Kamilski.com Personal Developer Blog

26 Jan 2010

How to secure SSH / Secure Shell with DenyHosts?

You don't know what SSH is? Look here: http://kamilski.com/2010/01/26/what-is-ssh-secure-shell/

Many server owners have a bad feeling when they think about SSH access and the security of their server, because they are afraid that someone will crack their password and abuse the server for warez, or take down a big company site hosted on it. There are many bad things and scenarios that can happen to every one of us. For some of us it would be a worst-case scenario to lose our own server and, as a result, to lose money.

How do hackers/botnets attack?

Most attacks by hackers/botnets are brute-force attacks. First they try every word from a list of the most commonly used passwords to guess the root account's password. If that fails, they try to break your password by trying every entry in a specific dictionary. Some dictionaries have 1000 words, others 5 million; it depends on the hacker/botnet.

How can I secure my SSH-access?

Try DenyHosts

How does DenyHosts work?

Let's start with the auth.log file. auth.log is a file that records every (attempted) login to your server. It looks something like this:

Nov 8 12:24:56 v229031102 sshd[2261]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=38.106.70.69 user=root
Nov 8 12:24:58 v229031102 sshd[2261]: Failed password for root from 38.106.70.69 port 52170 ssh2
Nov 8 12:24:59 v229031102 sshd[2314]: error writing /proc/self/oom_adj: Permission denied

As you can see, it records the user name, the IP and the process. DenyHosts checks every 30 seconds whether there have been failed login attempts to your server and counts the failed attempts per IP. Once the failed attempts from one IP reach a specific number (the default is 5), DenyHosts inserts that IP into the /etc/hosts.deny file. This file lists all IPs that are forbidden to access your server in any way. For the root account the maximum number of failed attempts is 1. The IP will be banned for a specific time (more on that later).
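To make the counting rule concrete, here is an added example (my own illustration, not DenyHosts' code) that scans auth.log lines, counts failed SSH logins per source IP, applies the two thresholds described above (1 for root, 5 otherwise), formats hosts.deny entries and expires old bans after a configurable age. The log sample is constructed: it reuses the three lines quoted above plus invented attempts from the documentation-only address ranges 192.0.2.0/24 and 198.51.100.0/24. The service name written into each hosts.deny line is a parameter, since which service DenyHosts itself names in the entry depends on its own configuration (the BLOCK_SERVICE setting), not on the logic shown here.

```python
"""Toy re-implementation of the counting rule the post describes for DenyHosts.
Added illustration only; DenyHosts' real implementation differs in detail."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of auth.log: the three lines from the post plus invented
# attempts from documentation-only addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_AUTH_LOG = """\
Nov 8 12:24:56 v229031102 sshd[2261]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=38.106.70.69 user=root
Nov 8 12:24:58 v229031102 sshd[2261]: Failed password for root from 38.106.70.69 port 52170 ssh2
Nov 8 12:24:59 v229031102 sshd[2314]: error writing /proc/self/oom_adj: Permission denied
Nov 8 12:25:03 v229031102 sshd[2320]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Nov 8 12:25:05 v229031102 sshd[2321]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Nov 8 12:25:07 v229031102 sshd[2322]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Nov 8 12:25:09 v229031102 sshd[2323]: Failed password for invalid user test from 192.0.2.10 port 40004 ssh2
Nov 8 12:25:11 v229031102 sshd[2324]: Failed password for alice from 192.0.2.10 port 40005 ssh2
Nov 8 12:25:13 v229031102 sshd[2330]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Nov 8 12:25:15 v229031102 sshd[2331]: Accepted password for bob from 198.51.100.7 port 50002 ssh2
"""

# Only the "Failed password" lines count; pam_unix noise, the oom_adj error and
# successful logins are ignored. "invalid user" marks names sshd does not know.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def count_failures(log_text):
    """Return {ip: {"total": n, "root": n}} built from the failed-login lines."""
    counts = defaultdict(lambda: {"total": 0, "root": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        rec = counts[m.group("ip")]
        rec["total"] += 1
        if m.group("user") == "root":
            rec["root"] += 1
    return dict(counts)


def ips_to_deny(log_text, threshold=5, root_threshold=1):
    """IPs that crossed a threshold, using the post's figures: 5 in general, 1 for root."""
    deny = {}
    for ip, rec in count_failures(log_text).items():
        if rec["root"] >= root_threshold:
            deny[ip] = "root attempts: %d" % rec["root"]
        elif rec["total"] >= threshold:
            deny[ip] = "failed attempts: %d" % rec["total"]
    return deny


def hosts_deny_lines(ips, service="ALL"):
    """Format entries in the 'service: address' form /etc/hosts.deny expects."""
    return ["%s: %s" % (service, ip) for ip in sorted(ips)]


def purge_expired(entries, now, max_age=timedelta(days=1)):
    """Drop bans older than max_age (the role of PURGE_DENY); entries are (ip, banned_at)."""
    return [(ip, t) for ip, t in entries if now - t <= max_age]


# Constructed ban list for the purge demo: one recent ban, one three days old.
SAMPLE_NOW = datetime(2010, 1, 26, 12, 0, 0)
SAMPLE_BANS = [
    ("192.0.2.10", SAMPLE_NOW - timedelta(hours=2)),
    ("38.106.70.69", SAMPLE_NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for line in hosts_deny_lines(ips_to_deny(SAMPLE_AUTH_LOG)):
        print(line)  # 192.0.2.10 after 5 failures, 38.106.70.69 after 1 root failure
    print([ip for ip, _ in purge_expired(SAMPLE_BANS, SAMPLE_NOW)])
```

Run as-is it prints the two entries that cross a threshold; 198.51.100.7 is left alone because a single failure followed by a successful login never reaches the general threshold of 5. The purge step keeps only the two-hour-old ban, which is what a daily DAEMON_PURGE run with PURGE_DENY = 1d would do.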

How do I install Denyhosts?

I will write the install instructions for Debian/Ubuntu, because most people use Debian or Debian-based Linux distributions. Install DenyHosts with the following command:

sudo apt-get install denyhosts

If you are already root, use this:

apt-get install denyhosts

Change to the /etc/ directory. Now open "denyhosts.conf" with your favourite editor, for example nano:

nano denyhosts.conf

Search for "DAEMON_SLEEP = 30s". Here you set how often DenyHosts checks the auth.log file. With "PURGE_DENY = 1d" you set the duration of the ban. It's your choice: set it to 1 month if you want, but remember that your hosts.deny file will then grow every day. The last option I want to present is "DAEMON_PURGE = 1d". It starts the clean-up of the hosts.deny file and deletes aged entries. Running this process once a day is enough.

When you are done, save the file with "CTRL+O" and exit with "CTRL+X". Then restart the DenyHosts daemon: "/etc/init.d/denyhosts restart"

Note: Some older Ubuntu versions don't have the hosts.deny file. You have to create it yourself: "touch /etc/hosts.deny".
