Scrawls from Preston...

Powered by Pelican.

Wed 11 March 2009

setting up denyhosts to block ssh attacks on Leopard

Deny hosts is a clever python script that will monitor your ssh log file for repeated failed login attempts, and then add the offending hosts to a system blacklist. While you can disable ssh entirely, or move it to a different port, there are reason you may want to keep it available and on a standard port and this tool will help keep the bad guys out.

* download and unpack [tarball](

* su as root

* cd to the unpacked distribution folder and enter the following in terminal:

python install

touch /etc/hosts.deny

cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg

cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control

chmod 700 /usr/share/denyhosts/daemon-control

read on for configuration

**Configure Script**

These are the **MINIMAL** settings for OS X. There are lots of other good options in there including some settings about thresholds and purging, and emailing an admin when a attacker is added to the list. There is also a feature that lets you share your list of attackers with the community, as well as download the community generated blacklist. Using your favorite text editor or the built in pico change the following settings:

pico /usr/share/denyhosts/denyhosts.cfg

look for and change the following:

SECURE_LOG = /var/log/secure.log

LOCK_FILE = /tmp/denyhosts.lock

(strictly speaking - you don't need to do this next part as we will be starting the script with launchd)

pico /usr/share/denyhosts/daemon-control

look for and change the following:

DENYHOSTS_BIN = "/usr/local/bin/"

DENYHOSTS_LOCK = "/tmp/denyhosts.lock"

to test out the daemon you can execute the following:

/usr/bin/env python /usr/local/bin/ --daemon --config=/usr/share/denyhosts/denyhosts.cfg

**To launch the monitoring script automatically**

create and then edit a launchd plist

pico /Library/LaunchDaemons/denyhosts.daemon.plist

and then paste the following:










then to load the plist without logging out or restarting:

launchctl load /Library/LaunchDaemons/denyhosts.daemon.plist

try it out - try logging in as a fake user/bad pw and you should see your IP listed in "/etc/hosts.deny"

simply remove a host from that file if you want to gain access again (or see the configuration notes about purging)