DenyHosts is a free, open-source utility that protects the SSH server on your SuSE server or openSUSE system from brute-force attacks. DenyHosts works by adding the IP address of a host to /etc/hosts.deny on your SuSE or openSUSE system after a set number of failed login attempts from that host.
The defaults are:
5 failed login attempts from a host for a non-existent user (one not in /etc/passwd)
10 failed login attempts from a host for a user that exists in /etc/passwd
This is very useful on your corporate or Internet facing SuSE servers or even on your openSUSE at home where you are directly connected through your routers to the internet.
Prominent features include
Parses /var/log/secure to find all login attempts and filters failed and successful attempts.
Syncs with the DenyHosts server to fetch known rogue IPs contributed by other users and to contribute your own new entries to that list
Records all failed login attempts for the user and offending host
Keeps track of each existent and non-existent user for which a login attempt failed, together with the offending hosts, and maintains them in separate files.
Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously. When the log file is rotated, the script will detect it and parse from the beginning.
Optionally sends an email of newly banned hosts and suspicious logins.
Keeps a history of all user, host, user/host combo and suspicious logins encountered, including the date and number of corresponding failed login attempts.
/etc/hosts.deny entries can be expired (purged) after a user-specified time
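To make the mechanism described above concrete, here is an added example (not DenyHosts' own code) that models its core decision logic in Python: it parses sshd messages in the /var/log/secure format, counts failed logins per host separately for existing and non-existent users, applies the default thresholds of 5 and 10 (the constants mirror the DENY_THRESHOLD_INVALID / DENY_THRESHOLD_VALID settings in denyhosts.conf), flags a "suspicious" login (a success from a host that already has failures) and renders the entries DenyHosts would write to /etc/hosts.deny. The log lines are constructed for the example; the IP addresses are documentation ranges, not real hosts.

```python
"""Model of the DenyHosts failed-login accounting (added example, not
the project's code).  Reads sshd lines in /var/log/secure format and
decides which hosts would be written to /etc/hosts.deny."""
import re
from collections import defaultdict

# Default thresholds from the text (same values as DENY_THRESHOLD_INVALID
# and DENY_THRESHOLD_VALID in denyhosts.conf).
DENY_THRESHOLD_INVALID = 5   # failures for users not in /etc/passwd
DENY_THRESHOLD_VALID = 10    # failures for users that exist

# sshd message forms as they appear in /var/log/secure.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<host>\S+) port \d+"
)

# Constructed sample log: one host hammering non-existent accounts, one host
# failing twice as root and then succeeding, one clean key login.
SAMPLE_LOG = """\
Jan 10 03:14:01 opensuse sshd[2201]: Failed password for invalid user oracle from 192.0.2.10 port 51234 ssh2
Jan 10 03:14:03 opensuse sshd[2201]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
Jan 10 03:14:05 opensuse sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Jan 10 03:14:07 opensuse sshd[2201]: Failed password for invalid user guest from 192.0.2.10 port 51244 ssh2
Jan 10 03:14:09 opensuse sshd[2201]: Failed password for invalid user ftp from 192.0.2.10 port 51250 ssh2
Jan 10 03:20:11 opensuse sshd[2300]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 03:20:13 opensuse sshd[2300]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan 10 03:20:15 opensuse sshd[2300]: Accepted password for root from 198.51.100.7 port 40005 ssh2
Jan 10 03:25:00 opensuse sshd[2400]: Accepted publickey for alice from 203.0.113.5 port 33000 ssh2
"""


def parse_line(line):
    """Classify one log line.

    Returns ("failed", user, host, invalid_user) or ("accepted", user, host, False),
    or None for lines that are not login attempts.
    """
    m = FAILED_RE.search(line)
    if m:
        return "failed", m.group("user"), m.group("host"), bool(m.group("invalid"))
    m = ACCEPTED_RE.search(line)
    if m:
        return "accepted", m.group("user"), m.group("host"), False
    return None


def analyze(lines, thr_invalid=DENY_THRESHOLD_INVALID, thr_valid=DENY_THRESHOLD_VALID):
    """Process log lines in order; return (denied_hosts, suspicious_logins)."""
    invalid_fails = defaultdict(int)   # host -> failures for non-existent users
    valid_fails = defaultdict(int)     # host -> failures for existing users
    denied = []       # hosts that crossed a threshold, in detection order
    suspicious = []   # (user, host) successes from hosts with earlier failures
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, user, host, invalid = parsed
        if kind == "accepted":
            # A success after failures from the same host is what DenyHosts
            # records as a "suspicious login".
            if invalid_fails[host] or valid_fails[host]:
                suspicious.append((user, host))
            continue
        if invalid:
            invalid_fails[host] += 1
        else:
            valid_fails[host] += 1
        if host not in denied and (
            invalid_fails[host] >= thr_invalid or valid_fails[host] >= thr_valid
        ):
            denied.append(host)
    return denied, suspicious


def hosts_deny_entries(denied):
    """Render entries in the form DenyHosts writes (BLOCK_SERVICE defaults to sshd)."""
    return ["sshd: %s" % host for host in denied]


if __name__ == "__main__":
    denied, suspicious = analyze(SAMPLE_LOG.splitlines())
    print("hosts.deny additions:", hosts_deny_entries(denied))
    print("suspicious logins:", suspicious)
```

Running it shows only 192.0.2.10 being denied (five failures for non-existent users), while 198.51.100.7 stays below the ten-failure threshold for an existing user but produces a suspicious-login record when root finally gets in; this is the distinction the two default thresholds are meant to draw.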
To install DenyHosts, click the 1-click installers for your version of SuSE or openSUSE:
openSUSE 11.2
openSUSE 11.1
openSUSE 11.0
SLES/SLED 11
SLES/SLED 10
This should download the YMP file and launch the YaST install wizard for you. Follow the wizard and complete the installation. This installs the DenyHosts binary under /usr/sbin/denyhosts.
opensuse:~ # which denyhosts
/usr/sbin/denyhosts
Make DenyHosts run automatically at startup as follows:
opensuse:~ # chkconfig denyhosts on
To manually start or stop DenyHosts:
STOP
opensuse:~ # rcdenyhosts stop
Shutting down DenyHosts done
START
opensuse:~ # rcdenyhosts start
Starting DenyHosts done
DenyHosts Sync
One of the great features is the sync with the DenyHosts server, which lets you download known rogue IPs into your /etc/hosts.deny file and contribute the new IP addresses that your own system has blocked. This is not enabled by default, however.
To enable Synchronization, edit /etc/denyhosts.conf file and uncomment the following lines:
# SYNC_SERVER (mandatory)
# SYNC_INTERVAL
# SYNC_UPLOAD (to upload to Denyhosts server)
# SYNC_DOWNLOAD (to download from DenyHosts server)
# SYNC_DOWNLOAD_THRESHOLD
# SYNC_DOWNLOAD_RESILIENCY
Once done, restart DenyHosts.
When syncing manually from the command line, stop DenyHosts first if it is already running.
To run a sync from the command line:
opensuse:~ # denyhosts --sync
There are also a couple of known issues when running the DenyHosts sync from the command line; when you hit them, you will see the following errors:
[Errno 2] No such file or directory: '/var/lib/denyhosts/sync-timestamp'
Error synchronizing data
name 'info' is not defined
and
Error synchronizing data
Sync instance has no attribute 'get_denied_hosts'
To resolve this problem, edit the denyhosts script and make the following changes:
opensuse:~ # vi `which denyhosts`
Add the following line right before the first "##########" line, where the various definitions are set, so that the name info used by the sync code is defined:
info = logging.getLogger("denyhosts").info
and change the following part of the script
From
        if sync_download:
            new_hosts = sync.receive_new_hosts()
            if new_hosts:
                info("received new hosts: %s", str(new_hosts))
                sync.get_denied_hosts()
                sync.update_hosts_deny(new_hosts)
To
        if sync_download:
            new_hosts = sync.receive_new_hosts()
            if new_hosts:
                info("received new hosts: %s", str(new_hosts))
                # get_denied_hosts/update_hosts_deny live on the DenyHosts
                # object (dh), not on the Sync object
                #sync.get_denied_hosts()
                dh.get_denied_hosts()
                #sync.update_hosts_deny(new_hosts)
                dh.update_hosts_deny(new_hosts)
This should fix the command-line sync problem. Once the sync has completed successfully, you will see a large number of entries in the /etc/hosts.deny file.
Click here to visit the project home.
Very helpful thanks, I installed the “one click” links via command line (no GUI available) using the following command:
su -c "OCICLI http://software.opensuse.org/ymp/network:utilities/openSUSE_11.3/denyhosts.ymp"
[Change the 11_3 to whatever version you are installing on]
Cheers!