SUSE & openSUSE

Tips, Tricks, Tutorials, How-Tos and Troubleshooting for SUSE Linux

DenyHosts to secure against SSH brute-force attacks

Posted by admin on March 24th, 2010

DenyHosts is a free, open-source utility that protects the SSH server on your SuSE server or openSUSE system from brute-force attacks. DenyHosts works by adding the IP address of a host to the /etc/hosts.deny file on your SuSE or openSUSE system after a set number of failed login attempts from that host.

The defaults are:

5 failed login attempts from a host for a user that does not exist in /etc/passwd

10 failed login attempts from a host for a user that does exist in /etc/passwd

This is very useful on your corporate or Internet-facing SuSE servers, and even on your openSUSE box at home if it is reachable from the Internet through your router.

Prominent features include

Parses /var/log/secure to find all login attempts and separates failed from successful ones.

Syncs with the DenyHosts server to download known rogue IPs contributed by other users, and to contribute your own new entries to that list.

Records all failed login attempts, with the user name and the offending host.

Keeps track of existent and non-existent users whose login attempts failed, along with the offending hosts, and maintains them in separate files.

Keeps track of suspicious logins (that is, successful logins from a host that had many login failures).

Keeps track of the file offset, so that it can reparse the same file (/var/log/secure) continuously. When the log file is rotated, the script detects it and parses from the beginning.

Optionally sends an email about newly banned hosts and suspicious logins.

Keeps a history of all users, hosts, user/host combinations and suspicious logins encountered, including the date and number of corresponding failed login attempts.

/etc/hosts.deny entries can be expired (purged) after a user-specified time.
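To illustrate the counting logic described above, here is an added Python model (not DenyHosts' own code) that applies the default thresholds just given to a few constructed sshd log lines of the kind found in /var/log/secure and also flags suspicious logins; the exact sshd message formats and the "sshd: <ip>" hosts.deny entry syntax are assumptions.

```python
# Added example, not DenyHosts' own code: a minimal model of how failed
# logins per host are counted against the default thresholds described above.
import re
from collections import defaultdict

# Assumed OpenSSH message formats as seen in /var/log/secure.
FAILED_INVALID = re.compile(r"Failed password for invalid user (\S+) from (\S+)")
FAILED_VALID = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

DENY_THRESHOLD_INVALID = 5   # failures for users that do not exist in /etc/passwd
DENY_THRESHOLD_VALID = 10    # failures for users that do exist

def scan(lines):
    """Return (hosts_deny_entries, suspicious_logins) for the given log lines."""
    invalid_fails = defaultdict(int)   # host -> failures for non-existent users
    valid_fails = defaultdict(int)     # host -> failures for existing users
    suspicious = []
    for line in lines:
        m = FAILED_INVALID.search(line)
        if m:
            invalid_fails[m.group(2)] += 1
            continue
        m = FAILED_VALID.search(line)
        if m:
            valid_fails[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            user, host = m.groups()
            # A success from a host that already had failures is what DenyHosts
            # records as a "suspicious login".
            if invalid_fails.get(host, 0) + valid_fails.get(host, 0) > 0:
                suspicious.append((user, host))
    denied = {h for h, n in invalid_fails.items() if n >= DENY_THRESHOLD_INVALID}
    denied |= {h for h, n in valid_fails.items() if n >= DENY_THRESHOLD_VALID}
    # Assumed hosts.deny entry syntax: "sshd: <ip>", one host per line.
    return sorted("sshd: %s" % h for h in denied), suspicious

# Constructed sample log lines (documentation addresses), not a real capture.
SAMPLE_LOG = (
    ["Mar 24 10:00:%02d suse sshd[100]: Failed password for invalid user admin from 203.0.113.7 port 4000 ssh2" % i for i in range(5)]
    + ["Mar 24 10:01:%02d suse sshd[101]: Failed password for root from 198.51.100.9 port 4001 ssh2" % i for i in range(3)]
    + ["Mar 24 10:02:00 suse sshd[102]: Accepted password for root from 198.51.100.9 port 4002 ssh2"]
)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

With the sample above, 203.0.113.7 reaches the 5-failure limit for a non-existent user and is listed for hosts.deny, while 198.51.100.9 stays below the 10-failure limit but its later successful root login is reported as suspicious.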

To install DenyHosts, click the 1-click installers for your version of SuSE or openSUSE:

openSUSE 11.2

openSUSE 11.1

openSUSE 11.0

SLES/SLED 11

SLES/SLED 10

This should download the YMP file and launch the YaST install wizard for you. Follow the wizard and complete the installation. This should install the DenyHosts binary under /usr/sbin/denyhosts.

opensuse:~ # which denyhosts
/usr/sbin/denyhosts

Make Denyhosts automatically run at startup as follows:

opensuse:~ # chkconfig denyhosts on

To manually start or stop Denyhosts,

STOP

opensuse:~ # rcdenyhosts stop
Shutting down DenyHosts                            done

START

opensuse:~ # rcdenyhosts start
Starting DenyHosts                            done

DenyHosts Sync

One of the great features is the sync with the DenyHosts server, which lets you download known rogue IPs into your hosts.deny file and also contribute the new IP addresses your system has blocked. This is not enabled by default, however.

To enable Synchronization, edit /etc/denyhosts.conf file and uncomment the following lines:

# SYNC_SERVER (mandatory)
# SYNC_INTERVAL
# SYNC_UPLOAD (to upload to Denyhosts server)
# SYNC_DOWNLOAD (to download from DenyHosts server)
# SYNC_DOWNLOAD_THRESHOLD
# SYNC_DOWNLOAD_RESILIENCY


Once done, restart Denyhosts.

If you want to sync manually from the command line, stop DenyHosts first if it is already running.

To run sync from command line:

opensuse:~ # denyhosts --sync

There are also a couple of known issues when running the DenyHosts sync from the command line, which show up as the following errors:

[Errno 2] No such file or directory: '/var/lib/denyhosts/sync-timestamp'
Error synchronizing data
name 'info' is not defined

and

Error synchronizing data
Sync instance has no attribute 'get_denied_hosts'

To resolve this problem, edit the denyhosts script and make the following changes:

opensuse:~ # vi `which denyhosts`

Add the following line right before the first "##########" line where the various definitions are set:

info = logging.getLogger("denyhosts").info

and change the following part of the script

From

if sync_download:
    new_hosts = sync.receive_new_hosts()
    if new_hosts:
        info("received new hosts: %s", str(new_hosts))
        sync.get_denied_hosts()
        sync.update_hosts_deny(new_hosts)

To

if sync_download:
    new_hosts = sync.receive_new_hosts()
    if new_hosts:
        info("received new hosts: %s", str(new_hosts))
        #sync.get_denied_hosts()
        dh.get_denied_hosts()
        #sync.update_hosts_deny(new_hosts)
        dh.update_hosts_deny(new_hosts)

This should fix the command-line sync problem. Once the sync has completed successfully, you will see a large number of entries in the /etc/hosts.deny file.

Click here to visit the project home.

One Response to "DenyHosts to secure against SSH brute-force attacks"

  1. Paul Says:

    Very helpful, thanks. I installed the "one click" links via command line (no GUI available) using the following command:

    su -c "OCICLI http://software.opensuse.org/ymp/network:utilities/openSUSE_11.3/denyhosts.ymp"

    [Change the 11_3 to whatever version you are installing on]

    Cheers!
