Using Denyhosts to secure SSHD
SSH is one of those services you need to really protect. One of the best tools I’ve found to help secure SSH is a python script called DenyHosts.
The script scans your auth.log for failed SSH login attempts, keeps a count per source address, and once an address crosses one of several configurable thresholds it adds that address to a deny list that tcp_wrappers enforces. Installation and configuration couldn’t be easier:
DenyHosts is in the FreeBSD ports tree under the Security category, as security/denyhosts. Just cd to that directory and install it:
# cd /usr/ports/security/denyhosts
# make install clean
This creates the directory “/usr/local/share/denyhosts” and dumps several files in it. For some reason it failed to copy one file for me: denyhosts.py. If this happens to you, do the following (note, you might have to change the version of your installation where I’ve marked it red):
Copy /usr/local/share/denyhosts/denyhosts.cfg-dist to denyhosts.cfg in the same directory and edit it to your liking. This is where all of your thresholds (DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID, DENY_THRESHOLD_ROOT) are defined.
For a FreeBSD installation, you must also make the following changes to the config file:
- Comment out the Red Hat log file location (the default SECURE_LOG = /var/log/secure line)
- Uncomment the Mandrake or FreeBSD section and change it to:
SECURE_LOG = /var/log/auth.log
- Set the following:
HOSTS_DENY = /etc/hosts.evil
DenyHosts itself only maintains the list of offending addresses; the actual blocking is done by tcp_wrappers, which sshd consults through the hosts.allow file. By default this file permits anyone to access any service. It is read from top to bottom and the first matching rule is acted on.
Near the top of the file is the line that permits anyone to access anything. Comment it out:
#ALL : ALL : allow
(tcp_wrappers grants access when no rule matches, so commenting out the catch-all does not by itself deny anything; it only stops that line from matching before the sshd rules you are about to add.)
Now locate the section that states “Wrapping sshd(8) is not normally a good idea” and add the following lines:
sshd : /etc/hosts.evil : deny
sshd : ALL : allow
This first checks the connecting address against the contents of /etc/hosts.evil and denies it on a match; if there is no match there, it moves on to the next rule, which allows anyone to access SSH.
If you have trusted hosts that must be able to reach SSH regardless, simply place a line above sshd : /etc/hosts.evil : deny with the IP of the host, e.g. sshd : 192.168.1.5 : allow. Because the first match wins, even if someone mistypes the password from that host often enough for DenyHosts to list it, the deny rule is never reached for it.
It’s a good idea to temporarily add the IP of your workstation if you are configuring DenyHosts over SSH. That way you don’t accidentally lock yourself out of your own machine when you run the test in the next step.
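To make the two halves of the mechanism concrete, here is an added Python example (not DenyHosts’ own code and not from the original post). It counts sshd “Failed password” lines per source address against DenyHosts-style thresholds, and then evaluates a hosts.allow rule set the way tcp_wrappers does, first match wins, with the named file read as a list of host patterns. The auth.log lines, the hosts.allow contents, the 192.168.1.5 trusted host and the threshold values are all constructed for the example; the option names DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT are the ones in denyhosts.cfg, but the values below are the example’s own. The second rule set puts the trusted-host line below the deny line to show the lockout the previous paragraph warns about.

```python
import re
from collections import Counter, defaultdict

# Option names as in denyhosts.cfg; the values are this example's own, not the post's.
THRESHOLDS = {"invalid": 3,   # DENY_THRESHOLD_INVALID: failures for non-existent users
              "valid": 5,     # DENY_THRESHOLD_VALID: failures for existing users
              "root": 1}      # DENY_THRESHOLD_ROOT: failures for root

# Constructed sshd lines in /var/log/auth.log format (sample data, not real traffic).
SAMPLE_AUTH_LOG = """\
Aug  3 10:01:15 gw sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 50211 ssh2
Aug  3 10:01:18 gw sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 50212 ssh2
Aug  3 10:01:21 gw sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Aug  3 10:02:02 gw sshd[1220]: Failed password for root from 198.51.100.9 port 41022 ssh2
Aug  3 10:05:40 gw sshd[1240]: Failed password for bob from 192.168.1.5 port 52010 ssh2
Aug  3 10:05:44 gw sshd[1240]: Failed password for bob from 192.168.1.5 port 52010 ssh2
Aug  3 10:05:50 gw sshd[1240]: Accepted password for bob from 192.168.1.5 port 52010 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")


def count_failures(log_text):
    """Return {ip: Counter(category -> failed attempts)}; non-failure lines are ignored."""
    counts = defaultdict(Counter)
    for m in (FAILED_RE.search(line) for line in log_text.splitlines()):
        if m is None:
            continue
        category = ("invalid" if m.group("invalid")
                    else "root" if m.group("user") == "root" else "valid")
        counts[m.group("ip")][category] += 1
    return counts


def offenders(counts, thresholds=THRESHOLDS):
    """Addresses that reached any threshold: what DenyHosts appends to HOSTS_DENY."""
    return sorted(ip for ip, c in counts.items()
                  if any(c[cat] >= limit for cat, limit in thresholds.items()))


def parse_hosts_allow(text):
    """'daemon : client : action' rules; blank lines and lines starting with # are skipped."""
    lines = [line.strip() for line in text.splitlines()]
    return [tuple(f.strip() for f in r.split(":")) for r in lines if r and not r.startswith("#")]


def _client_matches(pattern, ip, files):
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):   # a file of host patterns (e.g. /etc/hosts.evil), # comments
        tokens = [t for line in files.get(pattern, "").splitlines()
                  for t in line.split("#", 1)[0].replace(",", " ").split()]
        return any(_client_matches(t, ip, files) for t in tokens)
    if pattern.endswith("."):     # leading-octets prefix such as 192.168.1.
        return ip.startswith(pattern)
    return pattern == ip


def hosts_access(rules, daemon, ip, files):
    """First matching rule decides; tcp_wrappers grants access when nothing matches."""
    for rule_daemon, client, action in rules:
        if rule_daemon in ("ALL", daemon) and _client_matches(client, ip, files):
            return action
    return "allow"


# hosts.allow as the post builds it: trusted host, then the deny list, then everyone else.
HOSTS_ALLOW_GOOD = ("#ALL : ALL : allow\nsshd : 192.168.1.5 : allow\n"
                    "sshd : /etc/hosts.evil : deny\nsshd : ALL : allow\n")
# The same rules with the trusted-host line below the deny line: the lockout case.
HOSTS_ALLOW_BAD = ("#ALL : ALL : allow\nsshd : /etc/hosts.evil : deny\n"
                   "sshd : 192.168.1.5 : allow\nsshd : ALL : allow\n")


def evaluate(hosts_allow_text, hosts_evil_text, clients):
    """Decision per client address, with /etc/hosts.evil supplied from memory."""
    rules = parse_hosts_allow(hosts_allow_text)
    return {ip: hosts_access(rules, "sshd", ip, {"/etc/hosts.evil": hosts_evil_text})
            for ip in clients}


if __name__ == "__main__":
    blocked = offenders(count_failures(SAMPLE_AUTH_LOG))
    # Suppose the trusted workstation later tripped DENY_THRESHOLD_VALID as well.
    hosts_evil = "\n".join(blocked + ["192.168.1.5"]) + "\n"
    clients = ["203.0.113.7", "198.51.100.9", "192.168.1.5", "203.0.113.50"]
    print("offenders:", blocked)
    print("trusted host first:", evaluate(HOSTS_ALLOW_GOOD, hosts_evil, clients))
    print("deny line first:   ", evaluate(HOSTS_ALLOW_BAD, hosts_evil, clients))
```

Run it and the attacker with three invalid-user failures and the single root failure are the offenders; with the trusted-host rule above the deny rule 192.168.1.5 is still allowed even though it is listed in hosts.evil, and with the rules swapped it is denied. The file pattern handling is deliberately simple (ALL, exact address, trailing-dot prefix, and a file of those), enough to check rule order before you touch the real /etc/hosts.allow.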
Now you’re ready to test:
If you configured email alerts you should receive an email listing the hosts that have been added to /etc/hosts.evil. If not, check /etc/hosts.evil directly. If nothing is there, then either you have a problem with your config or your machine isn’t frequently the target of SSH attacks (if it is on the Internet and publicly accessible, it is definitely getting attacked, and you more likely have an issue with your system logging).
Once you have everything set the way you like it, you need to set up a cron job to schedule regular passes through your logs by the DenyHosts script. The frequency of your cron job determines how long someone can bang on your SSH daemon before being blocked.
To schedule 20 minute passes:
Also, if you set DenyHosts to purge entries (PURGE_DENY in denyhosts.cfg), you have to schedule a separate purge pass in cron as well. I run it every hour:
At this point you’re done! Couple this with using SSH keys and the sshd_config changes recommended on this post and you’re on your way to a secure SSH daemon.

[...] Utilize the Denyhosts application to protect SSHD by automatically blacklisting attackers. I wrote instructions about how to configure it earlier this year. [...]
By mcwresearch.com » Pay it forward: Locking down SSHd on 08.03.06 10:56 am