A step by step guide on how to install Denyhosts on FreeBSD

Installing denyhosts on FreeBSD is simple and straightforward. Denyhosts can help you thwart attacks against your SSH server, namely dictionary-based attacks and brute force attacks. It is also capable of blocking other services.

Before we start, a word of advice. Don’t let yourself be lured into a false sense of security by thinking denyhosts is a good way to secure your server. It’s not. It’s a pretty neat program that can help you, that’s all. It’s not intended as a replacement for a real firewall. If you really want to secure your server, place it behind a firewall. That said, let’s start installing denyhosts.

As mentioned, this is quite simple. We will install denyhosts from ports.

When the option screen pops up, accept the default settings by hitting "Tab" and then "OK".

Depending on what you’ve already installed, you may not be asked all of the questions. Don’t worry, something else has probably installed that component for you already. Below are the default questions you normally get and the action you need to take.

gettext: Accept the default settings. Just hit "Tab" and press "OK".
libiconv: Accept the default settings. Just hit "Tab" and press "OK".

As Root

cd /usr/ports/security/denyhosts
make install clean

Next add the following 2 lines to your rc.conf file.

As Root

syslogd_flags="-c"
denyhosts_enable="YES"

Denyhosts normally logs to a file called "hosts.deniedssh" residing in /etc. This file is not created when installing denyhosts, so we need to create it ourselves.

As Root

touch /etc/hosts.deniedssh

Normal behavior is for ssh and the other login attempts monitored by denyhosts to be blocked through the "hosts.allow" file located in /etc, so that file needs a rule pointing at hosts.deniedssh.

As Root

vi /etc/hosts.allow

Find the following line at the top.

ALL : ALL : allow

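And add the following above that line. The order matters: hosts.allow is read from top to bottom and the first matching rule wins, so a deny rule placed below "ALL : ALL : allow" would never be reached.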

Add the following as root

sshd : /etc/hosts.deniedssh : deny

Your hosts.allow should now look something like this.

Result

sshd : /etc/hosts.deniedssh : deny

ALL : ALL : allow

Right, almost there.

All that’s left is to configure the threshold values and which services should be blocked. The configuration file for denyhosts is called "denyhosts.conf" and is normally located in /usr/local/etc/. There are a lot of things you can adjust, and I recommend reading the FAQ on the official denyhosts homepage. Nevertheless, here are a couple of adjustments just to get you started.

As root

vi /usr/local/etc/denyhosts.conf

Let’s edit what services we want to block when repeated login attempts occur.

Find the following lines.

###################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
#
# man 5 hosts_access for details
#
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
# BLOCK_SERVICE = ALL
# To block only sshd:
# BLOCK_SERVICE = sshd
# To only record the offending host and nothing else if using
# an auxilary file to list the hosts. Refer to:
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =
#
###################################################

Now you have a few options here. Remember to remove the "#" in front of the BLOCK_SERVICE line you want to use.

BLOCK_SERVICE = ALL     (not recommended)
BLOCK_SERVICE = sshd    (recommended)

It is also possible to block more than one service. In theory you can block anything that can be passed through a TCP Wrapper.

To block both SSH and FTP, use the following line.

BLOCK_SERVICE = sshd,ftpd

Next we want to set the threshold on when to apply the above action.

You need to modify the following lines to suit your needs or just stick with the default settings.

DENY_THRESHOLD_INVALID
DENY_THRESHOLD_VALID
DENY_THRESHOLD_ROOT
DENY_THRESHOLD_RESTRICTED

Locking yourself out is a real pain in the backside, especially when your server is located 100 miles away. To avoid it, add at least one IP address that you use and that should never be locked out.

As root

touch /usr/local/share/denyhosts/data/allowed-hosts

Now just add the IP address or IP addresses that should never be blocked to the allowed-hosts file you just created. One IP address per line.
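
The two steps that are easiest to get wrong are the position of the deny rule in hosts.allow and the entry for your own address in allowed-hosts. The script below is an added example, not part of the original guide or of Denyhosts itself; the function names (rule_line, check_hosts_allow, check_allowed_host) are made up for illustration, and the sample files and the address 192.0.2.10 are constructed.

```sh
#!/bin/sh
# Added example: checks for the hosts.allow and allowed-hosts steps of this guide.

# Print the number of the first active (non-comment) line whose text, with
# whitespace removed, starts with the rule in $2. Prints nothing if absent.
rule_line() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { l = $0; gsub(/[ \t]/, "", l) }        # "a : b : c" becomes "a:b:c"
        index(l, want) == 1 { print NR; exit }
    ' "$1"
}

# 0 = the deny rule is evaluated before any allow-all rule
# 1 = the deny rule is missing
# 2 = the deny rule sits below "ALL : ALL : allow" and is never reached
check_hosts_allow() {
    deny=$(rule_line "$1" "sshd:/etc/hosts.deniedssh:deny")
    allow=$(rule_line "$1" "ALL:ALL:allow")
    [ -n "$deny" ] || return 1
    [ -z "$allow" ] || [ "$deny" -lt "$allow" ] || return 2
    return 0
}

# 0 if the address in $2 is on a line of its own in the allowed-hosts file $1.
# Exact match only, following the one-address-per-line format used in this guide.
check_allowed_host() {
    grep -Fxq -- "$2" "$1"
}

# Demo on constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' '# sample' 'sshd : /etc/hosts.deniedssh : deny' 'ALL : ALL : allow' > "$demo_dir/good"
printf '%s\n' 'ALL : ALL : allow' 'sshd : /etc/hosts.deniedssh : deny' > "$demo_dir/bad"
printf '%s\n' '192.0.2.10' > "$demo_dir/allowed-hosts"

for f in good bad; do
    check_hosts_allow "$demo_dir/$f" && echo "$f: ok" || echo "$f: problem (code $?)"
done
check_allowed_host "$demo_dir/allowed-hosts" 192.0.2.10 && echo "admin address is listed"
```

On a real server, call check_hosts_allow with /etc/hosts.allow and check_allowed_host with /usr/local/share/denyhosts/data/allowed-hosts and the address you connect from, before you start Denyhosts.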

Once you are done, all that’s left is to start or restart Denyhosts.

Starting Denyhosts

sh /usr/local/etc/rc.d/denyhosts start

Restarting Denyhosts

sh /usr/local/etc/rc.d/denyhosts restart

All of the above is just to get you started with a working Denyhosts installation. There’s a lot more you can configure, and I suggest visiting the official Denyhosts site for more information on how to configure Denyhosts.