InstallDenyHostsOnSlackware

Install Deny Hosts on Slackware 13.1

Yes, it's just another day at the office: you SSH into your own private server (running Slackware, of course!), and you stumble upon this in your /var/log/messages:

Oct 26 12:06:15 udon sshd[1647]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:15 udon sshd[1647]: Failed password for root from 115.84.229.226 port 54308 ssh2
Oct 26 12:06:18 udon sshd[1649]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:18 udon sshd[1649]: Failed password for root from 115.84.229.226 port 54507 ssh2
Oct 26 12:06:21 udon sshd[1651]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:21 udon sshd[1651]: Failed password for root from 115.84.229.226 port 54697 ssh2
Oct 26 12:06:24 udon sshd[1653]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:24 udon sshd[1653]: Failed password for root from 115.84.229.226 port 54905 ssh2
Oct 26 12:06:26 udon sshd[1655]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:26 udon sshd[1655]: Invalid user reception from 115.84.229.226
Oct 26 12:06:26 udon sshd[1655]: Failed password for invalid user reception from 115.84.229.226 port 55111 ssh2
Oct 26 12:06:29 udon sshd[1657]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:29 udon sshd[1657]: Invalid user postgres from 115.84.229.226
Oct 26 12:06:29 udon sshd[1657]: Failed password for invalid user postgres from 115.84.229.226 port 55313 ssh2
Oct 26 12:06:32 udon sshd[1659]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:32 udon sshd[1659]: Invalid user postgres from 115.84.229.226
Oct 26 12:06:32 udon sshd[1659]: Failed password for invalid user postgres from 115.84.229.226 port 55510 ssh2

Yup, somebody noticed your server has port 22 open to the Internet and is very busy trying to get in (with all the wrong logins, of course, although note the repeated tries against root: the bot is counting on password logins for root still being allowed). So what is a poor sysadmin to do? Install Deny Hosts, of course! Keep in mind what it is, though: a daemon that reads sshd's log and adds offending addresses to /etc/hosts.deny, so it reacts after the first failures and complements, rather than replaces, key-only authentication and PermitRootLogin no in sshd_config.

Fortunately, this is very easy to do on Slackware, not just because Slackware is good, but also because Deny Hosts itself is excellent:

1. Download and unpack the latest distribution

Come on, lazy slacker, click on this link to download the latest version.

Then, the usual:

gil@udon:~/files/download$ tar xvzf DenyHosts-2.6.tar.gz
gil@udon:~/files/download$ cd DenyHosts-2.6

So far, so good. Now, as root:

gil@udon:~/files/download/DenyHosts-2.6$ sudo python ./setup.py install

Deny Hosts is now installed.

2. Configure the whole thing

Fairly easy -- read the "README.txt" file, and you will note that:

gil@udon:~/files/download/DenyHosts-2.6$ ls /usr/bin/deny*
/usr/bin/denyhosts.py*

While this location is a bit non-standard (/usr/local/ or /opt/ would seem better choices), at least it is logical: setup.py installs under Python's own prefix, which on Slackware is /usr.

As the documentation says, only two files need attention: the main configuration /usr/share/denyhosts/denyhosts.cfg and the daemon controller /usr/share/denyhosts/daemon-control. The install ships them as denyhosts.cfg-dist and daemon-control-dist in that directory; copy each to its final name before editing, and make daemon-control executable and owned by root, as README.txt instructs.

Modify the configuration as you see fit, but remember that on this setup the PID of Deny Hosts lives in /var/run/denyhosts.pid, and that both files need to point to it: LOCK_FILE in denyhosts.cfg and DENYHOSTS_LOCK in daemon-control. In both files this is the setting commented as the "Debian" option. If the two disagree, daemon-control looks for the PID in the wrong place and its stop and status commands do not work.

A very good thing is to lower the delay between each check of /var/log/messages by Deny Hosts. This is the DAEMON_SLEEP value, which I lowered to 4 seconds (DAEMON_SLEEP = 4s) instead of the larger default in denyhosts.cfg-dist. Please note that 4 seconds is already enough time for a bot with a few parallel connections to try many logins; as far as I am concerned, the default is way too long.

Finally, under Slackware sshd messages are logged to /var/log/messages; in the Deny Hosts configuration file this is the SECURE_LOG setting, and /var/log/messages is labelled there as the SUSE option. Where sshd logs depends on the SyslogFacility in sshd_config and on /etc/syslog.conf, so confirm it with grep sshd /var/log/messages before relying on it (the lines quoted above confirm it for this machine); if your sshd logs to /var/log/secure instead, SECURE_LOG must follow.
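To catch the lock-file mismatch and the SECURE_LOG mistake before they bite, here is a small check added as an example (it is not part of Deny Hosts): it parses constructed excerpts of denyhosts.cfg and daemon-control, using the real option names, and reports disagreements. The sample contents and the expected log path are assumptions for the example; run it against the real files by reading them into the two strings.

```python
"""Consistency check for the two DenyHosts files edited in step 2.

Added example, not part of DenyHosts: it parses the KEY = value lines of
denyhosts.cfg and the NAME = "value" assignments of daemon-control and
reports the mismatches that bite on Slackware (lock file paths that
disagree, a SECURE_LOG that is not where sshd actually logs, and a
DAEMON_SLEEP without a unit DenyHosts understands).
"""
import re

# Constructed excerpt of denyhosts.cfg with the Slackware choices made
# in the text.  Option names are the real ones from denyhosts.cfg-dist.
SAMPLE_CFG = """\
# sshd logs to /var/log/messages on Slackware (the "SUSE" choice)
SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
#LOCK_FILE = /var/lock/subsys/denyhosts
LOCK_FILE = /var/run/denyhosts.pid
DAEMON_SLEEP = 4s
DAEMON_PURGE = 1h
"""

# Constructed excerpt of daemon-control; the commented line is the
# Redhat default that must stay commented out.
SAMPLE_DAEMON_CONTROL = """\
DENYHOSTS_BIN   = "/usr/bin/denyhosts.py"
#DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_LOCK  = "/var/run/denyhosts.pid"
DENYHOSTS_CFG   = "/usr/share/denyhosts/denyhosts.cfg"
"""

# Unit suffixes DenyHosts accepts for time values such as DAEMON_SLEEP.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}


def parse_cfg(text):
    """Turn 'KEY = value' lines into a dict; blank and '#' lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_daemon_control(text):
    """Collect the uncommented DENYHOSTS_* = "..." assignments from daemon-control."""
    return dict(re.findall(r'^(DENYHOSTS_\w+)\s*=\s*"([^"]*)"', text, re.M))


def sleep_seconds(value):
    """Convert '4s', '30s', '1h', ... to seconds; raise on anything else."""
    m = re.fullmatch(r"(\d+)\s*([smhdwy]?)", value)
    if not m:
        raise ValueError("unparseable time value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def check_config(cfg_text, dc_text, expected_log="/var/log/messages"):
    """Return a list of human-readable problems; an empty list means consistent."""
    cfg = parse_cfg(cfg_text)
    dc = parse_daemon_control(dc_text)
    problems = []

    # Both files must name the same PID/lock file, or `daemon-control
    # stop` and `daemon-control status` look in the wrong place.
    if cfg.get("LOCK_FILE") != dc.get("DENYHOSTS_LOCK"):
        problems.append("LOCK_FILE %r in denyhosts.cfg != DENYHOSTS_LOCK %r in daemon-control"
                        % (cfg.get("LOCK_FILE"), dc.get("DENYHOSTS_LOCK")))

    # SECURE_LOG must be the file sshd actually writes to on this box.
    if cfg.get("SECURE_LOG") != expected_log:
        problems.append("SECURE_LOG is %r but sshd logs to %r"
                        % (cfg.get("SECURE_LOG"), expected_log))

    # A DAEMON_SLEEP DenyHosts cannot parse is a configuration error.
    try:
        sleep_seconds(cfg.get("DAEMON_SLEEP", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_CFG, SAMPLE_DAEMON_CONTROL) or ["configuration is consistent"]:
        print(line)
```

The daemon-control regex is anchored at the start of the line on purpose: the commented-out Redhat lines that ship in the file must not be mistaken for live settings.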

3. Create a script to start Deny Hosts automatically

Here is the tricky part, since Slackware does not incorporate all the system scripts you can find under other Linux distros. This is a wise decision, as far as I am concerned, and creating a custom Deny Hosts script is simple and easy.

Here is mine, which was inspired by the original Slackware /etc/rc.d/rc.ntpd script:

#!/bin/sh
# Start/stop/restart Deny Hosts (/etc/rc.d/rc.denyhosts)

# The controller script shipped with Deny Hosts does the real work:
CMDLINE="/usr/share/denyhosts/daemon-control"

# Start Deny Hosts:
dnh_start() {
  echo "Starting Deny Hosts daemon:  $CMDLINE"
  $CMDLINE start
  echo
}

# Stop Deny Hosts:
dnh_stop() {
  echo "Stopping Deny Hosts daemon:  $CMDLINE"
  $CMDLINE stop
  echo
}

# Restart Deny Hosts:
dnh_restart() {
  dnh_stop
  sleep 1
  dnh_start
}

# Check if Deny Hosts is running:
dnh_status() {
  $CMDLINE status
  echo
}

case "$1" in
'start')
  dnh_start
  ;;
'stop')
  dnh_stop
  ;;
'restart')
  dnh_restart
  ;;
'status')
  dnh_status
  ;;
*)
  echo "usage $0 start|stop|restart|status"
  exit 1
  ;;
esac

Save this file as /etc/rc.d/rc.denyhosts, make it executable (chmod 755 /etc/rc.d/rc.denyhosts; daemon-control itself must be executable too), and you are in business!

Take a look at /var/log/messages and you should see a short entry whenever Deny Hosts blocks a script kiddie:

root@udon:~# grep -i denyhosts /var/log/messages
Oct 27 15:42:00 udon denyhosts: Added the following hosts to /etc/hosts.deny - 115.84.229.226
Oct 27 15:42:00 udon denyhosts: Added the following hosts to /etc/hosts.deny - 221.207.229.6

And you can also check this in the TCP Wrappers file /etc/hosts.deny (which only has an effect because Slackware's sshd is linked against libwrap; ldd /usr/sbin/sshd | grep wrap confirms it on your build):

root@udon:~# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.deny     1.00    05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org
#
#

# DenyHosts: Thu Oct 27 15:42:00 2011 | sshd: 115.84.229.226
sshd: 115.84.229.226
# DenyHosts: Thu Oct 27 15:42:00 2011 | sshd: 221.207.229.6
sshd: 221.207.229.6

Eat that, you dumb bot! No more cracking attempts for you!

4. Add a whitelist if needed

On the other hand, if, like me, you sometimes type your password a little too fast, and have paranoid defaults in your Deny Hosts configuration, you may find yourself locked out of your own server. To whitelist a machine, create a file named allowed-hosts in the /usr/share/denyhosts/data directory (the WORK_DIR of the configuration), with one IP address per line for each machine that must always be allowed to connect, then restart Deny Hosts so it picks the file up. This is also useful if you see a lot of "Failed publickey" messages from sshd in /var/log/messages (a client with several keys loaded logs one for each key sshd rejects before the right one).
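The decision Deny Hosts makes from log lines like the ones at the top of this page, and the effect of allowed-hosts, as an added example that is not Deny Hosts' own code: it counts failed logins per source address in the three classes the denyhosts.cfg thresholds distinguish (DENY_THRESHOLD_ROOT, DENY_THRESHOLD_VALID, DENY_THRESHOLD_INVALID are the real option names; the numeric values below are assumptions for the example), skips whitelisted addresses, and prints entries in the format shown in /etc/hosts.deny above. The sample log is the one quoted at the top plus a few constructed lines (the 192.0.2.x addresses).

```python
"""Toy version of the decision DenyHosts makes, as an added example.

Not DenyHosts' own code: it reads sshd lines of the kind shown on this
page, counts failed logins per source address in the three classes
DenyHosts distinguishes (root, an existing user, a nonexistent user),
skips addresses listed in allowed-hosts, and prints entries in the
format DenyHosts writes to /etc/hosts.deny.
"""
import re
import time
from collections import defaultdict

# The option names are DenyHosts' own (denyhosts.cfg); the values here
# are assumptions for the example, take yours from the file.
THRESHOLDS = {
    "root": 1,       # DENY_THRESHOLD_ROOT
    "valid": 10,     # DENY_THRESHOLD_VALID
    "invalid": 5,    # DENY_THRESHOLD_INVALID
}

# Contents of a constructed allowed-hosts file: one address per line.
ALLOWED_HOSTS_FILE = """\
192.0.2.10
"""

# Constructed sample: the lines from the text, plus a whitelisted address
# hammering root and a real user (gil) fat-fingering a password twice
# before getting in.  Reverse-mapping warnings carry no failed login.
SAMPLE_LOG = """\
Oct 26 12:06:15 udon sshd[1647]: reverse mapping checking getaddrinfo for 226.229.84.115.ids.service.eastern-tele.com [115.84.229.226] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 26 12:06:15 udon sshd[1647]: Failed password for root from 115.84.229.226 port 54308 ssh2
Oct 26 12:06:18 udon sshd[1649]: Failed password for root from 115.84.229.226 port 54507 ssh2
Oct 26 12:06:21 udon sshd[1651]: Failed password for root from 115.84.229.226 port 54697 ssh2
Oct 26 12:06:24 udon sshd[1653]: Failed password for root from 115.84.229.226 port 54905 ssh2
Oct 26 12:06:26 udon sshd[1655]: Invalid user reception from 115.84.229.226
Oct 26 12:06:26 udon sshd[1655]: Failed password for invalid user reception from 115.84.229.226 port 55111 ssh2
Oct 26 12:06:29 udon sshd[1657]: Failed password for invalid user postgres from 115.84.229.226 port 55313 ssh2
Oct 26 12:06:32 udon sshd[1659]: Failed password for invalid user postgres from 115.84.229.226 port 55510 ssh2
Oct 26 12:07:01 udon sshd[1661]: Failed password for root from 192.0.2.10 port 40001 ssh2
Oct 26 12:07:03 udon sshd[1661]: Failed password for root from 192.0.2.10 port 40001 ssh2
Oct 26 12:07:10 udon sshd[1663]: Failed password for gil from 192.0.2.20 port 40100 ssh2
Oct 26 12:07:14 udon sshd[1663]: Failed password for gil from 192.0.2.20 port 40100 ssh2
Oct 26 12:07:19 udon sshd[1663]: Accepted password for gil from 192.0.2.20 port 40100 ssh2
"""

# Matches the two shapes of failed-password line sshd writes.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def classify(line):
    """Return (ip, class) for a failed-login line, None for any other line."""
    m = FAILED.search(line)
    if not m:
        return None
    invalid, user, ip = m.groups()
    if invalid:
        return ip, "invalid"
    if user == "root":
        return ip, "root"
    return ip, "valid"


def failure_counts(lines):
    """Count failed logins per (ip, class)."""
    counts = defaultdict(int)
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return dict(counts)


def load_allowed(text):
    """Parse an allowed-hosts file: one address per line, blank lines ignored."""
    return {l.strip() for l in text.splitlines() if l.strip()}


def offenders(lines, thresholds=THRESHOLDS, allowed=frozenset()):
    """Addresses whose failure count in some class reached that class's threshold."""
    blocked = set()
    for (ip, klass), n in failure_counts(lines).items():
        if ip not in allowed and n >= thresholds[klass]:
            blocked.add(ip)
    return blocked


def hosts_deny_entries(blocked, when):
    """Format entries like DenyHosts does: a dated comment, then 'sshd: <ip>'."""
    out = []
    for ip in sorted(blocked):
        out.append("# DenyHosts: %s | sshd: %s" % (when, ip))
        out.append("sshd: %s" % ip)
    return out


if __name__ == "__main__":
    allowed = load_allowed(ALLOWED_HOSTS_FILE)
    blocked = offenders(SAMPLE_LOG.splitlines(), allowed=allowed)
    stamp = time.strftime("%a %b %d %H:%M:%S %Y")
    print("\n".join(hosts_deny_entries(blocked, stamp)))
```

With these thresholds the bot's four root failures alone get 115.84.229.226 blocked; gil's two typos stay well under the valid-user threshold, and 192.0.2.10 is never touched because it is whitelisted, which is exactly why the allowed-hosts file matters when the root threshold is 1.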

5. Add Deny Hosts to your /etc/rc.d/rc.inet2 file

I forgot this in the first version of this page, and it is rather important: if you want Deny Hosts to start at every boot, you need to add an entry to /etc/rc.d/rc.inet2, the script that starts network services on Slackware. Here is mine, as an example:

# Start the OpenSSH SSH daemon:
if [ -x /etc/rc.d/rc.sshd ]; then
  echo "Starting OpenSSH SSH daemon:  /usr/sbin/sshd"
  /etc/rc.d/rc.sshd start
fi

# Since we are starting SSH, start DenyHosts   ;-)
# ---- ADDED by GIL 2011/12/13 ----
if [ -x /etc/rc.d/rc.denyhosts ]; then
  echo "Starting Deny Hosts:"
  /etc/rc.d/rc.denyhosts start
fi

It makes sense to start Deny Hosts right after SSH, since it is supposed to protect SSH from the unwanted attention of script kiddies. Note the -x test: as with the other rc scripts, removing the execute bit from /etc/rc.d/rc.denyhosts disables it at boot. And there you have it: Deny Hosts will protect your server even after a reboot!

See Also: