freebsdrocks.net was started originally as nospam.mine.nu.
A step by step guide on how to install Denyhosts on FreeBSD
Installing denyhosts on FreeBSD is simple and straightforward. Denyhosts can help you thwart attacks on your SSH server, namely dictionary-based and brute-force attacks. It is also capable of blocking other services.
Now, before we start, a word of advice. Don’t let yourself be lured into a false sense of security by thinking denyhosts is a good way to secure your server. It’s not. It’s a pretty neat program that can help you, that’s all. It’s not intended as a replacement for a real firewall. If you really want to secure your server, place it behind a firewall. That said, let’s start installing denyhosts.
Right, as mentioned, this is quite simple. We will install denyhosts from ports.
cd /usr/ports/security/denyhosts
make install clean
When the option screen pops up, accept the default settings by hitting "Tab" and then "OK".
Depending on what you’ve already installed, you may not receive all of the questions. Don’t worry, something else has probably already installed that component for you. Below are the default questions you normally get and the action you need to take.
gettext | Accept the default settings. Just hit "Tab" and press "OK"
libiconv | Accept the default settings. Just hit "Tab" and press "OK"
Next, add the following 2 lines to your rc.conf file.
syslogd_flags="-c"
denyhosts_enable="YES"
Denyhosts normally logs to a file called "hosts.deniedssh" residing in /etc. This file is not created when installing denyhosts, so we will need to create it ourselves.
touch /etc/hosts.deniedssh
Normal behavior is to block ssh and other login attempts monitored by denyhosts through the "hosts.allow" file located in /etc. Open that file and locate the following line.
vi /etc/hosts.allow
ALL : ALL : allow
Then add the following above that line.
sshd : /etc/hosts.deniedssh : deny
Your hosts.allow should now look something like this.
sshd : /etc/hosts.deniedssh : deny
ALL : ALL : allow
Right, almost there.
All that’s left is to configure the threshold values and which services should be blocked. The configuration file for denyhosts is called "denyhosts.conf" and is normally located in /usr/local/etc/. There are a lot of things you can adjust, and I recommend reading the FAQ on the official denyhosts site. Nevertheless, here are a couple of adjustments just to get you started.
vi /usr/local/etc/denyhosts.conf
Let’s edit what services we want to block when repeated login attempts occur.
###################################################
#
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
#
# man 5 hosts_access for details
#
# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1
#
# To block all services for the offending host:
# BLOCK_SERVICE = ALL
# To block only sshd:
# BLOCK_SERVICE = sshd
# To only record the offending host and nothing else if using
# an auxilary file to list the hosts. Refer to:
# http://denyhosts.sourceforge.net/faq.html#aux
#BLOCK_SERVICE =
#
###################################################
Now you have a few options here. Remember to remove the "#" in front of the setting you want to use.
Not recommended:
BLOCK_SERVICE = ALL
Recommended:
BLOCK_SERVICE = sshd
It is also possible to block more than one service using a line like the one below; in this example, ssh and ftp are blocked. In theory, it’s possible to block everything that you can pass through a TCP Wrapper.
BLOCK_SERVICE = sshd,ftpd
Next we want to set the threshold on when to apply the above action.
You need to modify the following lines to suit your needs or just stick with the default settings.
DENY_THRESHOLD_INVALID
DENY_THRESHOLD_VALID
DENY_THRESHOLD_ROOT
DENY_THRESHOLD_RESTRICTED
To avoid locking yourself out, which is a real pain in the backside, especially when your server is located like 100 miles away, you should add at least 1 IP address which you use and that should never be locked out.
touch /usr/local/share/denyhosts/data/allowed-hosts
Now just add the IP address or IP addresses that will never be blocked to the allowed-hosts file you just created. One IP address per line.
Once you are done, all that’s left is to start or restart Denyhosts.
sh /usr/local/etc/rc.d/denyhosts start
sh /usr/local/etc/rc.d/denyhosts restart
Now all of the above is just to get you started with a working Denyhosts installation. There’s a lot more you can configure, but I suggest visiting the official Denyhosts site for more information on how to configure Denyhosts.
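The setup above can go wrong in three quiet ways: the deny file was never created, the sshd deny rule sits below "ALL : ALL : allow" and is never reached, or your own address is missing from allowed-hosts. The script below is an added example, not part of the original guide or of Denyhosts, that checks all three; the function names, the sample files and the 192.0.2.x addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example. Function names, sample files and IP addresses are constructed.

# hosts.allow is read top to bottom and the first matching rule wins, so the
# sshd deny rule must come before the catch-all "ALL : ALL : allow".
check_wrapper_order() {   # $1 = path to hosts.allow
    awk '
        /^[ \t]*#/ { next }                            # skip comment lines
        { rule = $0; gsub(/[ \t]/, "", rule) }         # ignore spacing
        rule == "sshd:/etc/hosts.deniedssh:deny" && !deny { deny = NR }
        rule == "ALL:ALL:allow" && !allow { allow = NR }
        END { exit !(deny && (!allow || deny < allow)) }
    ' "$1"
}

# The address you administer from must be on a line of its own (-x), so that
# 192.0.2.1 is not treated as present just because 192.0.2.10 is listed.
check_allowed_host() {    # $1 = path to allowed-hosts, $2 = IP address
    [ -f "$1" ] && grep -Fxq -- "$2" "$1"
}

fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

# Run every check, report each problem, return the number of problems found.
preflight() {   # $1 = hosts.allow  $2 = deny file  $3 = allowed-hosts  $4 = IP
    problems=0
    [ -f "$2" ] || fail "$2 does not exist (create it with touch)"
    check_wrapper_order "$1" || fail "sshd deny rule missing or below ALL : ALL : allow in $1"
    check_allowed_host "$3" "$4" || fail "$4 is not listed in $3"
    return "$problems"
}

# Constructed sample files so the example runs without touching /etc.
demo=$(mktemp -d)
printf 'sshd : /etc/hosts.deniedssh : deny\nALL : ALL : allow\n' > "$demo/good.allow"
printf 'ALL : ALL : allow\nsshd : /etc/hosts.deniedssh : deny\n' > "$demo/bad.allow"
: > "$demo/hosts.deniedssh"
printf '192.0.2.10\n' > "$demo/allowed-hosts"

preflight "$demo/good.allow" "$demo/hosts.deniedssh" "$demo/allowed-hosts" 192.0.2.10 \
    && echo "good.allow: ready to start denyhosts"
preflight "$demo/bad.allow" "$demo/hosts.deniedssh" "$demo/allowed-hosts" 192.0.2.1 \
    || echo "bad.allow: fix the problems above first"
```

On a real system, call preflight with /etc/hosts.allow, /etc/hosts.deniedssh, /usr/local/share/denyhosts/data/allowed-hosts and the address you log in from, before starting the service.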