Setup DenyHosts and Logwatch on Debian

Whenever I set up a new Linux server I find myself installing two programs right after OpenSSH: DenyHosts and Logwatch. Both are a worthwhile addition if you want to keep your server a bit more secure. This howto shows how to configure both. When we are done, DenyHosts will block hosts that repeatedly fail to log in over SSH, and Logwatch will send us a daily report of the notable events from the day before.

NOTE: Before Logwatch can send reports your server needs a way to send email. If you do not already have a solution in place, read one of the following two howtos to enable outgoing email from your server. The howtos are located here and here.

So what are DenyHosts and Logwatch?

DenyHosts is a small Python script that scans the SSH log for hosts that try to gain access with password guessing (brute force) attacks. When it detects such attempts it adds the attacking host to '/etc/hosts.deny', the file TCP Wrappers consults, so that host can no longer connect to SSH and, optionally, to any other service on your server that honours TCP Wrappers.

Logwatch is a small program that scans your log files for anything out of the ordinary and emails a daily summary to one or more addresses.

Installing and configuring DenyHosts.

First we make sure DenyHosts cannot lock us out of our own server when we mistype our password. To do this we add our own IP address to '/etc/hosts.allow', granting it access to every service on the server. TCP Wrappers checks '/etc/hosts.allow' before '/etc/hosts.deny', so a host listed here keeps access even if DenyHosts later adds it to the deny file. Use the static address you administer from, not a whole provider range: anything you list here is exempt from blocking. Issue the following command from the command line, replacing the placeholder with your address.

echo 'ALL: [Your.Ip.Address.Here]' >> /etc/hosts.allow

To install DenyHosts we issue the following command from the command line.

aptitude install denyhosts

We also make some changes to the DenyHosts configuration file, '/etc/denyhosts.conf'.

nano /etc/denyhosts.conf

Now change the following options in the configuration file to match the values below. Note that we set 'BLOCK_SERVICE' to 'ALL': once an offending host is placed in '/etc/hosts.deny' it is blocked from every service protected by TCP Wrappers, that is, sshd and any daemon linked against libwrap or started through tcpd/inetd. A daemon that does not use TCP Wrappers (Apache is the usual example) never reads '/etc/hosts.deny' and is not affected, so do not count on this to protect HTTP, FTP or email unless those daemons are wrapped. The thresholds are the number of failed attempts a host is allowed before it is blocked: five for user names that do not exist, ten for valid non-root accounts, one for root, and one for the user names listed in DenyHosts' restricted-usernames file.

BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
HOSTNAME_LOOKUP = YES
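To make the thresholds and the whitelist concrete, here is a small shell and awk re-implementation of the per-host counting DenyHosts does, run over constructed sshd log lines. This is an added example, not DenyHosts' own code: it counts only 'Failed password' lines (DenyHosts matches more patterns than that), reads the whitelist from a file in '/etc/hosts.allow' syntax, and prints the '/etc/hosts.deny' entries that result. The function names, the IP addresses and every log line are constructed for the example.

```shell
#!/bin/sh
# Added example, not DenyHosts' own code: re-implements the per-host
# counting behind DENY_THRESHOLD_* on constructed sshd log lines.
set -eu

DENY_THRESHOLD_INVALID=5   # failed logins for user names that do not exist
DENY_THRESHOLD_VALID=10    # failed logins for existing non-root users
DENY_THRESHOLD_ROOT=1      # failed logins for root

# scan_sshd_log LOGFILE ALLOWFILE
# Prints one "ALL: <ip>" line (hosts.deny syntax) per host that crossed a
# threshold, skipping hosts listed in ALLOWFILE (hosts.allow syntax), just
# as TCP Wrappers consults hosts.allow before hosts.deny.
scan_sshd_log() {
    awk -v inv="$DENY_THRESHOLD_INVALID" -v val="$DENY_THRESHOLD_VALID" \
        -v root="$DENY_THRESHOLD_ROOT" -v allowfile="$2" '
    BEGIN {
        # Whitelist: every "ALL: addr" or "sshd: addr" line in hosts.allow.
        while ((getline line < allowfile) > 0) {
            if (line ~ /^[ \t]*#/) continue
            n = split(line, f, /[: \t]+/)
            if (n >= 2 && (f[1] == "ALL" || f[1] == "sshd")) allowed[f[2]] = 1
        }
    }
    # The source address is the field after "from" on every sshd line.
    function src(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
    /sshd\[[0-9]+\]: Failed password for invalid user / { invalid[src()]++; next }
    /sshd\[[0-9]+\]: Failed password for root from /     { rootf[src()]++;   next }
    /sshd\[[0-9]+\]: Failed password for /               { valid[src()]++ }
    END {
        for (ip in invalid) if (invalid[ip] >= inv)  deny[ip] = 1
        for (ip in valid)   if (valid[ip]   >= val)  deny[ip] = 1
        for (ip in rootf)   if (rootf[ip]   >= root) deny[ip] = 1
        for (ip in deny)    if (!(ip in allowed)) print "ALL: " ip
    }' "$1" | LC_ALL=C sort
}

# Constructed sample log (not from a real server) covering each case:
# five bad user names from one host, one root attempt from another,
# two failures for a valid user, and a root failure from our own address.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  4 10:01:02 web sshd[4011]: Invalid user admin from 203.0.113.5
Mar  4 10:01:03 web sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Mar  4 10:01:05 web sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  4 10:01:07 web sshd[4013]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Mar  4 10:01:09 web sshd[4014]: Failed password for invalid user oracle from 203.0.113.5 port 40214 ssh2
Mar  4 10:01:11 web sshd[4015]: Failed password for invalid user guest from 203.0.113.5 port 40215 ssh2
Mar  4 10:02:10 web sshd[4020]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  4 10:03:00 web sshd[4031]: Failed password for alice from 192.0.2.9 port 33001 ssh2
Mar  4 10:03:04 web sshd[4032]: Failed password for alice from 192.0.2.9 port 33002 ssh2
Mar  4 10:03:09 web sshd[4033]: Accepted password for alice from 192.0.2.9 port 33003 ssh2
Mar  4 10:04:00 web sshd[4040]: Failed password for root from 192.0.2.200 port 22000 ssh2
EOF
}

# Demo: 203.0.113.5 (5 bad user names) and 198.51.100.7 (root) are denied;
# 192.0.2.9 stays under DENY_THRESHOLD_VALID and 192.0.2.200 is whitelisted.
demo() {
    tmp=$(mktemp -d)
    make_sample_log "$tmp/auth.log"
    printf 'ALL: 192.0.2.200\n' > "$tmp/hosts.allow"   # our own address, as in the step above
    scan_sshd_log "$tmp/auth.log" "$tmp/hosts.allow"
    rm -rf "$tmp"
}
demo
```

Remove the whitelist line from the constructed hosts.allow and 192.0.2.200 shows up in the output too: a single mistyped root password from your own desk is enough to trip DENY_THRESHOLD_ROOT = 1, which is exactly why the '/etc/hosts.allow' entry comes first in this howto.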

If you followed one of my guides on setting up email, or already have an email solution in place, you can also enable email reports by changing the following settings to the values below.

ADMIN_EMAIL = [Your@Email.Here]
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <DenyHosts@[ServerName]>
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]

After this we restart DenyHosts so that the new configuration is loaded.

/etc/init.d/denyhosts restart

Installing and configuring Logwatch.

I usually leave Logwatch at its default configuration and only change the email address to which reports are sent, so we just install it and change the address.

To install Logwatch issue the following command at the command line.

aptitude install logwatch

To change the email address to which Logwatch sends reports, open the daily cron script. (The address can also be set as 'MailTo' in '/etc/logwatch/conf/logwatch.conf', which overrides the packaged defaults and applies to manual runs as well; editing the cron script is the quick way.)

nano /etc/cron.daily/00logwatch

And change the following line from

/usr/sbin/logwatch --mailto root

To

/usr/sbin/logwatch --mailto [Your@Email.Here]

When you are done there is nothing to reload: cron reads the scripts in '/etc/cron.daily' afresh each time it runs them, so the new address is used from the next daily run on. Restarting cron, as below, is harmless but not required.

/etc/init.d/cron restart
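The daily job will only tell you whether mail delivery works when it fires the next day. As an added example (not part of the original howto or the Logwatch project), the script below writes the address into Logwatch's override file instead of the cron script and then runs Logwatch once by hand for today's log lines so you can check your inbox right away. The function names and the address are assumptions for the example; the file path, the 'MailTo', 'MailFrom' and 'Range' options and the command-line flags are Logwatch's own.

```shell
#!/bin/sh
# Added example, not from the original howto or the Logwatch project.
set -eu

# write_logwatch_override CONFDIR ADDRESS
# Writes the per-host override file Logwatch reads after its packaged
# defaults (/etc/logwatch/conf/logwatch.conf on Debian). Setting MailTo
# here reaches both the daily cron job and manual runs, and is not touched
# when a package upgrade replaces /etc/cron.daily/00logwatch.
write_logwatch_override() {
    confdir=$1
    address=$2
    mkdir -p "$confdir"
    cat > "$confdir/logwatch.conf" <<EOF
# Local overrides for /usr/share/logwatch/default.conf/logwatch.conf
MailTo = $address
MailFrom = Logwatch
Range = yesterday
EOF
    printf '%s/logwatch.conf\n' "$confdir"
}

# report_setting FILE KEY: prints the value Logwatch will use for KEY.
report_setting() {
    awk -v key="$2" -F' *= *' '$1 == key { print $2 }' "$1"
}

# run_logwatch_now ADDRESS
# Sends a report for today's log lines at full detail so you can confirm
# delivery immediately. Skipped when logwatch is not installed here.
run_logwatch_now() {
    if command -v logwatch >/dev/null 2>&1; then
        logwatch --output mail --mailto "$1" --range today --detail High
    else
        echo "logwatch not installed; skipping test run" >&2
    fi
}

# Usage: sh logwatch-mail.sh you@example.com   (writes the real override file)
if [ $# -eq 1 ]; then
    write_logwatch_override /etc/logwatch/conf "$1"
    run_logwatch_now "$1"
fi
```

If the test mail does not arrive, the fault is in the outgoing mail setup from the note at the top of this page, not in Logwatch; check the mail log before touching the Logwatch configuration again.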

That is it for DenyHosts and Logwatch. DenyHosts now blocks SSH brute force attacks, and Logwatch sends you an email report of the notable events on your server from the previous day, including a list of the IP addresses that were blocked.

Created by Medorion on March 4th, 2010 UTC +1