[CentOS] denyhosts

Tue Oct 2 16:43:27 UTC 2007
Mark Weaver <mdw1982 at mdw1982.com>

CentOS List wrote:
> Hi,
> 
> My denyhosts stopped working. How do I check why it isn't working
> anymore for me?
> 
> Thanks
> 
[snipped log entries]

At the risk of alarming you at this point, I strongly recommend you
run chkrootkit on your system. If your system has been compromised,
then that in and of itself warrants a system reload.

After that, if it appears that you haven't been compromised, I would
suggest checking the processes controlling that part of the system;
I'm not sure off the top of my head which those are - sorry
about that. I recently had an experience where my web server was
cracked via the ssh service. I was running it on port 22; however, I
did have it locked down to a degree, meaning I was only accepting
connections from specific IPs or subnets (local), but they still
managed to get in. After reloading the machine (an entire weekend's
worth of work, because the box is specifically configured as a web
and email server), it was only two days before they'd dropped in
another rootkit. Fortunately I caught it before they were able to
compromise any of the critical systems, and I was able to lock
things up real good and clean up the mess.

What I did next has taught me plenty and also contributed to kicking
my own ass for not taking these steps in the past:

1. Changed the port that sshd listens on to a non-standard port. In
my case I changed it to something completely random that isn't
really used for anything else. (Check the /etc/services file for
ports that aren't already assigned.)

2. The second thing I did was Google locking down the ssh service.
The following web address outlines the steps that I used
successfully to accomplish this. All it amounts to is disabling root
logins to the ssh service and the use of passwords to authenticate
to an sshd service. I'm now using keys to authenticate, with very
lengthy pass-phrases, from both Windows and Linux clients.

    a.
http://thinkhole.org/wp/2006/10/30/five-steps-to-a-more-secure-ssh

3. While reading through the above howto I saw what looked like just
the ticket for monitoring ssh attacks on my servers. As I read, it
made more and more sense, so I went there and read some more. After
I was done reading I grabbed the package and installed and configured
it. It's not hard, but it is a little tedious; it works wonderfully.

    b.
http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts

Since taking care of these things I've had no more trouble, and since
installing DenyHosts I haven't had to spend anywhere near the amount
of time making adjustments to my firewall either.

DenyHosts Information:
----------------------------------
http://denyhosts.sourceforge.net/

-- 
Mark

"If you have found a very wise man, then you've found
a man that at one time was an idiot and lived long enough
to learn from his own stupidity."
==============================================
Powered by CentOS5 (RHEL5)
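The three steps in Mark's post (move the sshd port, turn off root and
password logins, let DenyHosts block brute-forcers from the auth log)
can be checked and exercised offline with the added script below. It is
not code from the post, from the linked howtos or from DenyHosts itself:
the two sshd_config fragments and the /var/log/secure lines are
constructed for the example, the OpenSSH defaults assumed for missing
keywords (Port 22, PermitRootLogin yes, PasswordAuthentication yes) are
an assumption, and the failure threshold stands in for the
DENY_THRESHOLD_* settings that DenyHosts exposes in its own config.

```shell
#!/bin/sh
# Added example, not from the original post: audit the sshd settings the
# post recommends, then produce DenyHosts-style /etc/hosts.deny entries
# from sample /var/log/secure lines. All inputs are constructed.

# --- Step 1 and 2: sshd_config audit ---------------------------------
# Constructed "before": the stock settings the post moved away from.
WEAK_CONF='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed "after", per the post: non-standard port, no root logins,
# no password authentication (keys only).
HARDENED_CONF='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# sshd honours the FIRST occurrence of a keyword, so we do the same.
# Commented-out lines start with "#Keyword" and therefore never match.
# $3 is the assumed OpenSSH default used when the keyword is absent.
sshd_setting() {  # $1 = config text, $2 = keyword, $3 = default
    val=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    printf '%s\n' "${val:-$3}"
}

# Returns 0 when all three settings from the post are in place,
# 1 otherwise, printing one FAIL line per offending setting.
audit_sshd() {  # $1 = config text
    rc=0
    port=$(sshd_setting "$1" Port 22)
    root=$(sshd_setting "$1" PermitRootLogin yes)
    pass=$(sshd_setting "$1" PasswordAuthentication yes)
    [ "$port" != "22" ] || { echo "FAIL: Port is still 22"; rc=1; }
    [ "$root" = "no" ]  || { echo "FAIL: PermitRootLogin is $root"; rc=1; }
    [ "$pass" = "no" ]  || { echo "FAIL: PasswordAuthentication is $pass"; rc=1; }
    return $rc
}

# --- Step 3: DenyHosts-style parsing of /var/log/secure --------------
# Constructed sample lines in the syslog format CentOS 5 sshd writes.
# Two sources: a dictionary attacker and a legitimate user who typed a
# bad password once and then logged in with a key.
SAMPLE_LOG='Oct  2 16:40:01 web sshd[4120]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct  2 16:40:03 web sshd[4122]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct  2 16:40:05 web sshd[4125]: Failed password for root from 203.0.113.5 port 51244 ssh2
Oct  2 16:40:06 web sshd[4128]: Failed password for mark from 198.51.100.7 port 40001 ssh2
Oct  2 16:41:10 web sshd[4130]: Accepted publickey for mark from 198.51.100.7 port 40002 ssh2'

# Count "Failed password" lines per source IP and print every IP at or
# above the threshold as a hosts.deny entry ("sshd: IP"), sorted.
# Only sshd failures are counted; "Accepted ..." lines are ignored.
deny_candidates() {  # $1 = log text, $2 = failure threshold
    printf '%s\n' "$1" | awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print "sshd: " ip }' | sort
}

# Stand-alone run: audit both configs, then list hosts.deny candidates.
echo "== stock sshd_config =="
audit_sshd "$WEAK_CONF" || echo "(stock config fails the audit, as expected)"
echo "== hardened sshd_config =="
audit_sshd "$HARDENED_CONF" && echo "OK: port moved, root and password logins off"
echo "== hosts.deny candidates (>= 3 failures) =="
deny_candidates "$SAMPLE_LOG" 3
```

Two caveats a practitioner would add to the post's steps: moving the
port only helps if the firewall is opened for the new port and closed
for 22 before sshd is restarted (and it is obscurity, not a substitute
for the key-only setting), and hosts.deny entries only take effect for
daemons linked against tcp_wrappers, which sshd on CentOS 5 is; confirm
with `ldd $(which sshd) | grep wrap`. Note also that the legitimate user
above is not listed at threshold 3, which is exactly why DenyHosts makes
the threshold configurable rather than blocking on the first failure.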