Limiting Brute force SSH attempts with denyhosts
I sometimes tire of the constant amateur brute force attempts to break into my machines. One of the ways to limit these attempts on FreeBSD 6.X and PC-BSD, as well as other UNIX-like machines, is by using denyhosts together with tcpwrappers in inetd. denyhosts can be configured to automatically deny SSH, or ALL services, to a particular host that is busily banging away at an attempt to break into your machine. Naturally, good strong passwords are the best way to limit the possibility of brute force break-ins, but denyhosts has the added benefit of simply cutting the attacker off, and I like that.
On PC-BSD denyhosts is already installed and set up; the only thing left to do is rename the default config file. On standard FreeBSD you'll need to add denyhosts from ports or packages (see further down). Depending on your Linux distro you may already have it; you'll have to research that on your own, and remember that the file locations given here are for FreeBSD.
cp /usr/local/share/denyhosts/denyhosts.cfg-dist /usr/local/share/denyhosts/denyhosts.cfg
then
vi /usr/local/share/denyhosts/denyhosts.cfg
to check the defaults. I enabled synchronization so that mine also fetches data from the sync server, which means uncommenting this line:
# To enable synchronization, you must uncomment the following line:
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
Then start the daemon:
/usr/local/etc/rc.d/denyhosts.sh start
[root@PCBSD /usr/ports/lang/php5]# tail -f /var/log/auth.log
Apr 13 08:30:54 PCBSD sshd[84345]: Failed password for root from 69.15.145.108 port 55955 ssh2
Apr 13 08:30:55 PCBSD sshd[84347]: Failed password for root from 69.15.145.108 port 55986 ssh2
Apr 13 08:30:56 PCBSD sshd[84353]: Failed password for root from 69.15.145.108 port 56017 ssh2
Apr 13 08:30:57 PCBSD sshd[84355]: Failed password for root from 69.15.145.108 port 56048 ssh2
Apr 13 08:30:57 PCBSD sshd[84357]: Failed password for root from 69.15.145.108 port 56079 ssh2
Apr 13 08:30:58 PCBSD sshd[84359]: Failed password for root from 69.15.145.108 port 56110 ssh2
Apr 13 08:30:59 PCBSD sshd[84361]: Failed password for root from 69.15.145.108 port 56140 ssh2
Apr 13 08:31:00 PCBSD sshd[84367]: Failed password for root from 69.15.145.108 port 56173 ssh2
Apr 13 08:31:01 PCBSD sshd[84369]: Failed password for root from 69.15.145.108 port 56203 ssh2
Apr 13 08:31:01 PCBSD sshd[84371]: twist 69.15.145.108 to /bin/echo "Server sshd denied from 69.15.145.108"
As you can see from the logs, it stopped the attempt within seconds.
/var/log/denyhosts contains the daemon's own log entries:
[root@PCBSD /usr/ports/lang/php5]# tail /var/log/denyhosts
2007-04-13 10:36:38,269 - denyhosts : INFO send daemon process a TERM signal to terminate cleanly
2007-04-13 10:36:38,269 - denyhosts : INFO eg. kill -TERM 92229
2007-04-13 10:36:38,272 - denyhosts : INFO monitoring log: /var/log/auth.log
2007-04-13 10:36:38,273 - denyhosts : INFO sync_time: 3600
2007-04-13 10:36:38,274 - denyhosts : INFO daemon_purge: 600
2007-04-13 10:36:38,275 - denyhosts : INFO daemon_sleep: 30
2007-04-13 10:36:38,276 - denyhosts : INFO purge_sleep_ratio: 20
2007-04-13 10:36:38,276 - denyhosts : INFO denyhosts synchronization disabled
2007-04-13 10:46:38,310 - denyfileutil: INFO purging entries older than: Fri Apr 13 10:26:38 2007
2007-04-13 10:46:38,313 - denyfileutil: INFO num entries purged: 0
The blocking itself is done by tcpwrappers via /etc/hosts.allow; make sure you have these entries:
# denyhosts
sshd : /etc/hosts.deniedssh \
: severity auth.info \
: twist /bin/echo "Server %d denied from %h"
: deny
sshd : ALL : allow
If you're not familiar with twist, it is part of tcpwrappers. The twist directive replaces the requested service with some other command, and the command line may use the %d (daemon process name) and %h (client host name or address) expansions, which is how the "Server sshd denied from 69.15.145.108" message in the auth.log above is produced. Because twist replaces the wrapper process with the command, it has to be the last option in a rule; the connection is closed as soon as the command exits. See the docs at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/tcpwrappers.html for more details.
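Two things in this post are easy to get wrong when you set them up yourself: what denyhosts actually extracts from auth.log before it writes a host to /etc/hosts.deniedssh, and how tcpwrappers then evaluates the hosts.allow entries above for an incoming sshd connection. The following Python is an added example (denyhosts is itself written in Python, but this is not denyhosts, tcpwrappers or the post's own code) that re-creates both steps in miniature: it counts "Failed password" lines per source host in a constructed auth.log excerpt modelled on the one above, renders the "sshd: a.b.c.d" lines denyhosts writes, and then walks the post's hosts.allow rules in order, first match wins, expanding %d and %h in the twist command. The threshold of 3 and the addresses 192.0.2.10, 192.0.2.20 and 198.51.100.7 are constructed for the example.

```python
import re
from collections import Counter

# Matches the sshd "Failed password" lines seen in the post's auth.log excerpt,
# with or without the "invalid user" prefix sshd adds for unknown accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample input modelled on the post's excerpt: one host hammering
# root, one host with a single failure, one successful key login, one twist.
SAMPLE_AUTH_LOG = """\
Apr 13 08:30:54 PCBSD sshd[84345]: Failed password for root from 69.15.145.108 port 55955 ssh2
Apr 13 08:30:55 PCBSD sshd[84347]: Failed password for root from 69.15.145.108 port 55986 ssh2
Apr 13 08:30:56 PCBSD sshd[84353]: Failed password for root from 69.15.145.108 port 56017 ssh2
Apr 13 08:30:57 PCBSD sshd[84355]: Failed password for root from 69.15.145.108 port 56048 ssh2
Apr 13 08:30:58 PCBSD sshd[84359]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr 13 08:30:59 PCBSD sshd[84361]: Accepted publickey for alice from 192.0.2.20 port 40002 ssh2
Apr 13 08:31:01 PCBSD sshd[84371]: twist 69.15.145.108 to /bin/echo "Server sshd denied from 69.15.145.108"
"""


def count_failures(log_text):
    """Return a Counter of failed-password attempts keyed by source host."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("host")] += 1
    return failures


def hosts_to_deny(failures, threshold=3):
    """Hosts at or above the (constructed) threshold, sorted for stable output."""
    return sorted(h for h, n in failures.items() if n >= threshold)


def render_deny_file(hosts, daemon="sshd"):
    """Render the 'sshd: host' lines denyhosts writes to /etc/hosts.deniedssh.
    tcpwrappers matches whitespace-separated tokens of such a file, so the
    'sshd:' prefix is simply a token that never matches a client address."""
    return "".join(f"{daemon}: {h}\n" for h in hosts)


# The post's /etc/hosts.allow entries as (daemon list, client list, options).
HOSTS_ALLOW = [
    ("sshd", "/etc/hosts.deniedssh",
     {"severity": "auth.info", "twist": '/bin/echo "Server %d denied from %h"'}),
    ("sshd", "ALL", {"allow": None}),
]


def client_matches(pattern, client_ip, files):
    """One client-list token, per hosts_access(5): ALL matches everything, a
    token beginning with '/' names a file of host patterns, else exact match."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        return any(tok == client_ip for tok in files.get(pattern, "").split())
    return pattern == client_ip


def expand(template, daemon, client_ip):
    """Expand the %d (daemon) and %h (client host) sequences used by twist."""
    return template.replace("%d", daemon).replace("%h", client_ip)


def evaluate(daemon, client_ip, files, rules=HOSTS_ALLOW):
    """Walk the rules in order; the first (daemon, client) match decides.
    Returns ('twist', command), ('deny', None) or ('allow', None). With no
    matching rule at all, FreeBSD's single-file hosts.allow grants access."""
    for daemons, clients, options in rules:
        if daemon not in daemons.split():
            continue
        if not any(client_matches(tok, client_ip, files) for tok in clients.split()):
            continue
        if "twist" in options:
            return ("twist", expand(options["twist"], daemon, client_ip))
        if "deny" in options:
            return ("deny", None)
        return ("allow", None)
    return ("allow", None)


def run_demo(log_text=SAMPLE_AUTH_LOG, threshold=3):
    """Tie both halves together: build the deny file from the log, then show
    what tcpwrappers would do with the next connection from each host."""
    denied = hosts_to_deny(count_failures(log_text), threshold)
    files = {"/etc/hosts.deniedssh": render_deny_file(denied)}
    return {ip: evaluate("sshd", ip, files)
            for ip in ("69.15.145.108", "192.0.2.10", "192.0.2.20")}


if __name__ == "__main__":
    for ip, verdict in run_demo().items():
        print(ip, verdict)
```

The first "Failed password" lines from 69.15.145.108 push it over the threshold, after which the first hosts.allow rule matches it via the file and the twist fires with the same message the post's auth.log shows; hosts under the threshold fall through to the "sshd : ALL : allow" rule.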
On standard FreeBSD 6.x you should find denyhosts in /usr/ports/security/denyhosts, or you may add it as a package with
pkg_add -r denyhosts. Either way you'll still need to rename the dist config file as above.
Good luck and may your log files now be shorter.