I recently deployed a new server to host this and my other websites. Because this is a public-facing server, part of this deployment includes securing the network. To secure SSH I generally limit the users that are allowed to log in to the system using the AllowUsers directive, disallow root login using PermitRootLogin no, and often change the listening port. In addition to all this I also usually deploy the denyhosts service, which watches for brute-force attempts and blocks connections from the offending IPs. With this last deployment I learned about a new (to me) feature of denyhosts called Synchronization Mode. This setting allows your denyhosts installation to send and/or receive IPs that were blocked after brute-force attempts, so your installation can benefit from the shared blocklists of other hosts. In this tutorial I’ll outline the few steps needed to enable denyhosts Synchronization Mode.
Install denyhosts:
First, if you don’t yet have denyhosts installed, it can be added by installing the denyhosts package:
sudo apt-get install denyhosts
From the denyhosts FAQ:
DenyHosts v2.0 and later introduces synchronization mode which allows DenyHosts daemons the ability to transmit denied host data to a central remote server (hosted by denyhosts.net). Additionally, DenyHosts daemons can also receive data that other DenyHosts daemons have sent to the central server.
This feature is intended to provide the ability to proactively deny ip addresses that have attacked other users of DenyHosts. That is, each DenyHosts 2.0 (or later) user can benefit from other users of Denyhosts. Similarly each DenyHosts user can benefit other DenyHosts users.
Enable denyhosts synchronization mode:
By default this option is disabled. Enable it by un-commenting the following line in the config file, /etc/denyhosts.conf:
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
Optional Settings:
Denyhosts Synchronization Mode is configurable. To only provide data to the collective, toggle the SYNC_DOWNLOAD option from yes to no as seen here:
SYNC_DOWNLOAD = no
On the flip side, to only receive data, toggle the SYNC_UPLOAD option from yes to no as seen below:
SYNC_UPLOAD = no
Restart denyhosts:
Once you’ve made these changes you’ll need to restart your denyhosts service:
service denyhosts restart
You can tail the denyhosts log to see that you are receiving updated blocklists. By default these lists are shared each hour.
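The steps above (uncomment SYNC_SERVER, pick a sharing direction, restart) are easy to get wrong by hand on a file full of commented-out examples, so here is an added shell example that applies them to a config file in one go. It is not part of the original post or of the denyhosts project: the helper names dh_get, dh_set and dh_enable_sync are my own, and the sample config it edits is a constructed excerpt written to a temporary directory, not the real /etc/denyhosts.conf. It handles the cases a practitioner hits in practice: a directive that only exists commented out, one that is already active, one that is missing entirely, and look-alike keys such as SYNC_DOWNLOAD_THRESHOLD that must not be touched when SYNC_DOWNLOAD is set.

```shell
#!/bin/sh
# Added example (not from the original post): enable denyhosts
# Synchronization Mode in a denyhosts.conf-style file without
# leaving duplicate or commented-out copies of the directive behind.

# Print the effective (uncommented) value of a directive, or nothing if
# the directive is not set. Commented-out lines are deliberately ignored.
dh_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); v = $0
        }
        END { print v }
    ' "$1"
}

# Set a directive to a value. The first matching line, whether active or
# commented out ("#KEY = ..."), is rewritten; any further copies are
# dropped; if no line matches, the directive is appended. The match
# requires "=" right after the key, so SYNC_DOWNLOAD never matches
# SYNC_DOWNLOAD_THRESHOLD.
dh_set() {
    conf=$1; key=$2; val=$3
    awk -v key="$key" -v val="$val" '
        $0 ~ ("^[ \t]*#*[ \t]*" key "[ \t]*=") {
            if (!done) { print key " = " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " = " val }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Apply the tutorial's steps: point at the central server and choose the
# sharing direction ("both" is the denyhosts default once sync is on,
# "upload" only contributes, "download" only receives).
dh_enable_sync() {
    conf=$1; mode=${2:-both}
    dh_set "$conf" SYNC_SERVER "http://xmlrpc.denyhosts.net:9911"
    case $mode in
        both)     dh_set "$conf" SYNC_UPLOAD yes; dh_set "$conf" SYNC_DOWNLOAD yes ;;
        upload)   dh_set "$conf" SYNC_UPLOAD yes; dh_set "$conf" SYNC_DOWNLOAD no ;;
        download) dh_set "$conf" SYNC_UPLOAD no;  dh_set "$conf" SYNC_DOWNLOAD yes ;;
        *) echo "dh_enable_sync: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Write a constructed excerpt in the style of /etc/denyhosts.conf (this is
# sample input for the demonstration, not the real packaged file).
dh_make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the shipped /etc/denyhosts.conf
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
# To disable synchronization (the default), do not set this option.
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
EOF
}

# Demonstration on a throwaway copy. To apply it for real, run
# dh_enable_sync against /etc/denyhosts.conf as root and then
# "service denyhosts restart" as the post describes.
demo_dir=$(mktemp -d)
dh_make_sample "$demo_dir/denyhosts.conf"
dh_enable_sync "$demo_dir/denyhosts.conf" download
for k in SYNC_SERVER SYNC_UPLOAD SYNC_DOWNLOAD SYNC_DOWNLOAD_THRESHOLD; do
    echo "$k = $(dh_get "$demo_dir/denyhosts.conf" "$k")"
done
rm -rf "$demo_dir"
```

Run it as-is to see the effect on the sample; the "download" mode shown corresponds to the receive-only setup from the post (SYNC_UPLOAD = no), and dh_get is the same check you would do before restarting the service to confirm exactly one active SYNC_SERVER line is present.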