
Purpose
Fail2ban, working in combination with iptables, is our favoured method of controlling crack-attempts. Fail2ban is reactionary though (responding as/after attacks occur), and is best-used only on a real server. Denyhosts makes use of a collaborative, on-line list of attackers, and can therefore be very pro-active in blocking crack-attempts. So, we're testing defence-in-depth by applying both fail2ban and denyhosts on some machines. In addition, our virtual servers (Gentoo Linux Vserver guests) cannot directly address hardware, do not run iptables, and cannot use fail2ban - Denyhosts is a great security addition to a Vserver-guest.
Setup
- If ssh is not compiled tcpd you will need to edit make.conf and recompile.
hostname ~ # emerge -pv net-misc/openssh [ebuild R ] net-misc/openssh-x.x USE="tcpd"
- There will be more USE flags listed in addition to tcpd but it is the only necessary flag for this setup.
hostname ~ # emerge -v denyhosts [ebuild N ] app-admin/denyhosts-x.x
Manually create a missing file:
hostname ~ # touch /var/lib/denyhosts/sync-timestamp
- Denyhosts can be run as a cron job, but we run it as as service:
hostname ~ # rc-update add denyhosts default
Configure
- There are several values to change in denyhosts.conf. Refer to the comments in this file for more information.
hostname ~ # emacs -nw /etc/denyhosts.conf PURGE_DENY =2h PURGE_THRESHOLD = 3 BLOCK_SERVICE = ALL REM out BLOCK_SERVICE = sshd DENY_THRESHOLD_ROOT = 4 SYSLOG_REPORT=YES SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 SYNC_INTERVAL = 1h SYNC_UPLOAD = yes SYNC_DOWNLOAD = yes SYNC_DOWNLOAD_THRESHOLD = 3
Problems arise when friendly folks attempt to access services and fail. This is especially harsh when an automated tool attempts to re-access a service repeatedly with the failing credentials, and before the user can even react, they are blocked :-( We add entries to /etc/hosts.allow to try to prevent this:
hostname ~ # emacs -nw /etc/hosts.allow # SFU IP ADDRESSES. Taken from http://whois.arin.net/rest/org/SFU-1/nets on March 6, 2012. GRP. #192.75.241.0/11 142.58.0.0/16 209.87.56.0/24 206.12.128.0/8 206.12.30.0/8 207.23.85.0/8 204.244.192.168/3 199.60.0.0/12 # SHAW IP ADDRESSES. Taken from http://whois.arin.net/rest/org/SHAWC/nets on March 6, 2012. GRP. #174.0.0.0/13 184.64.0.0/13 204.209.208.0/21 204.244.240.0/9 24.108.0.0/15 24.64.0.0/13 24.70.0.0/15 24.71.223.0/24 24.76.0.0/15 24.80.0.0/13 24.244.0.0/18 50.64.0.0/13 68.144.0.0/11 70.64.0.0/12 96.48.0.0/13 64.59.128.0/18 66.163.64.0/20 # TELUS IP ADDRESSES. Taken from http://whois.arin.net/rest/org/TACE/nets on March 6, 2012. GRP. #204.209.208.0/11 24.108.0.0/15 64.59.128.0/18 142.60.0.0/16 137.186.0.0/16 206.75.0.0/16 207.81.0.0/16 207.134.0.0/16 154.5.0.0/16 204.174.120.0/15 209.115.222.0/8 204.174.64.0/11 142.169.0.0/16 142.168.0.0/16 199.84.240.0/10 64.180.0.0/16 50.92.0.0/15 216.226.32.0/13 206.162.128.0/14 66.110.128.0/14 207.102.0.0/16 206.108.16.0/12 207.34.128.0/14 207.194.0.0/16 208.181.0.0/16 209.52.0.0/16 204.174.211.0/11 206.108.192.0/13 64.114.0.0/16 209.115.128.0/15 161.184.64.0/11 209.107.96.0/13 154.5.0.0/16 207.228.64.0/14 207.148.128.0/14 209.91.64.0/14 205.236.24.0/8 205.236.48.0/8 209.104.64.0/14 207.167.192.0/14 154.11.0.0/16 216.123.192.0/14 207.229.0.0/14 208.38.0.0/14 199.212.152.0/11 204.225.240.0/11 207.34.192.0/14 209.20.0.0/14 209.121.0.0/16 206.108.64.0/13 209.89.0.0/16 205.206.0.0/16 209.162.160.0/12 204.191.0.0/16 205.250.0.0/16 207.81.0.0/16 209.171.0.0/16 209.29.0.0/16 198.53.0.0/16 206.116.0.0/16 198.166.0.0/16 206.75.0.0/16 207.216.0.0/16 207.6.0.0/16 66.222.128.0/15 207.134.0.0/16 216.218.0.0/14 137.186.0.0/16 199.126.0.0/16 209.202.64.0/14 66.203.192.0/13 207.219.0.0/16 216.232.0.0/16 209.53.0.0/16 66.183.0.0/16 207.34.64.0/14 206.26.204.192/14 205.138.102.0/8 207.6.32.0/13 206.116.224.0/11 173.180.0.0/16 205.138.98.0/8 108.172.0.0/16 75.152.0.0/16 154.20.0.0/16 99.199.0.0/16 50.98.0.0/16 23.16.0.0/16 # DELTA CABLE IP ADDRESSES. Taken from http://whois.arin.net/rest/org/DLTA/nets on March 6, 2012. GRP. #24.207.0.0/15 SSHD: 127.0.0.1/8 192.75.241.0/11 142.58.0.0/16 209.87.56.0/24 206.12.128.0/8 206.12.30.0/8 207.23.85.0/8 204.244.192.168/3 199.60.0.0/12 174.0.0.0/13 184.64.0.0/13 204.209.208.0/21 204.244.240.0/9 24.108.0.0/15 24.64.0.0/13 24.70.0.0/15 24.71.223.0/24 24.76.0.0/15 24.80.0.0/13 24.244.0.0/18 50.64.0.0/13 68.144.0.0/11 70.64.0.0/12 96.48.0.0/13 64.59.128.0/18 66.163.64.0/20 204.209.208.0/11 24.108.0.0/15 64.59.128.0/18 142.60.0.0/16 137.186.0.0/16 206.75.0.0/16 207.81.0.0/16 207.134.0.0/16 154.5.0.0/16 204.174.120.0/15 209.115.222.0/8 204.174.64.0/11 142.169.0.0/16 142.168.0.0/16 199.84.240.0/10 64.180.0.0/16 50.92.0.0/15 216.226.32.0/13 206.162.128.0/14 66.110.128.0/14 207.102.0.0/16 206.108.16.0/12 207.34.128.0/14 207.194.0.0/16 208.181.0.0/16 209.52.0.0/16 204.174.211.0/11 206.108.192.0/13 64.114.0.0/16 209.115.128.0/15 161.184.64.0/11 209.107.96.0/13 154.5.0.0/16 207.228.64.0/14 207.148.128.0/14 209.91.64.0/14 205.236.24.0/8 205.236.48.0/8 209.104.64.0/14 207.167.192.0/14 154.11.0.0/16 216.123.192.0/14 207.229.0.0/14 208.38.0.0/14 199.212.152.0/11 204.225.240.0/11 207.34.192.0/14 209.20.0.0/14 209.121.0.0/16 206.108.64.0/13 209.89.0.0/16 205.206.0.0/16 209.162.160.0/12 204.191.0.0/16 205.250.0.0/16 207.81.0.0/16 209.171.0.0/16 209.29.0.0/16 198.53.0.0/16 206.116.0.0/16 198.166.0.0/16 206.75.0.0/16 207.216.0.0/16 207.6.0.0/16 66.222.128.0/15 207.134.0.0/16 216.218.0.0/14 137.186.0.0/16 199.126.0.0/ 16 209.202.64.0/14 66.203.192.0/13 207.219.0.0/16 216.232.0.0/16 209.53.0.0/16 66.183.0.0/16 207.34.64.0/14 206.26.204.192/14 205.138.102.0/8 207.6.32.0/13 206.116.224.0/11 173.180.0.0/16 205.138.98.0/8 108.172.0.0/16 75.152.0.0/16 154.20.0.0/16 99.199.0.0/16 50.98.0.0/16 23.16.0.0/16 24.207.0.0/15 ALL: 192.75.241.0/11 142.58.0.0/16 209.87.56.0/24 206.12.128.0/8 206.12.30.0/8 207.23.85.0/8 204.244.192.168/3 199.60.0.0/12
Turn It On
hostname ~ # /etc/init.d/denyhosts start
Problems?
Try:
hostname ~ # tail -f /var/log/denyhosts
Also - given the above settings, it takes one hour (1h) after starting the denyhost daemon before a sync to the denyhost-server is attempted.
And - if you're trying crazy-strict outgoing firewall rules, you may need to open to xmlrpc.denyhosts.net:9911.