Linux Server Security: How to Prevent SSH attacks

 

When your Linux server is exposed to the Internet, it will be sniffed by scanning software on the Internet and tried to guess the SSH Login Password.

You will find that there are multiple SSH logon Failure records every day. Scan tools pose a threat to your server. You must set a complex logon password and block IP addresses that fail to log on multiple times, make it inaccessible to the server within a period of time.
DenyHosts can be used to prevent attempts to guess the SSH logon password. It will analyze log files such as/var/log/secure, when you find that the same IP address is used for multiple SSH password attempts, the IP address is recorded in/etc/hosts. deny file to automatically block the IP address.
DenyHosts official website is: http://denyhosts.sourcefor...
Install DenyHosts
[Root @ switch DenyHost] # ls-l
Total usage 44
-Rw ------- 1 root 42667 August 5 19:23 DenyHosts-2.6.tar.gz
[Root @ switch DenyHost] # tar-zxvf DenyHosts-2.6.tar.gz
DenyHosts-2.6/
DenyHosts-2.6/PKG-INFO
DenyHosts-2.6/denyhosts. py.
The DenyHosts-2.6/denyhosts. cfg-dist.
DenyHosts-2.6/setup. py
DenyHosts-2.6/DenyHosts/
DenyHosts-2.6/DenyHosts/prefs. py
DenyHosts-2.6/DenyHosts/report. py
DenyHosts-2.6/DenyHosts/lockfile. py
DenyHosts-2.6/DenyHosts/_ init _. py
DenyHosts-2.6/DenyHosts/plugin. py
DenyHosts-2.6/DenyHosts/denyfileutil. py
DenyHosts-2.6/DenyHosts/deny_hosts.py
DenyHosts-2.6/DenyHosts/regex. py
A DenyHosts-2.6/DenyHosts/sync. py
DenyHosts-2.6/DenyHosts/counter. py
DenyHosts-2.6/DenyHosts/old-daemon.py
DenyHosts-2.6/DenyHosts/util. py
DenyHosts-2.6/DenyHosts/daemon. py
DenyHosts-2.6/DenyHosts/python_version.py
DenyHosts-2.6/DenyHosts/allowedhosts. py
DenyHosts-2.6/DenyHosts/filetracker. py
DenyHosts-2.6/DenyHosts/loginattempt. py
DenyHosts-2.6/DenyHosts/restricted. py
DenyHosts-2.6/DenyHosts/purgecounter. py
DenyHosts-2.6/DenyHosts/version. py
DenyHosts-2.6/DenyHosts/constants. py
DenyHosts-2.6/CHANGELOG.txt
DenyHosts-2.6/LICENSE.txt
DenyHosts-2.6/daemon-control-dist
DenyHosts-2.6/plugins/
DenyHosts-2.6/plugins/README. contrib
DenyHosts-2.6/plugins/shorewall_allow.sh
DenyHosts-2.6/plugins/shorewall_deny.sh
DenyHosts-2.6/plugins/test_deny.py
A DenyHosts-2.6/scripts/
DenyHosts-2.6/scripts/restricted_from_invalid.py
DenyHosts-2.6/scripts/restricted_from_passwd.py
DenyHosts-2.6/README.txt.
DenyHosts-2.6/MANIFEST. in
 
[Root @ switch DenyHost] # cd DenyHosts-2.6
[Root @ switch DenyHosts-2.6] # ls
CHANGELOG.txt DenyHosts denyhosts. py MANIFEST. in plugins scripts
Daemon-control-dist denyhosts. cfg-dist LICENSE.txt PKG-INFO README.txt setup. py
 
[Root @ switch DenyHosts-2.6] # python setup. py install
Running install
Running build
Running build_py
Creating build
Creating build/lib
Creating build/lib/DenyHosts
Copying DenyHosts/deny_hosts.py-> build/lib/DenyHosts
Copying DenyHosts/denyfileutil. py-> build/lib/DenyHosts
Copying DenyHosts/version. py-> build/lib/DenyHosts
Copying DenyHosts/_ init _. py-> build/lib/DenyHosts
Copying DenyHosts/util. py-> build/lib/DenyHosts
Copying DenyHosts/constants. py-> build/lib/DenyHosts
Copying DenyHosts/restricted. py-> build/lib/DenyHosts
Copying DenyHosts/plugin. py-> build/lib/DenyHosts
Copying DenyHosts/sync. py-> build/lib/DenyHosts
Copying DenyHosts/prefs. py-> build/lib/DenyHosts
Copying DenyHosts/report. py-> build/lib/DenyHosts
Copying DenyHosts/filetracker. py-> build/lib/DenyHosts
Copying DenyHosts/python_version.py-> build/lib/DenyHosts
Copying DenyHosts/loginattempt. py-> build/lib/DenyHosts
Copying DenyHosts/allowedhosts. py-> build/lib/DenyHosts
Copying DenyHosts/regex. py-> build/lib/DenyHosts
Copying DenyHosts/purgecounter. py-> build/lib/DenyHosts
Copying DenyHosts/old-daemon.py-> build/lib/DenyHosts
Copying DenyHosts/daemon. py-> build/lib/DenyHosts
Copying DenyHosts/counter. py-> build/lib/DenyHosts
Copying DenyHosts/lockfile. py-> build/lib/DenyHosts
Running build_scripts
Creating build/scripts-2.3
Copying and adjusting denyhosts. py-> build/scripts-2.3
Changing mode of build/scripts-2.3/denyhosts. py from 644 to 755
Running install_lib
Creating/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/deny_hosts.py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/denyfileutil. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/version. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/_ init _. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/util. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/constants. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/restricted. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/plugin. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/sync. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/prefs. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/report. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/filetracker. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/python_version.py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/loginattempt. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/allowedhosts. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/regex. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/purgecounter. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/old-daemon.py>/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/daemon. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/counter. py->/usr/lib/python2.3/site-packages/DenyHosts
Copying build/lib/DenyHosts/lockfile. py->/usr/lib/python2.3/site-packages/DenyHosts
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/deny_hosts.py to deny_hosts.pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/denyfileutil. py to denyfileutil. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/version. py to version. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/_ init _. py to _ init _. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/util. py to util. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/constants. py to constants. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/restricted. py to restricted. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/plugin. py to plugin. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/sync. py to sync. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/prefs. py to prefs. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/report. py to report. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/filetracker. py to filetracker. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/python_version.py to python_version.pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/loginattempt. py to loginattempt. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/allowedhosts. py to allowedhosts. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/regex. py to regex. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/purgecounter. py to purgecounter. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/old-daemon.py to old-daemon.pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/daemon. py to daemon. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/counter. py to counter. pyc
Byte-compiling/usr/lib/python2.3/site-packages/DenyHosts/lockfile. py to lockfile. pyc
Running install_scripts
Copying build/scripts-2.3/denyhosts. py->/usr/bin
Changing mode of/usr/bin/denyhosts. py to 755
Running install_data
Creating/usr/share/denyhosts
Copying denyhosts. cfg-dist->/usr/share/denyhosts
Copying setup. py->/usr/share/denyhosts
Copying daemon-control-dist->/usr/share/denyhosts
Copying CHANGELOG.txt->/usr/share/denyhosts
Copying README.txt->/usr/share/denyhosts
Creating/usr/share/denyhosts/scripts
Copying scripts/restricted_from_invalid.py->/usr/share/denyhosts/scripts
Copying scripts/restricted_from_passwd.py->/usr/share/denyhosts/scripts
Creating/usr/share/denyhosts/plugins
Copying plugins/test_deny.py->/usr/share/denyhosts/plugins
Copying plugins/README. contrib->/usr/share/denyhosts/plugins
Copying plugins/shorewall_deny.sh->/usr/share/denyhosts/plugins
Copying plugins/shorewall_allow.sh->/usr/share/denyhosts/plugins
Copying LICENSE.txt->/usr/share/denyhosts
 
DenyHosts parameter configuration
[Root @ switch DenyHosts-2.6] # cd/usr/share/denyhosts/# DenyHosts default installation directory
[Root @ switch denyhosts] # cp denyhosts. cfg-dist denyhosts. cfg
[Root @ switch denyhosts] # vi denyhosts. cfg # DenyHosts configuration file
SECURE_LOG =/var/log/secure # ssh log File
 
# Format is: I [dhwmy]
# Where I is an integer (eg. 7)
# M = minutes
# H = hours
# D = days
# W = weeks
# Y = years
#
# Never purge:
PURGE_DENY = 50 m # How long will the blocked IP address be cleared?
 
HOSTS_DENY =/etc/hosts. deny # Write the blocked IP address to hosts. deny

BLOCK_SERVICE = sshd # blocked service name

DENY_THRESHOLD_INVALID = 1 # Number of Logon failures allowed for invalid users

DENY_THRESHOLD_VALID = 10 # Number of Logon failures allowed by common users

DENY_THRESHOLD_ROOT = 5 # number of failed root logon attempts
 
WORK_DIR =/usr/local/share/denyhosts/data # record the deny host or ip address to Work_dir.
 
DENY_THRESHOLD_RESTRICTED = 1 # Set the deny host to be written to this folder.
 
LOCK_FILE =/var/lock/subsys/denyhosts # record the pid started by DenyHOts to LOCK_FILE. Ensure that the service is properly started to prevent multiple services from being started at the same time.

HOSTNAME_LOOKUP = NO # Do You Want To reverse domain name resolution?

ADMIN_EMAIL = root@data.com # Set administrator email address

DAEMON_LOG =/var/log/denyhosts # Your Own log File
 
DAEMON_PURGE = 10 m # Set this item to the same as PURGE_DENY, which is also the time for clearing hosts. deniedssh users.
 
DenyHosts Startup File Configuration
[Root @ switch denyhosts] # cp daemon-control-dist daemon-control
[Root @ switch denyhosts] # chown root daemon-control
[Root @ switch denyhosts] # chmod 700 daemon-control
[Root @ switch denyhosts] #./daemon-control # DenyHosts Command Format
Usage:./daemon-control {start [args...] | stop | restart [args...] | status | debug | condrestart [args...]}
 
For a list of valid args refer:
$ Denyhosts. py -- help
[Root @ switch denyhosts] #./daemon-control start # start DenyHosts
Starting DenyHosts:/usr/bin/env python/usr/bin/denyhosts. py -- daemon -- config =/usr/share/denyhosts. cfg
If You Want To Enable Automatic startup of DenyHosts after each restart, you also need to make the following settings:
[Root @ switch denyhosts] # ln-s/usr/share/denyhosts/daemon-control/etc/init. d/denyhosts
[Root @ switch denyhosts] # chkconfig -- add denyhosts
[Root @ switch denyhosts] # chkconfig denyhosts on
[Root @ switch denyhosts] # chkconfig-level 2345 denyhosts on
Or modify the/etc/rc. local file:
Root @ switch denyhosts] # vi/etc/rc. local
Add the following command
/Usr/share/denyhosts/daemon-control start
 
[Root @ switch denyhosts] # tail-f/var/log/secure
Aug 5 19:20:51 switch sshd [5831]: Accepted password for root from: ffff: 192.168.1.31 port 1744 ssh2
Aug 5 19:21:00 switch sshd [5831]: Received disconnect from: ffff: 192.168.1.31: 0:
Aug 5 19:21:02 switch sshd [5865]: Accepted password for root from: ffff: 192.168.1.31 port 1745 ssh2
Aug 5 19:30:25 switch sshd [5865]: Received disconnect from: ffff: 192.168.1.31: 0:
Aug 5 19:33:48 switch sshd [5962]: Failed password for test from: ffff: 192.168.1.31 port 175