One way to defend against SSH brute-force attacks: the denyhosts tool (appendix: accidentally blocking your own IP)

Time:2021-5-4

Recently, when logging in to the server, the system prompted that there had been XXX failed login attempts since the last successful login.

As a newcomer, this was the first time I had met this. Although nothing was lost, I took the opportunity to learn how to deal with it. For convenience later, I am making a simple record here.

SSH brute force attack

It is a type of network attack that tries to log in to a remote login device (such as a cloud server) by running through enumerated user names (especially common, habitual user names) and password dictionaries, in order to steal the device's permissions and obtain illegal benefits (reference: https://cloud.tencent.com/developer/article/1159622).

There are many ways to deal with this problem: changing the SSH port, using a security group to restrict incoming IPs, and using tools such as fail2ban and denyhosts.

Here I only describe the process of using the denyhosts tool.

Introduction to denyhosts

Denyhosts is a Python script run by Linux system administrators to prevent attacks on the SSH server (http://denyhosts.sourceforge.net/).

In the server security log (CentOS: /var/log/secure; Ubuntu: /var/log/auth.log) you can view the records of access to the server. When an unknown IP visits many times, we can add allowed IPs to the system whitelist (/etc/hosts.allow) or forbidden IPs to the blacklist (/etc/hosts.deny) to restrict which IPs may access the server. However, attackers usually access the server from many different IP addresses, which makes this very troublesome to do by hand. Denyhosts is a script that automatically reads and analyzes the security log and adds IPs that meet the configured blocking conditions to /etc/hosts.deny.

Denyhosts manual installation (based on CentOS 7)

1、 Download denyhosts source code

wget http://github.com/denyhosts/denyhosts/archive/v2.10.tar.gz
tar -zxvf v2.10.tar.gz

2、 Install denyhosts

cd denyhosts-2.10
python setup.py install
Note: since denyhosts is based on Python 2, if you also have Python 3 installed, pay attention to which Python environment runs it.

3、 Modify configuration

After installation, daemon-control-dist and denyhosts.py are generated in /usr/bin, and the configuration file /etc/denyhosts.conf is generated by default.

vim /etc/denyhosts.conf # modify the configuration file

Revised content:

########################################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file command line
# argument
#
# The log file name differs between systems
# Redhat or Fedora Core:
# (modify the log file path to fit the current system, CentOS 7)
SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
#SECURE_LOG = /var/log/auth.log
#
# SuSE or Gentoo:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater -
#   also refer to:   http://www.denyhost.net/faq.html#macos
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
# Debian and Ubuntu
#SECURE_LOG = /var/log/auth.log
########################################################################
######################################################################
#
# LOCK_FILE
#
# LOCK_FILE=/path/denyhosts
# If this file exists when DenyHosts is run, then DenyHosts will exit
# immediately.  Otherwise, this file will be created upon invocation
# and deleted upon exit.  This ensures that only one instance is
# running at a time.
#
# The path differs between systems
# Redhat/Fedora:
# (prevents denyhosts from running more than once; modify the path to fit the current system, CentOS 7)
LOCK_FILE = /var/lock/subsys/denyhosts
#
# Debian or Gentoo
#LOCK_FILE = /run/denyhosts.pid
#
# Misc
#LOCK_FILE = /tmp/denyhosts.lock
#
######################################################################
# format is: i[dhwmy]
# Where i is an integer (eg. 7)
# m = minutes
# h = hours
# d = days
# w = weeks
# y = years
#
# never purge:
# how long until a blocked IP is released (left empty: never)
PURGE_DENY =
# the file that blocked IPs are written to
HOSTS_DENY = /etc/hosts.deny
# name of the service to block
BLOCK_SERVICE = sshd
# at most how many times an IP may be released; an IP that brute-forces the SSH
# password is blocked and released until it reaches PURGE_THRESHOLD times,
# after which it is banned permanently
PURGE_THRESHOLD =
# number of login failures allowed for invalid (non-existent) users
DENY_THRESHOLD_INVALID = 1
# number of login failures allowed for ordinary users
DENY_THRESHOLD_VALID = 10
# number of login failures allowed for root
DENY_THRESHOLD_ROOT = 5
# the denied hosts/IPs are recorded under WORK_DIR
WORK_DIR = /var/lib/denyhosts
# number of login failures allowed for restricted user names
# (those listed in WORK_DIR/restricted-usernames)
DENY_THRESHOLD_RESTRICTED = 1
# the PID of the running denyhosts is recorded in LOCK_FILE, which makes sure
# the service starts correctly and prevents several instances starting at once
LOCK_FILE = /var/lock/subsys/denyhosts
# whether to do reverse DNS lookups on the IP
HOSTNAME_LOOKUP = NO
# administrator e-mail address
ADMIN_EMAIL =
# location of the denyhosts log
DAEMON_LOG = /var/log/denyhosts

Modify the configuration according to your own needs.
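To see how the thresholds above play out, here is an added Python model (not denyhosts' own code) that counts failed sshd logins per source IP and category, blocks an IP once a count exceeds that category's threshold as the config comments describe, and skips an allow list like the one denyhosts reads from WORK_DIR/allowed-hosts; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Thresholds as set in the denyhosts.conf above: failures allowed per category.
THRESHOLDS = {"invalid": 1, "valid": 10, "root": 5, "restricted": 1}

# sshd "Failed password" lines as they appear in /var/log/secure on CentOS 7.
FAILED = re.compile(r"Failed password for (?P<inv>invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def classify(user, is_invalid, restricted):
    # Map one failure to the denyhosts category it is counted under.
    if is_invalid:
        return "invalid"
    if user == "root":
        return "root"
    if user in restricted:
        return "restricted"
    return "valid"

def failures_per_host(lines, restricted=frozenset()):
    """Count failed logins per source IP and category."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED.search(line)
        if m:
            cat = classify(m.group("user"), bool(m.group("inv")), restricted)
            counts[m.group("ip")][cat] += 1
    return counts

def hosts_to_deny(lines, allowed=frozenset(), restricted=frozenset(), thresholds=THRESHOLDS):
    """IPs whose failures in some category exceed that category's threshold,
    skipping an allow list (denyhosts reads its own from WORK_DIR/allowed-hosts)."""
    denied = {}
    for ip, per_cat in failures_per_host(lines, restricted).items():
        if ip in allowed:
            continue
        over = sorted(cat for cat, n in per_cat.items() if n > thresholds[cat])
        if over:
            denied[ip] = over
    return denied

# Constructed /var/log/secure sample; 198.51.100.7 is the admin's own IP (two typos in the user name, then success).
SAMPLE_LOG = [
    "Jul 27 11:20:30 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jul 27 11:20:32 srv sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2",
    "Jul 27 11:20:35 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51250 ssh2",
    "Jul 27 11:25:01 srv sshd[1400]: Failed password for invalid user alcie from 198.51.100.7 port 40001 ssh2",
    "Jul 27 11:25:05 srv sshd[1401]: Failed password for invalid user alcie from 198.51.100.7 port 40002 ssh2",
    "Jul 27 11:25:09 srv sshd[1402]: Accepted password for alice from 198.51.100.7 port 40003 ssh2",
] + ["Jul 27 11:21:%02d srv sshd[13%02d]: Failed password for root from 192.0.2.9 port 4%04d ssh2" % (i, i, i)
     for i in range(6)]   # six root failures: one more than DENY_THRESHOLD_ROOT = 5
```

With DENY_THRESHOLD_INVALID = 1 the admin's own IP is denied after its second typo, exactly the mistaken-block case discussed later; only the allow list keeps it out.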

4、 Set up the startup program of denyhosts service

Copy the daemon control script to /etc/init.d/ and rename it denyhosts:

cp /usr/bin/daemon-control-dist /etc/init.d/denyhosts
vim /etc/init.d/denyhosts # modify the file to match the denyhosts configuration file

The changes are as follows:

###############################################
#### Edit these to suit your configuration ####
###############################################

DENYHOSTS_BIN   = "/usr/bin/denyhosts.py"       # the path where denyhosts.py was generated during installation
DENYHOSTS_LOCK  = "/var/lock/subsys/denyhosts"  # the path specified by LOCK_FILE in /etc/denyhosts.conf
DENYHOSTS_CFG   = "/etc/denyhosts.conf"

PYTHON_BIN      = "/usr/bin/env python"

###############################################
####         Do not edit below             ####
###############################################

At this point, the installation of the denyhosts tool is complete.

Suggestion: before starting the denyhosts service, first understand the problem that may arise after starting it (accidentally blocking your commonly used IP; see below for details).

5、 Start the denyhosts service

Start command:

/etc/init.d/denyhosts start

or

service denyhosts start
service denyhosts status # check whether the denyhosts service is running ("denyhosts is running with PID = XXXX" means it started successfully)

Set it to start on boot:

chkconfig --add denyhosts
chkconfig denyhosts on

(content reference: https://www.iteait.com/archives/659)

The problem of accidentally blocking your commonly used IP

Before starting the service, we often overlook one problem. After starting, denyhosts traverses the whole security log file /var/log/secure (on CentOS), and every IP record in it is counted as long as it meets the configured conditions. Therefore your own commonly used IP may also be added to the system blacklist (/etc/hosts.deny), so that you can no longer log in to the server.

Solutions:

Before startup:

Delete the lines containing your commonly used IP from the security log file. For the command that deletes specified lines from a file, look it up yourself (sed command, sed -i -e '/string/d' filename, for reference only).

After startup (unable to log in to the server through SSH):

First, you need to log in to the server from a different network (a different IP).

Next, view the record files of the blocked IP and delete its entries:

vim /var/log/secure  # security log file
vim /etc/hosts.deny  # the system's forbidden-IP file
cd /var/lib/denyhosts
vim hosts
vim hosts-root
vim hosts-restricted
vim hosts-valid
vim users-invalid
vim users-hosts
# the default work directory set in the configuration file (WORK_DIR = /var/lib/denyhosts)
# to batch delete the lines of a file that contain specified content, look it up yourself (sed command)

If you don't care about the other records, you can simply clear these files (not recommended).

After deleting these records the system should have released the IP, but the IP still could not access the server (why? why? why?). So I went through the configuration file and the record files to see what was missing, and found that denyhosts has its own log file, set in the configuration file (DAEMON_LOG = /var/log/denyhosts).

There is such a record in the denyhosts log:

2020-07-27 11:20:38,664 - denyhosts   : INFO     Creating new firewall rule /sbin/iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
2020-07-27 11:20:38,677 - denyhosts   : INFO     new denied hosts: ['xxx.xxx.xxx.xxx']

With a learning attitude I got to know iptables (https://wangchujiang.com/linux-command/c/iptables.html). Denyhosts not only adds the IP to the blacklist, but also adds a firewall rule that drops packets from that IP.

Therefore, in addition to deleting the IP records in the files above, the rule restricting the IP must also be deleted from the firewall:

iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
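As an added example (not part of the original post), the following Python works out the full unblock for one IP from the daemon log format shown above and the record files: it removes only whole-address matches from hosts.deny and the WORK_DIR files, and emits one iptables -D per -I rule that denyhosts logged, since -D deletes a single matching rule per call; all file contents and addresses are constructed.

```python
import re

# Daemon log lines in the format shown above ("Creating new firewall rule ...").
RULE_LINE = re.compile(
    r"Creating new firewall rule (?P<rule>/sbin/iptables -I INPUT -s (?P<ip>\S+) -j DROP)")

def firewall_rules_for(daemon_log_lines, ip):
    """Return one 'iptables -D' command per '-I' rule denyhosts logged for ip.
    iptables -D removes a single matching rule per call, so a rule inserted
    twice (e.g. after a restart) needs two deletions."""
    cmds = []
    for line in daemon_log_lines:
        m = RULE_LINE.search(line)
        if m and m.group("ip") == ip:
            cmds.append(m.group("rule").replace("-I INPUT", "-D INPUT", 1))
    return cmds

def strip_ip(text, ip):
    """Drop every line naming ip as a whole address (10.0.0.1 must not match 10.0.0.10)."""
    token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return "".join(l for l in text.splitlines(True) if not token.search(l))

def unblock_plan(ip, daemon_log_lines, files):
    """files maps path -> contents of /etc/hosts.deny and the WORK_DIR record files.
    Returns the files whose contents change (with ip removed) and the iptables commands."""
    changed = {}
    for path, contents in files.items():
        cleaned = strip_ip(contents, ip)
        if cleaned != contents:
            changed[path] = cleaned
    return changed, firewall_rules_for(daemon_log_lines, ip)

# Constructed sample data; 198.51.100.7 is the admin's own IP.
DAEMON_LOG = [
    "2020-07-27 11:20:38,664 - denyhosts   : INFO     Creating new firewall rule /sbin/iptables -I INPUT -s 203.0.113.5 -j DROP",
    "2020-07-27 11:20:38,670 - denyhosts   : INFO     Creating new firewall rule /sbin/iptables -I INPUT -s 198.51.100.7 -j DROP",
    "2020-07-27 11:20:38,677 - denyhosts   : INFO     new denied hosts: ['203.0.113.5', '198.51.100.7']",
    "2020-07-27 12:02:10,001 - denyhosts   : INFO     Creating new firewall rule /sbin/iptables -I INPUT -s 198.51.100.7 -j DROP",
]
FILES = {
    "/etc/hosts.deny": "sshd: 203.0.113.5\nsshd: 198.51.100.7\nsshd: 198.51.100.70\n",
    "/var/lib/denyhosts/hosts": "203.0.113.5:2:Mon Jul 27 11:20:38 2020\n198.51.100.7:2:Mon Jul 27 11:20:38 2020\n",
    "/var/lib/denyhosts/hosts-root": "203.0.113.5:1:Mon Jul 27 11:20:38 2020\n",
}
```

Run iptables -L INPUT -n afterwards to confirm no DROP line for the address remains before deciding the unblock is complete.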

Login successful!

Welcome to discuss in the comments and correct any mistakes.
