Protecting SSH With Denyhosts
Secure Shell (SSH) is one of the most important tools on a Linux server: it is how the server is administered remotely from anywhere with an internet connection. Unfortunately, because anyone who can log in over SSH can end up with full control of the server, SSH is a common target for attackers, and any server with its SSH port exposed to the internet will see a steady stream of automated password-guessing attempts.
Restricting IP Addresses
The usual advice is to use your firewall to restrict SSH access to the few IP addresses you know you will be connecting from. This works very well and is the strongest way to secure SSH, but it is not always practical: you may need to connect from an address you could not predict in advance. Denyhosts is a useful complement for that situation, because it blocks addresses that repeatedly fail to authenticate instead of shutting everyone else out up front.
Working with Denyhosts
Denyhosts is a simple tool that monitors the system's authentication log (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on CentOS and Red Hat; the SECURE_LOG setting) for failed SSH login attempts. It counts the failures per connecting IP in three categories, attempts as the root user, as a valid user of the system, and as an invalid user (one that doesn't exist), with a separate threshold for each (DENY_THRESHOLD_ROOT, DENY_THRESHOLD_VALID and DENY_THRESHOLD_INVALID; the shipped defaults are 1, 10 and 5). Once the count for a specific IP reaches one of the thresholds, the IP is added to the system's /etc/hosts.deny file, which blocks its future connection attempts. That blocking is enforced by TCP Wrappers (libwrap), not by Denyhosts itself, so it only works if your sshd honours hosts.deny: upstream OpenSSH dropped TCP Wrappers support in version 6.7, and although some distributions carried a patch restoring it for a while, you should confirm that ldd on your sshd binary lists libwrap before relying on Denyhosts alone.
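To make the threshold logic concrete, here is an added example (not code from this article or from DenyHosts) that models it in POSIX shell and awk over constructed sshd log lines: each failed password is attributed to its source IP and classified as a root, valid-user or invalid-user attempt, and an IP is reported once any category's count reaches that category's threshold. It also honours a DenyHosts-style allowed-hosts whitelist, the DenyHosts-side counterpart of the hosts.allow entry covered later in this article. The 5/10/1 thresholds in the demonstration are DenyHosts' shipped defaults for DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT; the AGE_RESET time windows that the real tool also applies are omitted, and every address and log line is made up.

```shell
#!/bin/sh
# Model of DenyHosts' per-host threshold logic (added example, not DenyHosts' code).
# Simplification: failure counts never age out; the real tool applies AGE_RESET_* windows.

# denyhosts_candidates LOG T_INVALID T_VALID T_ROOT [ALLOWED_HOSTS]
# Prints, one per line, the source IPs whose failed-password count in any single
# category reaches that category's threshold. IPs listed in ALLOWED_HOSTS (one per
# line, '#' comments allowed, like DenyHosts' WORK_DIR/allowed-hosts) are never reported.
denyhosts_candidates() {
  log=$1 t_inv=$2 t_val=$3 t_root=$4 allowed=${5:-/dev/null}
  awk -v t_inv="$t_inv" -v t_val="$t_val" -v t_root="$t_root" -v allowed="$allowed" '
    # the whitelist is read first; strip comments, keep the first token of each line
    FILENAME == allowed { sub(/#.*/, ""); if ($1 != "") allow[$1] = 1; next }
    # only failed password lines count; successful logins and other sshd noise are ignored
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      if ($0 ~ /Failed password for invalid user /)       kind = "invalid"
      else if ($0 ~ /Failed password for root from /)     kind = "root"
      else                                                kind = "valid"
      count[ip SUBSEP kind]++
    }
    END {
      for (k in count) {
        split(k, p, SUBSEP); ip = p[1]; kind = p[2]; n = count[k]
        if (ip in allow) continue
        if ((kind == "invalid" && n >= t_inv) ||
            (kind == "valid"   && n >= t_val) ||
            (kind == "root"    && n >= t_root)) deny[ip] = 1
      }
      for (ip in deny) print ip
    }' "$allowed" "$log" | sort
}

# Constructed sample in the format of Debian's /var/log/auth.log (not real traffic).
LOG=$(mktemp); ALLOW=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 10 12:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 12:00:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 50001 ssh2
Jan 10 12:00:06 host sshd[1003]: Failed password for invalid user test from 203.0.113.9 port 50002 ssh2
Jan 10 12:00:07 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.9 port 50003 ssh2
Jan 10 12:00:08 host sshd[1005]: Failed password for invalid user ubuntu from 203.0.113.9 port 50004 ssh2
Jan 10 12:00:09 host sshd[1006]: Failed password for invalid user pi from 203.0.113.9 port 50005 ssh2
Jan 10 12:00:12 host sshd[1007]: Failed password for invalid user admin from 203.0.113.50 port 50101 ssh2
Jan 10 12:00:13 host sshd[1008]: Failed password for invalid user guest from 203.0.113.50 port 50102 ssh2
Jan 10 12:00:14 host sshd[1009]: Failed password for invalid user ftp from 203.0.113.50 port 50103 ssh2
Jan 10 12:01:00 host sshd[1010]: Failed password for alice from 192.0.2.20 port 40010 ssh2
Jan 10 12:01:04 host sshd[1011]: Failed password for alice from 192.0.2.20 port 40011 ssh2
Jan 10 12:01:10 host sshd[1012]: Accepted publickey for alice from 192.0.2.20 port 40012 ssh2
Jan 10 12:02:00 host sshd[1013]: Failed password for root from 192.0.2.99 port 40020 ssh2
Jan 10 12:02:03 host sshd[1014]: Failed password for root from 192.0.2.99 port 40021 ssh2
EOF
cat > "$ALLOW" <<'EOF'
# constructed allowed-hosts: the administrator's own address, never to be blocked
192.0.2.99
EOF

echo "IPs DenyHosts would add to hosts.deny with the default thresholds (invalid 5, valid 10, root 1):"
denyhosts_candidates "$LOG" 5 10 1 "$ALLOW"
```

With the defaults, a single failed root login (198.51.100.7) is enough, five invalid-user guesses (203.0.113.9) are enough, three invalid-user guesses (203.0.113.50) and two failures against a real account (192.0.2.20) are not, and the whitelisted 192.0.2.99 is skipped even though its two root failures exceed the root threshold. Raising DENY_THRESHOLD_INVALID to 6 lets 203.0.113.9 through, and dropping the whitelist adds 192.0.2.99 to the list.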
Installing Denyhosts
Installing Denyhosts is fairly straightforward; on Debian and Ubuntu systems it is featured in the default repositories. Installation is as simple as:
sudo apt-get update
sudo apt-get install denyhosts
For CentOS and Red Hat systems, Denyhosts is not in the default repositories but does feature in the Fedora Project’s EPEL repositories. If you’ve not enabled that repository then you can do so with the following command:
sudo yum install epel-release
With the EPEL repository enabled, you can now install Denyhosts:
sudo yum install denyhosts
With Denyhosts installed, it's advisable to whitelist your own IP, or (if you don't have a static IP) a known safe IP you can connect from if you get locked out, such as a trusted VPN endpoint. TCP Wrappers consults /etc/hosts.allow before /etc/hosts.deny, so an entry here takes precedence over anything Denyhosts later writes to hosts.deny. The whitelisting is done by editing /etc/hosts.allow:
sudo nano /etc/hosts.allow
Then add a line as below:
sshd: 1.2.3.4
Remember to replace 1.2.3.4 with the actual IP that you want to whitelist. To whitelist more than one IP, separate them with commas (or spaces) as follows:
sshd: 1.2.3.4, 1.2.3.5, 1.2.3.6
Once you have added your IPs to the file you can save and exit it. The hosts_access(5) manual page describes the other patterns accepted here, including whole networks in network/netmask form. It is also worth adding the same addresses, one per line, to Denyhosts' own whitelist, the allowed-hosts file in its work directory (the directory named by WORK_DIR in denyhosts.conf, /var/lib/denyhosts on Debian and Ubuntu): hosts.allow stops a block from taking effect, while allowed-hosts stops Denyhosts from recording the address as blocked at all. That file is read when Denyhosts starts, so restart the service after changing it.
Configuring Denyhosts
Configuration for Denyhosts is managed through the /etc/denyhosts.conf file. On all the systems I tested on it was well documented, with clear explanations of what each option does and how it works. For most usage the default settings are perfectly fine, though it's worth taking the time to read through it so you know what it can be used for: the log file and hosts.deny location (SECURE_LOG, HOSTS_DENY), which service to block (BLOCK_SERVICE), the three DENY_THRESHOLD_* values, how long a host's failure count is kept before it is reset (the AGE_RESET_* settings), and an ADMIN_EMAIL address to notify whenever a host is blocked.
Denyhosts also has a useful synchronization feature: it can exchange its list of hosts to deny with a central server, so that all users of Denyhosts benefit from each other's experience. Once Denyhosts on a system decides that an IP address needs to be blocked, it can be uploaded to the central server, where other Denyhosts installations download it and add it to their deny lists, meaning an attacker can be stopped before they even reach your server. This is off in the default configuration and is enabled by removing the hash (#) from the start of the SYNC_SERVER line; the SYNC_UPLOAD and SYNC_DOWNLOAD lines next to it control the direction. Bear in mind that you are then importing other people's blocking decisions from a third-party service: keep SYNC_DOWNLOAD_THRESHOLD and SYNC_DOWNLOAD_RESILIENCY at sensible values so that an address is only pulled in after several installations have reported it over a period of time, and make sure your own addresses are whitelisted as described above. Once you make a change to the configuration you'll need to restart Denyhosts with:
sudo systemctl restart denyhosts
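The following is an added example, not a script that ships with DenyHosts, of making that change without hand-editing the file: it rewrites KEY = value lines of a denyhosts.conf-style file idempotently (replacing an active line if there is one, otherwise uncommenting the shipped commented-out line, otherwise appending) and uses that to switch on synchronization with the download thresholds described above. It runs against a constructed excerpt of the config so it can be tried safely; the option names and values are DenyHosts' own, but the excerpt is not the full shipped file. To apply it for real, point the functions at /etc/denyhosts.conf as root and restart the service afterwards.

```shell
#!/bin/sh
# Idempotent editing of a denyhosts.conf-style file (added example, not DenyHosts' tooling).
# The file uses "KEY = value" lines; a leading '#' disables a line, which is how the
# sync options ship.

# set_conf_option FILE KEY VALUE
# Rewrites the active "KEY = ..." line if one exists; otherwise uncomments and rewrites
# the first "#KEY = ..." line; otherwise appends the option. Running it twice is a no-op.
set_conf_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    BEGIN { act = "^[ \t]*" key "[ \t]*="; com = "^[ \t]*#[ \t]*" key "[ \t]*=" }
    # pass 1 (first copy of the file): find the line to replace, preferring an active one
    NR == FNR { if (!target && $0 ~ act) target = FNR
                if (!ctarget && $0 ~ com) ctarget = FNR
                next }
    # pass 2 (second copy): emit the file with that one line rewritten
    FNR == 1 { if (!target) target = ctarget; if (!target) target = -1 }
    FNR == target { print key " = " value; next }
    { print }
    END { if (target == "" || target == -1) print key " = " value }
  ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
  rm -f "$tmp"
}

# get_conf_option FILE KEY: prints the active value, or nothing if the option is
# absent or commented out.
get_conf_option() {
  awk -v key="$2" '
    $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# enable_sync FILE: share our blocks with the central server and pull in hosts that
# at least three other installations have reported (SYNC_DOWNLOAD_THRESHOLD) and
# that have kept attacking over at least five hours (SYNC_DOWNLOAD_RESILIENCY).
enable_sync() {
  set_conf_option "$1" SYNC_SERVER http://xmlrpc.denyhosts.net:9911
  set_conf_option "$1" SYNC_INTERVAL 1h
  set_conf_option "$1" SYNC_UPLOAD yes
  set_conf_option "$1" SYNC_DOWNLOAD yes
  set_conf_option "$1" SYNC_DOWNLOAD_THRESHOLD 3
  set_conf_option "$1" SYNC_DOWNLOAD_RESILIENCY 5h
}

# Constructed excerpt in the shipped file's format (not the full /etc/denyhosts.conf).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
# SYNC_SERVER: the central server; leave the line below commented to keep sync disabled.
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
#SYNC_INTERVAL = 1h
#SYNC_UPLOAD = yes
#SYNC_DOWNLOAD = yes
#SYNC_DOWNLOAD_THRESHOLD = 3
#SYNC_DOWNLOAD_RESILIENCY = 5h
EOF

enable_sync "$CONF"
echo "active sync settings after the edit:"
grep '^SYNC' "$CONF"
```

The two-pass awk matters on the real file, whose documentation comments mention option names freely: only a line of the form "KEY = value" or "#KEY = value" is ever touched, an active line wins over a commented one, and nothing is duplicated on repeated runs.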
Assuming you’ve not made any changes to the configuration file, on Debian and Ubuntu systems Denyhosts will have started automatically when installed, but for CentOS and Red Hat systems you’ll need to start it yourself:
sudo systemctl start denyhosts
On either system, to ensure that Denyhosts is enabled to start automatically following a reboot use the following command:
sudo systemctl enable denyhosts
With that you are done! Denyhosts is now watching your log files for failed login attempts and is ready to block any IP addresses that appear to be trying to brute force SSH connections to your server.
If you find that a legitimate user has been blocked, removing the line containing their IP from /etc/hosts.deny is only half the fix: Denyhosts keeps its own per-host records in its work directory (the hosts* and users-hosts files under WORK_DIR) and will re-add the IP from them. Stop Denyhosts, remove the IP from hosts.deny and from those record files, then start it again; and if that user connects from a fixed address, add it to hosts.allow and allowed-hosts so it cannot happen again.
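As an added example (not DenyHosts' own tooling) of doing this properly, the helpers below remove an address from hosts.deny and from the per-host record files DenyHosts keeps in its work directory, and demonstrate the change on constructed copies of those files in a temporary directory. The file locations and the record layouts are assumptions modelled on a default Debian-style install (/var/lib/denyhosts), so check WORK_DIR and HOSTS_DENY in your denyhosts.conf before using unban_ip on a real system.

```shell
#!/bin/sh
# Unblocking an address that DenyHosts has denied (added example, not DenyHosts' tooling).
# DenyHosts re-adds an IP that is removed from hosts.deny alone, because it keeps
# per-host records under WORK_DIR; both have to be cleaned while the daemon is stopped.

HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}        # assumed defaults; check denyhosts.conf
WORK_DIR=${WORK_DIR:-/var/lib/denyhosts}
# Per-host record files in WORK_DIR; missing ones are skipped. The "offset" file
# (how far into the log DenyHosts has read) is deliberately left alone: deleting it
# makes DenyHosts re-parse the whole log and re-block every host in it.
STATE_FILES="hosts hosts-restricted hosts-root hosts-valid hosts-invalid users-hosts"

# strip_ip FILE IP: delete every line of FILE in which IP appears as a whole address
# (so 203.0.113.9 does not also match 203.0.113.90). The rewrite goes through cat so
# the file keeps its owner and mode.
strip_ip() {
  file=$1
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  tmp=$(mktemp) || return 1
  grep -vE "(^|[^0-9.])${ip_re}([^0-9.]|$)" "$file" > "$tmp" || :   # grep exits 1 if nothing is left
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# unban_ip_files IP [HOSTS_DENY] [WORK_DIR]: remove IP from hosts.deny and from every
# record file; prints the number of lines removed.
unban_ip_files() {
  ip=$1 deny=${2:-$HOSTS_DENY} work=${3:-$WORK_DIR}
  removed=0
  for f in "$deny" $(for s in $STATE_FILES; do printf '%s/%s\n' "$work" "$s"; done); do
    [ -f "$f" ] || continue
    before=$(wc -l < "$f")
    strip_ip "$f" "$ip"
    after=$(wc -l < "$f")
    removed=$((removed + before - after))
  done
  echo "$removed"
}

# unban_ip IP: the procedure for a live system (run as root). The daemon is stopped
# first so the copy of the records it holds in memory is not written back over the edit.
unban_ip() {
  systemctl stop denyhosts
  n=$(unban_ip_files "$1")
  systemctl start denyhosts
  echo "removed $n record line(s) for $1"
}

# demo_setup: constructed hosts.deny and WORK_DIR in a temporary directory, modelled
# on what DenyHosts writes (a timestamp comment plus an "sshd: IP" entry in hosts.deny;
# "IP:count:time" records in the work directory). Prints the directory.
demo_setup() {
  d=$(mktemp -d)
  mkdir "$d/work"
  cat > "$d/hosts.deny" <<'EOF'
# DenyHosts: Tue Jan 10 12:05:00 2023 | sshd: 203.0.113.9
sshd: 203.0.113.9
# DenyHosts: Tue Jan 10 12:06:00 2023 | sshd: 203.0.113.90
sshd: 203.0.113.90
EOF
  printf '%s\n' '203.0.113.9:5:Tue Jan 10 12:05:00 2023' '203.0.113.90:5:Tue Jan 10 12:06:00 2023' > "$d/work/hosts"
  printf '%s\n' 'admin - 203.0.113.9:5:Tue Jan 10 12:05:00 2023' > "$d/work/users-hosts"
  echo "$d"
}

DEMO=$(demo_setup)
echo "removed $(unban_ip_files 203.0.113.9 "$DEMO/hosts.deny" "$DEMO/work") line(s); hosts.deny is now:"
cat "$DEMO/hosts.deny"
```

On the constructed files this removes four lines (the comment and entry in hosts.deny plus one record each in hosts and users-hosts) and leaves the neighbouring 203.0.113.90 entries untouched; a second run removes nothing.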