Guide On How To Install Denyhosts On FreeBSD

Published: 2017-08-04T09:43:35+00:00

A Step By Step Guide On How To Install Denyhosts On FreeBSD
Installing Denyhosts on FreeBSD is simple and straightforward. Denyhosts watches the sshd log for failed logins and blocks the offending source addresses, which helps you thwart SSH dictionary and brute-force attacks. Because the block is applied through tcp_wrappers (hosts_access(5)), it can be made to cover other wrapped services as well.

Denyhosts is not a firewall. Don’t let yourself be lured into a false sense of security by thinking Denyhosts is the only program you need to secure your server. It is not. It’s a neat program that can help you achieve some level of access control, that’s all; it is not a replacement for a real firewall, and it only ever reacts after an attacker has already produced a number of failed logins. If you really want to secure your server, place it behind a firewall; for optimal security pull it off the network completely. With that in mind, let’s install Denyhosts.

Right, as I was saying, this is quite simple. BATCH=yes accepts the default options for the port and its dependencies, so you should not be asked any questions; if a dialog does appear, just accept the default setting and hit “Ok”.

cd /usr/ports/security/denyhosts && make install clean BATCH=yes

Next, make sure Denyhosts starts at boot time. Add the following 2 lines to /etc/rc.conf:

syslogd_flags="-c"
denyhosts_enable="YES"

The -c flag stops syslogd from collapsing identical messages into “last message repeated N times” lines, which would hide failed logins from Denyhosts. Note that according to syslogd(8) a single -c only applies to log output sent to a pipe; use “-cc” if you want the same behaviour for log files.

Now we need to create the file that will hold the blocked IP addresses. Denyhosts appends to it and tcp_wrappers reads from it.

touch /etc/hosts.deniedssh

And of course we need a whitelist control file as well. Addresses listed here are never blocked, no matter how many failed logins they produce, so put the address you administer the box from in it before you go live, or you can lock yourself out. The file takes one IP address per line.

touch /usr/local/share/denyhosts/data/allowed-hosts

Now we need to modify the /etc/hosts.allow file so that tcp_wrappers reads the blocked IP addresses that Denyhosts is creating. Find the following lines (FreeBSD only consults /etc/hosts.allow; the comment in the file itself warns that the catch-all allow line prevents anything below it from working).

# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you

Because rules are matched on a “first match wins” basis, the deny rule has to go ABOVE the ALL : ALL : allow line; placed below it, it would never be consulted. Insert it like this.

# The rules here work on a "First match wins" basis.
sshd : /etc/hosts.deniedssh : deny
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you

Now we need to tweak the configuration for Denyhosts. Adjust the values to suit your needs. Find the following lines in the configuration file located at /usr/local/etc/denyhosts.conf.

# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
#BLOCK_SERVICE  = sshd

And change them to something like this.

# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE = sshd

It is also possible to block more than one service with a comma-separated list, as below. Keep in mind that the /etc/hosts.allow rule above only wraps sshd, so each additional service needs to be named in a hosts.allow rule pointing at /etc/hosts.deniedssh as well, and it has to be a service that is actually run through tcp_wrappers.

# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
BLOCK_SERVICE = sshd,ftpd

More tweaking. While in the same configuration file, /usr/local/etc/denyhosts.conf, adjust the thresholds for when Denyhosts kicks in. Note that a threshold of 1 for root, as below, blocks a host on its very first failed root login, which is what you want if root logins over SSH are disabled anyway.

####################################################################### 
#
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value.  This value applies to invalid
# user login attempts (eg. non-existent user accounts)
#
DENY_THRESHOLD_INVALID = 5
# 
#######################################################################
 
#######################################################################
#
# DENY_THRESHOLD_VALID: block each host after the number of failed
# login attempts has exceeded this value.  This value applies to valid
# user login attempts (eg. user accounts that exist in /etc/passwd) except
# for the "root" user
#
DENY_THRESHOLD_VALID = 10
#             
#######################################################################

#######################################################################
#            
# DENY_THRESHOLD_ROOT: block each host after the number of failed
# login attempts has exceeded this value.  This value applies to
# "root" user login attempts only.
#            
DENY_THRESHOLD_ROOT = 1
# 
#######################################################################
 
#######################################################################
#
# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed
# login attempts has exceeded this value.  This value applies to
# usernames that appear in the WORK_DIR/restricted-usernames file only.
#
DENY_THRESHOLD_RESTRICTED = 1
#
#######################################################################
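To see how these four thresholds sort actual attempts, here is an added example that is not part of the original guide or of Denyhosts itself: a small sh/awk replay of constructed sshd log lines (the RFC 5737 addresses and user names are made up) that counts failed logins per source host in each category and prints hosts.deny-style lines for every host that reached its threshold. It treats “exceeded” as reaching the configured count, which is an assumption about how Denyhosts compares; the RESTRICTED_USERS variable stands in for the restricted-usernames file, and the function name is this example’s own.

```sh
#!/bin/sh
# Added example (not from the guide or the Denyhosts project): replay sshd
# "Failed password" lines against the four DENY_THRESHOLD_* values and
# print hosts.deny-style lines for hosts that reached one of them.

DENY_THRESHOLD_INVALID=5
DENY_THRESHOLD_VALID=10
DENY_THRESHOLD_ROOT=1
DENY_THRESHOLD_RESTRICTED=1
RESTRICTED_USERS="guest operator"   # stands in for WORK_DIR/restricted-usernames
BLOCK_SERVICE=sshd

# Constructed sample of /var/log/auth.log entries (RFC 5737 test addresses).
SAMPLE_LOG='Aug  4 09:43:01 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug  4 09:43:02 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Aug  4 09:43:03 host sshd[1236]: Failed password for invalid user oracle from 192.0.2.10 port 51236 ssh2
Aug  4 09:43:04 host sshd[1237]: Failed password for invalid user test from 192.0.2.10 port 51237 ssh2
Aug  4 09:43:05 host sshd[1238]: Failed password for invalid user pi from 192.0.2.10 port 51238 ssh2
Aug  4 09:44:00 host sshd[1240]: Failed password for root from 198.51.100.7 port 40000 ssh2
Aug  4 09:44:10 host sshd[1241]: Failed password for bob from 203.0.113.5 port 40001 ssh2
Aug  4 09:44:11 host sshd[1242]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Aug  4 09:44:20 host sshd[1243]: Failed password for guest from 203.0.113.9 port 40003 ssh2
Aug  4 09:44:30 host sshd[1244]: Accepted publickey for bob from 203.0.113.5 port 40004 ssh2'

# denyhosts_offenders: read log lines on stdin, classify each failure as
# invalid / root / restricted / valid, count per source IP and category,
# and print "<BLOCK_SERVICE>: <ip>" for hosts at or over their threshold.
denyhosts_offenders() {
    awk -v ti="$DENY_THRESHOLD_INVALID" -v tv="$DENY_THRESHOLD_VALID" \
        -v tr="$DENY_THRESHOLD_ROOT" -v ts="$DENY_THRESHOLD_RESTRICTED" \
        -v restricted="$RESTRICTED_USERS" -v svc="$BLOCK_SERVICE" '
    BEGIN { n = split(restricted, r, " "); for (i = 1; i <= n; i++) isr[r[i]] = 1 }
    /sshd\[[0-9]+\]: Failed password for / {
        # the source IP follows "from"; the user name precedes it
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
        if ($0 ~ /Failed password for invalid user /) cat = "invalid"
        else if (user == "root")                       cat = "root"
        else if (user in isr)                          cat = "restricted"
        else                                           cat = "valid"
        count[ip, cat]++
    }
    END {
        for (k in count) {
            split(k, p, SUBSEP); ip = p[1]; cat = p[2]
            t = (cat == "invalid") ? ti : (cat == "root") ? tr : (cat == "restricted") ? ts : tv
            # assumption: "exceeded" means the count reached the threshold
            if (count[k] >= t + 0) print svc ": " ip
        }
    }' | sort
}

# Stand-alone run: 192.0.2.10 (5 invalid-user failures), 198.51.100.7 (1 root
# failure) and 203.0.113.9 (1 restricted-user failure) are listed; 203.0.113.5
# (2 failures for the valid user bob) stays under DENY_THRESHOLD_VALID.
printf '%s\n' "$SAMPLE_LOG" | denyhosts_offenders
```

The point to take from the replay is that a single host can be counted in several categories at once, and that the category is decided per line by the user name, not per host; lowering DENY_THRESHOLD_VALID is what catches a slow password-guessing attempt against an account that really exists.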

Once you are done, start up Denyhosts. On FreeBSD the same rc script can also be invoked as “service denyhosts start”.

sh /usr/local/etc/rc.d/denyhosts start
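Here is an added example, not from the original guide or the Denyhosts project, that collects the file edits above into one idempotent sh script. It assumes the security/denyhosts port is already installed and that its data directory is /usr/local/share/denyhosts/data as above; the function names and the ROOT prefix are this example’s own. It puts the sshd deny rule in front of the catch-all ALL : ALL : allow line, because tcp_wrappers stops at the first matching rule, and verifies that ordering before it returns, so a hosts.allow where the rule would be unreachable fails the check.

```sh
#!/bin/sh
# Added example (not from the guide or the Denyhosts project): the file edits
# from this guide as idempotent functions.  Assumes the security/denyhosts
# port is installed and its WORK_DIR is /usr/local/share/denyhosts/data.
# Function names and the ROOT prefix are this example's own invention.

DENY_RULE='sshd : /etc/hosts.deniedssh : deny'

# set_rc FILE KEY VALUE: add KEY="VALUE" to an rc.conf-style file, replacing
# any existing KEY line (sysrc(8) does the same on a live FreeBSD system).
set_rc() {
    f=$1 key=$2 val=$3
    mkdir -p "$(dirname "$f")"; touch "$f"
    if grep -q "^${key}=" "$f"; then
        tmp=$(mktemp)
        grep -v "^${key}=" "$f" > "$tmp" || true   # grep exits 1 when nothing is left
        mv "$tmp" "$f"
    fi
    printf '%s="%s"\n' "$key" "$val" >> "$f"
}

# add_deny_rule FILE: insert the sshd deny rule immediately BEFORE the first
# "ALL : ALL : allow" line.  hosts_access(5) stops at the first matching
# rule, so a deny placed below the catch-all allow is never consulted.
add_deny_rule() {
    f=$1
    mkdir -p "$(dirname "$f")"; touch "$f"
    if grep -qxF "$DENY_RULE" "$f"; then return 0; fi
    tmp=$(mktemp)
    awk -v rule="$DENY_RULE" '
        !done && /^ALL *: *ALL *: *allow/ { print rule; done = 1 }
        { print }
        END { if (!done) print rule }' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# deny_rule_precedes_allow FILE: succeed only if the deny rule is present
# and appears above the catch-all allow, i.e. it can actually match.
deny_rule_precedes_allow() {
    awk -v rule="$DENY_RULE" '
        $0 == rule { seen = 1 }
        /^ALL *: *ALL *: *allow/ { exit }
        END { exit (seen ? 0 : 1) }' "$1"
}

# setup_denyhosts [ROOT]: apply every step; an empty ROOT means the live system.
setup_denyhosts() {
    root=${1:-}
    mkdir -p "$root/etc" "$root/usr/local/share/denyhosts/data"
    set_rc "$root/etc/rc.conf" syslogd_flags "-c"     # "-c" as in the guide; see syslogd(8) for "-cc"
    set_rc "$root/etc/rc.conf" denyhosts_enable YES
    touch "$root/etc/hosts.deniedssh"                  # Denyhosts writes blocked hosts here
    touch "$root/usr/local/share/denyhosts/data/allowed-hosts"   # whitelist, one IP per line
    add_deny_rule "$root/etc/hosts.allow"
    deny_rule_precedes_allow "$root/etc/hosts.allow"
}

# "sh denyhosts-setup.sh run" applies to /; "ROOT=/tmp/scratch sh denyhosts-setup.sh run"
# rehearses against a scratch tree first.
if [ "${1:-}" = run ]; then
    setup_denyhosts "${ROOT:-}" && echo "files in place; now: service denyhosts start"
fi
```

Rehearse with ROOT pointing at an empty directory containing a copy of your /etc/hosts.allow and inspect the result before running it against the live system; on the live box, add your own management address to allowed-hosts before starting the daemon.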

And we are done here. After a while, offending addresses should start showing up in /etc/hosts.deniedssh.
