HOWTO Setup DenyHosts
Purpose
Fail2ban, working in combination with Iptables, is a superior method of controlling hacking activities. However, our virtual servers cannot directly address hardware. As a work-around
- If OpenSSH is not compiled with tcpd support, you will need to enable the tcpd USE flag in make.conf and recompile.
hostname ~ # emerge -pv net-misc/openssh
[ebuild R ] net-misc/openssh-x.x USE="tcpd"
- There will be more USE flags listed in addition to tcpd, but tcpd is the only flag necessary for this setup.
hostname ~ # emerge -v denyhosts
[ebuild N ] app-admin/denyhosts-x.x
emerge -vp denyhosts
rc-update add denyhosts default
vi /etc/denyhosts.conf
PURGE_DENY = 2h
PURGE_THRESHOLD = 3
BLOCK_SERVICE = ALL
# BLOCK_SERVICE = sshd   (comment out the default sshd-only line in favour of ALL)
DENY_THRESHOLD_ROOT = 4
SYSLOG_REPORT = YES
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
/etc/init.d/denyhosts start
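As an added example (not part of this HOWTO and not DenyHosts' own code), the following Python models the core of what DenyHosts does with the settings above: it counts failed sshd logins per client address, applies DENY_THRESHOLD_ROOT = 4, and renders hosts.deny entries according to BLOCK_SERVICE. The log lines, the function names and the valid/invalid account thresholds are constructed assumptions, not values from the page.

```python
import re
from collections import Counter

# Constructed sshd log lines (sample input, not from the HOWTO), in the syslog
# format DenyHosts reads: four root failures from 203.0.113.5, two failures for
# a non-existent account from 198.51.100.7, and one successful login.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:05 host sshd[2101]: Failed password for root from 203.0.113.5 port 40123 ssh2
Mar  3 10:01:09 host sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar  3 10:01:12 host sshd[2105]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar  3 10:02:00 host sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 5022 ssh2
Mar  3 10:02:03 host sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 5023 ssh2
Mar  3 10:03:00 host sshd[2120]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def count_failures(log_text):
    """Count failed logins per (client IP, account category); the categories
    'root', 'valid' and 'invalid' mirror DenyHosts' separate thresholds."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        invalid, user, ip = m.groups()
        category = "root" if user == "root" else ("invalid" if invalid else "valid")
        counts[(ip, category)] += 1
    return counts

def hosts_to_deny(counts, deny_threshold_root=4,
                  deny_threshold_valid=10, deny_threshold_invalid=5):
    """Sorted IPs that reached the threshold for their category. 4 for root is
    the HOWTO's DENY_THRESHOLD_ROOT; the other two are assumed, not from the page."""
    thresholds = {"root": deny_threshold_root, "valid": deny_threshold_valid,
                  "invalid": deny_threshold_invalid}
    return sorted({ip for (ip, cat), n in counts.items() if n >= thresholds[cat]})

def hosts_deny_lines(ips, block_service="ALL"):
    """Render 'service: client' entries as tcpd reads them from /etc/hosts.deny.
    block_service follows BLOCK_SERVICE: ALL blocks every wrapped service."""
    return [f"{block_service}: {ip}" for ip in ips]

if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(count_failures(SAMPLE_LOG))):
        print(entry)  # ALL: 203.0.113.5
```

Lowering the thresholds or switching block_service to "sshd" shows how the same counts turn into different hosts.deny entries; with BLOCK_SERVICE = ALL a blocked host loses every tcpd-wrapped service, not just SSH.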
Purpose
TCP Wrappers can effectively control access to services that have tcpwrapper support compiled in. The controlling daemon is tcpd, which is automatically pulled in whenever the tcpd USE flag is enabled (Gentoo Linux).
Setup
In this example, we'll use the SSH (Secure Shell) daemon, because it's one of the first services we want to have secured.
First, verify that SSH has tcpwrapper support (the tcpd flag in the output indicates that it does, as in this example):
hostname ~ # emerge -pv net-misc/openssh
[ebuild R ] net-misc/openssh-4.3_p2-r5 USE="ipv6 ldap pam tcpd -X -X509 -chroot -hpn -kerberos -libedit (-selinux) -sftplogging -skey -smartcard -static"
Configure
The goal with SSH and tcpwrappers is to allow anyone within the SFU IP-address range access to SSH and to deny everyone else. We'll do this by editing the /etc/hosts.deny file. It won't initially exist, but once created it is in effect: there is no need to restart the sshd daemon, because hosts.deny is consulted on each connection attempt, so changes apply as soon as the file is saved. Here's an example:
# /etc/hosts.deny
# This file describes the names of the hosts which are
# *not* allowed to use the specified services, as decided
# by the '/usr/sbin/tcpd' server.
# Author: Gordon Pritchard <gordonp@sfu.c