Block SSH Server Attacks Using DenyHosts



Secure Shell (SSH) stands as the cornerstone of remote server administration. It provides a secure channel for accessing and managing your servers. However, this essential service is also a prime target for malicious actors.

Brute-force attacks, where attackers systematically try numerous username and password combinations, pose a significant threat to SSH security. DenyHosts offers a straightforward, albeit older, approach to mitigating these attacks by automatically blocking IP addresses after repeated failed login attempts. This tutorial provides a detailed walkthrough of installing and configuring DenyHosts on the latest Ubuntu LTS version, 24.04.

Important Note: DenyHosts is no longer actively maintained and has known security limitations. Consider its use carefully and explore modern alternatives if security is paramount.

Why DenyHosts?

DenyHosts operates by monitoring SSH login attempts. When a specific IP address exceeds a predefined threshold of failed login attempts (whether invalid usernames, valid usernames with incorrect passwords, or root login attempts), DenyHosts adds that IP address to the /etc/hosts.deny file. This effectively blocks further connections from that IP, thwarting brute-force attacks.
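The counting-and-threshold behaviour described above, as an added Python example (a simplified model, not DenyHosts' own code or patterns). It classifies constructed OpenSSH "Failed password" lines into the three categories and prints the matching hosts.deny rules; the threshold values, the function names and the `allowed` parameter are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample thresholds for this example; keys map to DENY_THRESHOLD_INVALID/_VALID/_ROOT.
THRESHOLDS = {"invalid": 5, "valid": 10, "root": 1}

# The user name is remote-supplied text, so the pattern is anchored at the end of
# the line and the address is always the field sshd itself wrote before "port".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2\s*$"
)

def classify(line):
    """Return (ip, category) for a failed-password line, else None."""
    m = FAILED.search(line)
    if not m:
        return None
    if m.group("invalid"):
        return m.group("ip"), "invalid"
    return m.group("ip"), "root" if m.group("user") == "root" else "valid"

def hosts_to_deny(lines, thresholds=THRESHOLDS, allowed=()):
    """Return sorted addresses whose failures exceed a threshold in any category."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit and hit[0] not in allowed:  # hypothetical allow-list: never block admin addresses
            counts[hit] += 1
    return sorted({ip for (ip, cat), n in counts.items() if n > thresholds[cat]})

def deny_entries(ips, service="sshd"):
    """Format addresses as hosts.deny rules ("daemon: client")."""
    return [f"{service}: {ip}" for ip in ips]

def sample_log():
    """Constructed auth.log lines using documentation address ranges."""
    fmt = "Mar 26 10:00:{:02d} web1 sshd[{}]: Failed password for {} from {} port 40022 ssh2"
    lines = [fmt.format(i, 1000 + i, "invalid user admin", "203.0.113.5") for i in range(6)]
    lines += [fmt.format(10 + i, 2000 + i, "root", "198.51.100.7") for i in range(2)]
    lines += [fmt.format(20 + i, 3000 + i, "alice", "192.0.2.44") for i in range(3)]
    lines.append("Mar 26 10:01:00 web1 sshd[4000]: Accepted password for alice from 192.0.2.44 port 40022 ssh2")
    return lines

if __name__ == "__main__":
    print("\n".join(deny_entries(hosts_to_deny(sample_log()))))
```

In the sample, the address with three failed attempts against a valid account stays below its threshold and is not listed, while the other two addresses exceed theirs.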

Important Considerations before Proceeding

Consider the following points before proceeding with DenyHosts:

  • Maintenance Status: DenyHosts is no longer actively maintained. This means it might not receive security updates, and newer attack methods might bypass it.
  • Alternatives: Modern systems often prefer fail2ban due to its active development and increased flexibility.
  • Security Best Practices: DenyHosts should be considered one layer of security. Always use strong passwords, disable password-based root login, and keep your system updated.

Installation and Configuration

Since DenyHosts isn't in the standard repositories, we'll install it from source.

Ubuntu 24.04:

Install Python3 (if not already installed):

sudo apt update
sudo apt install python3

Download and Extract:

git clone https://github.com/denyhosts/denyhosts.git
cd denyhosts/

Install DenyHosts:

sudo python3 setup.py install

Configure DenyHosts:

sudo cp denyhosts.conf /etc/denyhosts.conf
sudo nano /etc/denyhosts.conf

Essential Settings:

  • SECURE_LOG: /var/log/auth.log
  • HOSTS_DENY: /etc/hosts.deny
  • DENY_THRESHOLD_INVALID: Number of invalid user attempts before blocking.
  • DENY_THRESHOLD_VALID: Number of valid user, but incorrect password attempts.
  • DENY_THRESHOLD_ROOT: Number of failed root login attempts.

Configure the Daemon

sudo ln -s /usr/bin/python3 /usr/bin/python
cp daemon-control-dist daemon-control

Edit the daemon-control file. You should only need to edit this section near the top:

sudo nano daemon-control

Edit these to suit your configuration

DENYHOSTS_BIN   = "/usr/local/bin/denyhosts.py"
DENYHOSTS_LOCK  = "/run/denyhosts.pid"
DENYHOSTS_CFG   = "/etc/denyhosts.conf"
PYTHON_BIN = "/usr/bin/env python3"

Verify the paths to the DenyHosts binary, lock file, and configuration file.

sudo chmod 700 daemon-control

Start DenyHosts:

sudo ./daemon-control start

auth.log Permissions

By adding denyhosts to the adm group, we grant the service the necessary permissions to read and analyze system log files to identify and block malicious IP addresses.

sudo useradd denyhosts  # Create the user if it doesn't exist (requires root)
sudo usermod -aG adm denyhosts  # Add denyhosts to the adm group, which can read /var/log/auth.log

Conclusion

DenyHosts can provide a basic level of SSH protection. However, its unmaintained status presents potential security risks. It's crucial to consider these risks and explore modern alternatives like fail2ban. Regardless of the tool you choose, remember that security is a multi-layered approach. Strong passwords, disabling root login, regular system updates, and a properly configured firewall are all essential components of a secure server.

Updated on: 2025-03-26T14:59:38+05:30
