HOWTO Setup Deny Hosts: Difference between revisions

From Research
Jump to navigation Jump to search
 
(13 intermediate revisions by the same user not shown)
Line 4: Line 4:


== Setup ==
== Setup ==
* If ssh is not compiled '''tcpd''' you will need to edit make.conf and recompile.
<font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -pv net-misc/openssh'''
[ebuild  <font color=green>R</font> ] <font color=green>net-misc/openssh-x.x</font>  USE="<font color=red>'''tcpd'''</font><font color=blue></font>"
* There will be more USE flags listed in addition to '''tcpd''' but it is the only necessary flag for this setup.


  <font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -v denyhosts'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -v denyhosts'''
Line 18: Line 10:
Manually create a missing file:
Manually create a missing file:
  <font color=red>hostname</font> <font color=blue>~ #</font> '''touch /var/lib/denyhosts/sync-timestamp'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''touch /var/lib/denyhosts/sync-timestamp'''
Note:  this will produce an error on the first-sync, due to the empty-file (which, being empty, contains a non-compliant date):
2012-11-21 09:09:11,501 - sync        : ERROR    invalid literal for long() with base 10: ''
After a second sync (nominally 2hrs after the first time denyhosts is run) this error will disappear.


* Denyhosts can be run as a cron job, but we run it as as service:
* Denyhosts can be run as a cron job, but we run it as as service:
Line 29: Line 24:
  <font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /etc/denyhosts.conf'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /etc/denyhosts.conf'''
   
   
  PURGE_DENY =2h
  SECURE_LOG = /var/log/auth.log ''or for some servers and all workstations: SECURE_LOG = /var/log/messages''
PURGE_THRESHOLD = 3
   
   
  BLOCK_SERVICE  = ALL
  BLOCK_SERVICE  = ALL
''REM out BLOCK_SERVICE''  = sshd
DENY_THRESHOLD_ROOT = 4
   
   
  SYSLOG_REPORT=YES
  SYSLOG_REPORT=YES
Line 48: Line 37:
   
   
  SYNC_DOWNLOAD = yes
  SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
<br>
<br>
Problems arise when friendly folks attempt to access services and fail.  This is especially harsh when an automated tool attempts to re-access a service repeatedly with the failing credentials, and before the user can even react, they are blocked :-(  We add entries to /etc/hosts.allow to try to prevent this:
Problems arise when friendly folks attempt to access services and fail.  This is especially harsh when an automated tool attempts to re-access a service repeatedly with the failing credentials, and before the user can even react, they are blocked :-(  We add entries to /etc/hosts.allow to try to prevent this:
  <font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /etc/hosts.allow'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /var/lib/denyhosts/allowed-hosts'''
# SFU IP ADDRESSES.  Taken from http://whois.arin.net/rest/org/SFU-1/nets on March 6, 2012. GRP.
#192.75.241.0/11 142.58.0.0/16  209.87.56.0/24 206.12.128.0/8 206.12.30.0/8 207.23.85.0/8 204.244.192.168/3 199.60.0.0/12                                             
# SHAW IP ADDRESSES.  Taken from http://whois.arin.net/rest/org/SHAWC/nets on March 6, 2012. GRP.
#174.0.0.0/13 184.64.0.0/13 204.209.208.0/21 204.244.240.0/9 24.108.0.0/15 24.64.0.0/13 24.70.0.0/15 24.71.223.0/24 24.76.0.0/15 24.80.0.0/13 24.244.0.0/18 50.64.0.0/13 68.144.0.0/11 70.64.0.0/12 96.48.0.0/13 64.59.128.0/18 66.163.64.0/20                                                                                                           
# TELUS IP ADDRESSES.  Taken from http://whois.arin.net/rest/org/TACE/nets on March 6, 2012. GRP.
#204.209.208.0/11 24.108.0.0/15 64.59.128.0/18 142.60.0.0/16 137.186.0.0/16 206.75.0.0/16 207.81.0.0/16 207.134.0.0/16 154.5.0.0/16 204.174.120.0/15 209.115.222.0/8 204.174.64.0/11 142.169.0.0/16 142.168.0.0/16 199.84.240.0/10 64.180.0.0/16 50.92.0.0/15 216.226.32.0/13 206.162.128.0/14 66.110.128.0/14 207.102.0.0/16 206.108.16.0/12 207.34.128.0/14 207.194.0.0/16 208.181.0.0/16 209.52.0.0/16 204.174.211.0/11 206.108.192.0/13 64.114.0.0/16 209.115.128.0/15 161.184.64.0/11 209.107.96.0/13 154.5.0.0/16 207.228.64.0/14 207.148.128.0/14 209.91.64.0/14 205.236.24.0/8 205.236.48.0/8 209.104.64.0/14 207.167.192.0/14 154.11.0.0/16 216.123.192.0/14 207.229.0.0/14 208.38.0.0/14 199.212.152.0/11 204.225.240.0/11 207.34.192.0/14 209.20.0.0/14 209.121.0.0/16 206.108.64.0/13 209.89.0.0/16 205.206.0.0/16 209.162.160.0/12 204.191.0.0/16 205.250.0.0/16 207.81.0.0/16 209.171.0.0/16 209.29.0.0/16 198.53.0.0/16 206.116.0.0/16 198.166.0.0/16 206.75.0.0/16 207.216.0.0/16 207.6.0.0/16 66.222.128.0/15 207.134.0.0/16 216.218.0.0/14 137.186.0.0/16 199.126.0.0/16 209.202.64.0/14 66.203.192.0/13 207.219.0.0/16 216.232.0.0/16 209.53.0.0/16 66.183.0.0/16 207.34.64.0/14 206.26.204.192/14 205.138.102.0/8 207.6.32.0/13 206.116.224.0/11 173.180.0.0/16 205.138.98.0/8 108.172.0.0/16 75.152.0.0/16 154.20.0.0/16 99.199.0.0/16 50.98.0.0/16 23.16.0.0/16                                                                               
   
   
  # DELTA CABLE IP ADDRESSESTaken from http://whois.arin.net/rest/org/DLTA/nets on March 6, 2012. GRP.
  # the following line prevents DenyHosts from blocking SFU
  #24.207.0.0/15
sfu.ca
  iat.sfu.ca
142.58.0.1/16
  209.87.60.1/24
   
   
  SSHD: 127.0.0.1/8 192.75.241.0/11 142.58.0.0/16 209.87.56.0/24 206.12.128.0/8 206.12.30.0/8 207.23.85.0/8 204.244.192.168/3 199.60.0.0/12 174.0.0.0/13 184.64.0.0/13 204.209.208.0/21 204.244.240.0/9 24.108.0.0/15 24.64.0.0/13 24.70.0.0/15 24.71.223.0/24 24.76.0.0/15 24.80.0.0/13 24.244.0.0/18 50.64.0.0/13 68.144.0.0/11 70.64.0.0/12 96.48.0.0/13 64.59.128.0/18 66.163.64.0/20 204.209.208.0/11 24.108.0.0/15 64.59.128.0/18 142.60.0.0/16 137.186.0.0/16 206.75.0.0/16 207.81.0.0/16 207.134.0.0/16 154.5.0.0/16 204.174.120.0/15 209.115.222.0/8 204.174.64.0/11 142.169.0.0/16 142.168.0.0/16 199.84.240.0/10 64.180.0.0/16 50.92.0.0/15 216.226.32.0/13 206.162.128.0/14 66.110.128.0/14 207.102.0.0/16 206.108.16.0/12 207.34.128.0/14 207.194.0.0/16 208.181.0.0/16 209.52.0.0/16 204.174.211.0/11 206.108.192.0/13 64.114.0.0/16 209.115.128.0/15 161.184.64.0/11 209.107.96.0/13 154.5.0.0/16 207.228.64.0/14 207.148.128.0/14 209.91.64.0/14 205.236.24.0/8 205.236.48.0/8 209.104.64.0/14 207.167.192.0/14 154.11.0.0/16 216.123.192.0/14 207.229.0.0/14 208.38.0.0/14 199.212.152.0/11 204.225.240.0/11 207.34.192.0/14 209.20.0.0/14 209.121.0.0/16 206.108.64.0/13 209.89.0.0/16 205.206.0.0/16 209.162.160.0/12 204.191.0.0/16 205.250.0.0/16 207.81.0.0/16 209.171.0.0/16 209.29.0.0/16 198.53.0.0/16 206.116.0.0/16 198.166.0.0/16 206.75.0.0/16 207.216.0.0/16 207.6.0.0/16 66.222.128.0/15 207.134.0.0/16 216.218.0.0/14 137.186.0.0/16 199.126.0.0/ 16 209.202.64.0/14 66.203.192.0/13 207.219.0.0/16 216.232.0.0/16 209.53.0.0/16 66.183.0.0/16 207.34.64.0/14 206.26.204.192/14 205.138.102.0/8 207.6.32.0/13 206.116.224.0/11 173.180.0.0/16 205.138.98.0/8 108.172.0.0/16 75.152.0.0/16 154.20.0.0/16 99.199.0.0/16 50.98.0.0/16 23.16.0.0/16 24.207.0.0/15
  # the following line prevents DenyHosts from blocking admin from common offsite:
   
shaw.ca
  ALL:  192.75.241.0/11 142.58.0.0/16 209.87.56.0/24 206.12.128.0/8 206.12.30.0/8 207.23.85.0/8 204.244.192.168/3 199.60.0.0/12
telus.com
  deltacable.com
  teksavvy.com
  bell.ca
  rogers.ca


== Turn It On ==
== Turn It On ==


  <font color=red>hostname</font> <font color=blue>~ #</font> '''/etc/init.d/denyhosts start'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''/etc/init.d/denyhosts start'''
Be patient - during startup, your specified log-file is read... this can take several ''minutes'', during which it may appear that DenyHosts isn't starting... it is, though.  Just wait.


== Problems? ==
== Problems? ==
Line 78: Line 64:
   <font color=red>hostname</font> <font color=blue>~ #</font> '''tail -f  /var/log/denyhosts'''
   <font color=red>hostname</font> <font color=blue>~ #</font> '''tail -f  /var/log/denyhosts'''
Also - given the above settings, it takes one hour (1h) after starting the denyhost daemon before a sync to the denyhost-server is attempted.
Also - given the above settings, it takes one hour (1h) after starting the denyhost daemon before a sync to the denyhost-server is attempted.
<br>
And - if you're trying crazy-strict '''outgoing''' firewall rules, you may need to open to xmlrpc.denyhosts.net:9911.

Latest revision as of 22:11, 27 February 2017

Purpose

Fail2ban, working in combination with iptables, is our favoured method of controlling crack-attempts. Fail2ban is reactionary though (responding as/after attacks occur), and is best-used only on a real server. Denyhosts makes use of a collaborative, on-line list of attackers, and can therefore be very pro-active in blocking crack-attempts. So, we're testing defence-in-depth by applying both fail2ban and denyhosts on some machines. In addition, our virtual servers (Gentoo Linux Vserver guests) cannot directly address hardware, do not run iptables, and cannot use fail2ban - Denyhosts is a great security addition to a Vserver-guest.

Setup

hostname ~ # emerge -v denyhosts
[ebuild   N ] app-admin/denyhosts-x.x

Manually create a missing file:

hostname ~ # touch /var/lib/denyhosts/sync-timestamp

Note: this will produce an error on the first-sync, due to the empty-file (which, being empty, contains a non-compliant date):

2012-11-21 09:09:11,501 - sync        : ERROR    invalid literal for long() with base 10: 

After a second sync (nominally 2hrs after the first time denyhosts is run) this error will disappear.

  • Denyhosts can be run as a cron job, but we run it as as service:
hostname ~ # rc-update add denyhosts default

Configure

  • There are several values to change in denyhosts.conf. Refer to the comments in this file for more information.
hostname ~ # emacs -nw /etc/denyhosts.conf

SECURE_LOG = /var/log/auth.log or for some servers and all workstations: SECURE_LOG = /var/log/messages

BLOCK_SERVICE  = ALL

SYSLOG_REPORT=YES

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

SYNC_INTERVAL = 1h

SYNC_UPLOAD = yes

SYNC_DOWNLOAD = yes


Problems arise when friendly folks attempt to access services and fail. This is especially harsh when an automated tool attempts to re-access a service repeatedly with the failing credentials, and before the user can even react, they are blocked :-( We add entries to /etc/hosts.allow to try to prevent this:

hostname ~ # emacs -nw /var/lib/denyhosts/allowed-hosts

# the following line prevents DenyHosts from blocking SFU
sfu.ca
iat.sfu.ca
142.58.0.1/16
209.87.60.1/24

# the following line prevents DenyHosts from blocking admin from common offsite:
shaw.ca
telus.com
deltacable.com
teksavvy.com
bell.ca
rogers.ca

Turn It On

hostname ~ # /etc/init.d/denyhosts start

Be patient - during startup, your specified log-file is read... this can take several minutes, during which it may appear that DenyHosts isn't starting... it is, though. Just wait.

Problems?

Try:

 hostname ~ # tail -f  /var/log/denyhosts

Also - given the above settings, it takes one hour (1h) after starting the denyhost daemon before a sync to the denyhost-server is attempted.
And - if you're trying crazy-strict outgoing firewall rules, you may need to open to xmlrpc.denyhosts.net:9911.