HOWTO Setup Deny Hosts
Revision as of 04:42, 16 April 2008

Purpose

Fail2ban, working in combination with Iptables, is a superior method of controlling hacking activities. However, our virtual servers cannot directly address hardware. As a work-around, denyhosts approximates the function of Fail2ban and Iptables.

Setup

  • If ssh is not compiled with tcpd support, you will need to edit the USE flags in make.conf and recompile.
hostname ~ # emerge -pv net-misc/openssh
[ebuild   R ] net-misc/openssh-x.x  USE="tcpd"
  • There will be more USE flags listed in addition to tcpd but it is the only necessary flag for this setup.
hostname ~ # emerge -v denyhosts
[ebuild   N ] app-admin/denyhosts-x.x
  • Denyhosts can be run as a cron job, but our virtual servers run it as a service.
hostname ~ # rc-update add denyhosts default

Configure

  • There are several values to change in denyhosts.conf. Refer to the comments in this file for more information.
hostname ~ # vi /etc/denyhosts.conf

PURGE_DENY = 2h
PURGE_THRESHOLD = 3
BLOCK_SERVICE = ALL
# BLOCK_SERVICE = sshd        <- comment out this line so that the ALL setting takes effect
DENY_THRESHOLD_ROOT = 4
SYSLOG_REPORT = YES
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
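To show what the settings above actually do, here is an added, simplified model of the DenyHosts logic (example code, not DenyHosts' own): it counts failed root logins per source host in sshd log lines, denies a host once it reaches DENY_THRESHOLD_ROOT, emits the hosts.deny entry that BLOCK_SERVICE = ALL produces, and expires entries older than PURGE_DENY. The log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Simplified model of the DenyHosts behaviour configured in denyhosts.conf
(added example, not DenyHosts' own code). Real DenyHosts also keeps separate
thresholds for valid and invalid user names; only the root threshold is modelled."""
import re
from collections import Counter

# Values taken from the denyhosts.conf settings shown above
DENY_THRESHOLD_ROOT = 4
BLOCK_SERVICE = "ALL"
PURGE_DENY_SECONDS = 2 * 3600          # PURGE_DENY = 2h

# Classic sshd failure message as written to the secure/auth log
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>[\d.]+)")

# Constructed sample log lines (documentation addresses, not a real system)
SAMPLE_LOG = """\
Apr 16 04:40:01 host sshd[1201]: Failed password for root from 192.0.2.10 port 51422 ssh2
Apr 16 04:40:03 host sshd[1201]: Failed password for root from 192.0.2.10 port 51423 ssh2
Apr 16 04:40:05 host sshd[1202]: Failed password for invalid user admin from 192.0.2.10 port 51424 ssh2
Apr 16 04:40:07 host sshd[1203]: Failed password for root from 192.0.2.10 port 51425 ssh2
Apr 16 04:40:09 host sshd[1204]: Failed password for root from 192.0.2.10 port 51426 ssh2
Apr 16 04:41:00 host sshd[1210]: Failed password for root from 198.51.100.7 port 40000 ssh2
Apr 16 04:41:30 host sshd[1211]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

def root_failures_per_host(log_text):
    """Count failed root logins per source address, as DenyHosts does when it scans the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group("user") == "root":
            counts[m.group("host")] += 1
    return counts

def hosts_to_deny(counts, threshold=DENY_THRESHOLD_ROOT):
    """Hosts whose root failure count reached DENY_THRESHOLD_ROOT."""
    return sorted(h for h, n in counts.items() if n >= threshold)

def deny_entry(host, service=BLOCK_SERVICE):
    """The /etc/hosts.deny line tcpd reads; BLOCK_SERVICE = ALL covers every wrapped service."""
    return f"{service}: {host}"

def purge_expired(entries, now_ts, max_age=PURGE_DENY_SECONDS):
    """Drop (host, added_ts) entries older than PURGE_DENY, as the purge pass does."""
    return [(h, t) for h, t in entries if now_ts - t <= max_age]

if __name__ == "__main__":
    for host in hosts_to_deny(root_failures_per_host(SAMPLE_LOG)):
        print(deny_entry(host))
```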

Turn It On

hostname ~ # /etc/init.d/denyhosts start