denyhosts (docs: FAQ)
denyhosts can be used to stop many kinds of brute-force attacks. If you're not using key-based authentication
for SSH, you'll probably want to install denyhosts: it gives an extra layer of security, and may let you relax
some other restrictions (eg. only allowing SSH logins from certain IP addresses). denyhosts can also be used to
block attacks on protocols other than SSH at the same time. Its drawbacks are its Python dependency and its use of
TCP wrappers. On the other hand, because it works through TCP wrappers it does not need a firewall in order to operate;
the flip side is that it only protects daemons that consult TCP wrappers (those linked against libwrap, or started
from inetd), and it only acts after failed logins have already been logged, so it complements key-based
authentication rather than replacing it.
NOTE: if you do not plan on exposing any ports to the public internet, you do not need to install denyhosts.
How to install:
cd /usr/ports/security/denyhosts
make install clean
if prompted for Python configuration, make changes as necessary and continue
vi /etc/rc.conf
add these lines (if a syslogd_flags setting already exists, make sure it includes the -c switch; -c stops syslogd
collapsing repeated messages into "last message repeated N times" lines, which would hide failed logins from denyhosts):
denyhosts_enable="YES"
syslogd_flags="-c"
save the changes and exit the editor
vi /etc/hosts.allow
comment out this line:
ALL : ALL : allow
add these lines just before the sendmail settings (TCP wrappers use the first rule that matches, so they must come
after the commented-out catch-all allow and before the "deny everything else" rule at the end of the file):
the file /etc/hosts.deniedssh that those lines refer to must exist: create it with touch if it does not
configuration options can be found in /usr/local/etc/denyhosts.conf
restart syslogd so the -c switch takes effect (/etc/rc.d/syslogd restart), then start denyhosts with
/usr/local/etc/rc.d/denyhosts start (from now on it will also start at boot)
check that denyhosts is running with ps ax | grep denyhosts
the logfile is /var/log/denyhosts
denied hosts will be listed in /etc/hosts.deniedssh
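The rc.conf and hosts.allow steps above, put together as one script. This is an added example for this page, not code from denyhosts or from the FreeBSD port: it assumes the two sshd rules take the form "sshd : /etc/hosts.deniedssh : deny" followed by "sshd : ALL : allow" (the page describes their effect but does not reproduce the lines), that the stock hosts.allow introduces its mail rules with a line starting "# Sendmail" or "sendmail :", and that rc.conf values are double-quoted. The directory argument lets you run it against copies of the files before touching /etc.

```shell
#!/bin/sh
# Added example, not the page's or the denyhosts port's own code. Applies the
# rc.conf / hosts.allow changes described above to the files in a directory
# you name, so you can try it on copies before running it against /etc.
#
# Assumptions (not spelled out on the page): the two sshd rules are
#   sshd : /etc/hosts.deniedssh : deny
#   sshd : ALL : allow
# the stock hosts.allow introduces its mail rules with a "# Sendmail" comment
# or a "sendmail :" rule, and rc.conf values are double-quoted.

# Enable denyhosts and make sure syslogd runs with -c. Without -c, syslogd
# folds repeated failures into "last message repeated N times", and denyhosts
# never sees the individual attempts it counts.
set_rc_conf() {
    f="$1"
    if grep -q '^denyhosts_enable=' "$f"; then
        awk '/^denyhosts_enable=/ { $0 = "denyhosts_enable=\"YES\"" } { print }' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        echo 'denyhosts_enable="YES"' >> "$f"
    fi
    if grep -q '^syslogd_flags=' "$f"; then
        # keep whatever flags are there and append -c if it is missing
        awk '/^syslogd_flags=/ && !/-c/ { sub(/"$/, " -c\"") } { print }' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        echo 'syslogd_flags="-c"' >> "$f"
    fi
}

# Comment out the catch-all "ALL : ALL : allow" and put the sshd rules in
# ahead of the sendmail section. TCP wrappers use the first rule that matches,
# so the deny rule must come before any rule that would allow sshd.
patch_hosts_allow() {
    f="$1"
    awk '
        /^ALL[ \t]*:[ \t]*ALL[ \t]*:[ \t]*allow/ && !commented {
            print "#" $0; commented = 1; next
        }
        (/^# ?Sendmail/ || /^sendmail[ \t]*:/) && !inserted {
            print "# denyhosts: refuse sshd to anything listed in the deny file"
            print "sshd : /etc/hosts.deniedssh : deny"
            print "sshd : ALL : allow"
            print ""
            inserted = 1
        }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# $1 is the directory holding rc.conf and hosts.allow (/etc on the real box).
apply_denyhosts_config() {
    etc="$1"
    set_rc_conf "$etc/rc.conf"
    patch_hosts_allow "$etc/hosts.allow"
    # the deny rule names this file, so it has to exist before sshd is hit
    touch "$etc/hosts.deniedssh"
}

# Usage: sh denyhosts-setup.sh /etc   (as root, after "make install clean")
if [ -n "${1:-}" ]; then
    apply_denyhosts_config "$1"
fi
```

Run it first against a scratch directory containing copies of rc.conf and hosts.allow and diff the results; the only thing it cannot do for you is restart syslogd and start the denyhosts rc script afterwards.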
a connection refused by TCP wrappers is logged to /var/log/auth.log as a "refused connect from [IP]" message, prefixed with the name and pid of the daemon that refused it. The string "You are not welcome to use [service] from [host]." is the twist text from the final rule of the default /etc/hosts.allow; it is what the connecting client is shown, not what appears in the log.
once denyhosts is running, if another daemon (say, mysqld) reports "refused connect" in /var/log/auth.log, that
daemon no longer has a rule that allows it (the catch-all allow was commented out above), so add a line to
/etc/hosts.allow to permit traffic to it. mysql will also report
"mysqld[483]: error: /etc/hosts.allow, line xx: twist option in resident process" in /var/log/auth.log: the twist
option in the file's final deny rule can only be executed by a process spawned per connection (eg. from inetd), not by a
long-running daemon, so libwrap refuses the connection instead. Open /etc/hosts.allow and add these lines after the SSH
lines added above:
# mysql
mysqld : ALL : allow
All hosts will then be allowed to connect to mysqld (narrow the client list if only certain networks should reach it).
Be sure to remove any mistakenly blocked hosts from /etc/hosts.deniedssh (denyhosts will probably have added any
clients that attempted to use mysql while it was blocked to the /etc/hosts.deniedssh file). denyhosts also keeps its own
record of blocked hosts in its WORK_DIR (see denyhosts.conf), and the denyhosts FAQ recommends stopping the daemon and
removing the address from the hosts* and users-hosts files there as well, otherwise it may be added back. A restart of
mysqld or anything else is NOT required for hosts.allow changes, as TCP wrappers read the file on every connection.
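An added example for the triage described above (not from the page or the denyhosts project): it pulls the daemons TCP wrappers refused out of an auth.log, flags the "twist option in resident process" errors, and removes a mistakenly blocked address from the deny file without touching similar addresses. It assumes the stock syslog line layout "Mon DD HH:MM:SS host daemon[pid]: refused connect from ADDR (NAME)" and that every line denyhosts writes to the deny file carries the address (including the dated comment line it puts above an entry); the log and deny-file contents in write_samples are constructed for the demo, not real data.

```shell
#!/bin/sh
# Added example, not the page's or the denyhosts project's own code: triage
# helpers for the "refused connect" situation described above.
#
# Assumptions: syslog lines look like
#   Mon DD HH:MM:SS host daemon[pid]: refused connect from ADDR (NAME)
# and each line denyhosts writes to the deny file carries the address
# (including the dated comment line it puts above an entry).

# Print "daemon address" for every refused connection other than sshd,
# de-duplicated. Each daemon listed needs its own rule in /etc/hosts.allow
# now that the catch-all allow is gone.
refused_daemons() {
    awk '
        /refused connect from/ {
            for (i = 2; i <= NF; i++)
                if ($i == "refused" && $(i+1) == "connect" && $(i+2) == "from") {
                    d = $(i-1)
                    sub(/\[[0-9]+\]:$/, "", d); sub(/:$/, "", d)
                    if (d != "sshd") print d, $(i+3)
                }
        }
    ' "$1" | sort -u
}

# The twist in the catch-all deny rule can only run in a process spawned
# per connection (inetd style); a resident daemon such as mysqld hits this
# error instead, and the connection is refused.
twist_errors() {
    grep 'twist option in resident process' "$1" || true
}

# Remove every line of the deny file that mentions exactly this address.
# The boundary check keeps 192.0.2.1 from also matching 192.0.2.10.
unblock_host() {
    addr="$1"; deny="$2"
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')
    grep -Ev "(^|[^0-9.])$esc([^0-9.]|$)" "$deny" > "$deny.tmp" || true
    mv "$deny.tmp" "$deny"
}

# Constructed sample data for a stand-alone run; not taken from a real host.
write_samples() {
    cat > "$1/auth.log" <<'EOF'
Mar  3 10:01:12 bsdbox sshd[1201]: refused connect from 198.51.100.7 (198.51.100.7)
Mar  3 10:02:30 bsdbox mysqld[483]: error: /etc/hosts.allow, line 70: twist option in resident process
Mar  3 10:02:30 bsdbox mysqld[483]: refused connect from 192.0.2.10 (192.0.2.10)
Mar  3 10:05:44 bsdbox mysqld[483]: refused connect from 192.0.2.10 (192.0.2.10)
Mar  3 10:07:01 bsdbox mysqld[483]: refused connect from 192.0.2.12 (192.0.2.12)
EOF
    cat > "$1/hosts.deniedssh" <<'EOF'
# DenyHosts: Mar  3 10:06:00 2010 | sshd: 192.0.2.10
sshd: 192.0.2.10
sshd: 198.51.100.7
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "== daemons that need an allow rule"; refused_daemons "$tmp/auth.log"
    echo "== twist errors"; twist_errors "$tmp/auth.log"
    unblock_host 192.0.2.10 "$tmp/hosts.deniedssh"
    echo "== deny file after unblocking 192.0.2.10"; cat "$tmp/hosts.deniedssh"
    rm -rf "$tmp"
}

# Usage: sh denyhosts-triage.sh demo   (or call the functions on the live files)
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On the live system point refused_daemons and twist_errors at /var/log/auth.log and unblock_host at /etc/hosts.deniedssh. Unblocking here only edits the deny file; it does not clear the copy denyhosts keeps in its WORK_DIR.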
This example permits a single IP address access to SWAT (Samba's configuration tool):