How to I block and stop attacks on ssh server under CentOS Linux or Red Hat Enterprise Linux server 5.x?
You can easily thwart SSH server attacks including dictionary based attacks and brute force attacks using denyhosts software.
It is a Python based script that analyzes the sshd server logmessages to determine what hosts are attempting to hack into yoursystem.
Step #1: Enable Rpmforge Repo
First, enable rpoforge repo. For 32bit CentOS / RHEL Linux enter:# rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
IF THE ABOVE IS NOT WORK THAN PLEASE USE THIS ONE :rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
For 64 bit CentOS / RHEL 5 Linux, enter:
# rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
IF THE ABOVE IS NOT WORK THAN PLEASE USE THIS ONE :
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
Step #2: Install Denyhosts
Type the following command:
# yum -y install denyhosts
Step #3: Configure Denyhosts
The default configuration file is located at /etc/denyhosts/denyhosts.cfg.Allow Your Computer To Access sshd
You need to setup a whitelist so that you never want to block yourself using this script. Edit /etc/hosts.allow, enter:
# vi /etc/hosts.allow
Allow sshd from 202.54.1.2 and 203.51.2.3:Save and close the file.sshd: 202.54.1.2 203.51.2.3
Setup Alert Email ID
Edit /etc/denyhosts/denyhosts.cfg, enter:
# vi /etc/denyhosts/denyhosts.cfg
If you would like to receive emails regarding newly restricted hostsand suspicious logins, set this address to match your email address. Ifyou do not want to receive these reports # leave this field blank (orrun with the --noemail option). Multiple email addresses can bedelimited by a comma, eg:ADMIN_EMAIL = pctipsbyanu@yahoo.com, pctipsbyanu@gmail.com
ADMIN_EMAIL = pctipsbyanu@gmail.com
Save and close the file. Here is my own sample configuration filefor RHEL / CentOS 5.x server / vps box - config file is documented verywell, just open and read it:
############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 7d
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = pctipsbyanu@yahoo.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
######### THESE SETTINGS ARE SPECIFIC TO ##########
######### DAEMON SYNCHRONIZATION ##########
Turn On Denyhosts
Type the following commands:
# chkconfig denyhosts on
# service denyhosts start
How do I view Denyhosts Log?
Type the command:
# tail -f /var/log/denyhosts
# tail -f /var/log/secure
0 comments:
Post a Comment