When you have a computer or server running Linux, you need to be able to log into it remotely; if the server is at the office, sometimes it is necessary to connect from home. For that there is the ssh (Secure SHell) protocol, which allows remote administration of machines.
DenyHosts is a script written in Python that helps prevent dictionary attacks, also called brute force attacks, which try to guess usernames and passwords for services, including the ssh protocol.
A typical attack consists of repeated connections using one or several usernames while walking through a dictionary of character combinations that might form the password:
sshd[11081]: Failed password for invalid user dean from ::200.105.227.243 port 42704 ssh2
sshd[11084]: Invalid user unknown from ::200.105.227.243
sshd[11084]: Failed password for invalid user unknown from ::200.105.227.243 port 42772 ssh2
sshd[11086]: Invalid user securityagent from ::200.105.227.243
sshd[11086]: Failed password for invalid user securityagent from ::200.105.227.243 port 42848 ssh2
sshd[11088]: Invalid user tokend from ::200.105.227.243
sshd[11088]: Failed password for invalid user tokend from ::200.105.227.243 port 42912 ssh2
which can be reviewed in the log file:
Redhat or Fedora Core: /var/log/secure
Mandrake, FreeBSD or OpenBSD: /var/log/auth.log
SuSE: /var/log/messages
Mac OS X (v10.4 or greater): /private/var/log/asl.log
Mac OS X (v10.3 or earlier): /private/var/log/system.log
To protect the machine from these attacks, first download DenyHosts; it is available as an rpm and as a tar.gz. I personally prefer the tar.gz, so I downloaded DenyHosts-2.6.tar.gz.
To unpack it, a single command is enough:
tar xvfz DenyHosts-2.6.tar.gz
Now, inside the newly created subdirectory, you will find the files to be installed, the scripts, and the basic reference files such as a README, a CHANGELOG and the license. It is advisable to read the README to get an idea of which steps to follow for a successful installation. There is no NEXT, NEXT, NEXT, EXIT here.
README:
DenyHosts is a utility developed by Phil Schwartz which aims to
thwart sshd (ssh server) brute force attacks.
Please refer to http://www.denyhosts.net/faq.html
INSTALLATION:
=============
SOURCE DISTRIBUTION
===================
If you downloaded the source distribution file (DenyHosts-#.#.#-tar.gz)
then:
$ tar zxvf DenyHosts-#.#.#-tar.gz (Where #.#.# is the version)
$ cd DenyHosts-#.#.#
as root:
# python setup.py install
This will install the DenyHosts modules into python's site-packages
directory.
BINARY DISTRIBUTION (rpm, deb, etc)
===================
It is assumed that you are familiar with installing a binary package
on your particular operating system. If you are unsure how to do
this, you may wish to install from source instead.
ALL DISTRIBUTIONS
=================
Once you have installed DenyHosts, by default the directory
/usr/share/denyhosts will be created and a sample configuration
file will be copied into it. A sample daemon-control script will
also be copied into the /usr/share/denyhosts directory.
DenyHosts requires that a configuration file be created before
it can function. The sample configuration file denyhosts.cfg-dist
contains most of the possible settings and should be copied and
then edited as such:
# cp denyhosts.cfg-dist denyhosts.cfg
# <editor> denyhosts.cfg
(where <editor> is your preferred text editor such as emacs, vi, etc)
The sample configuration file contains informational comments that
should help you quickly configure DenyHosts. After you have
edited your configuration file, save it.
Next, if you intend to run DenyHosts in daemon mode (recommended)
copy the sample daemon-control.dist script as such:
# cp daemon-control-dist daemon-control
Edit the daemon-control file. You should only need to edit this section
near the top:
###############################################
#### Edit these to suit your configuration ####
###############################################
DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
These defaults should be reasonable for many systems. You
should customize these settings to match your particular
system.
Once you have edited the configuration and daemon control files
make sure that the daemon control script is executable (by root).
# chown root daemon-control
# chmod 700 daemon-control
STARTING DENYHOSTS MANUALLY
===========================
Assuming you have configured DenyHosts to run as a daemon, you
can use the daemon-control script to control it:
# daemon-control start
You should refer to the daemon log (typically /var/log/denyhosts)
to ensure that DenyHosts is running successfully. If you
notice any problems you may wish to consult the FAQ at
http://www.denyhosts.net/faq.html
If you wish to run DenyHosts from cron rather than as a
daemon, please refer to the FAQ.
STARTING DENYHOSTS AUTOMATICALLY
================================
METHOD 1 (preferred)
====================
Create a symbolic link from /etc/init.d such as:
# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
If you have chkconfig installed you can then use it to
ensure that DenyHosts runs at boot time:
# chkconfig --add denyhosts
If you do not have chkconfig (or similar) installed you can either manually
create the symlinks in /etc/rc2.d, /etc/rc3.d, /etc/rc5.d but that is beyond
the scope of this document.
METHOD 2
========
Add an entry into the /etc/rc.local file:
/usr/share/denyhosts/daemon-control start
The file denyhosts.cfg is divided into sections:
THESE SETTINGS ARE REQUIRED:
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
# PURGE_DENY: removed HOSTS_DENY entries that are older than this time
# when DenyHosts is invoked with the --purge flag
# PURGE_THRESHOLD: defines the maximum times a host will be purged.
# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY **
# DENY_THRESHOLD_INVALID: block each host after the number of failed login
THESE SETTINGS ARE OPTIONAL
# ADMIN_EMAIL: if you would like to receive emails regarding newly
# SYSLOG_REPORT=YES|NO
# If set to yes, when denied hosts are recorded the report data
# will be sent to syslog (syslog must be present on your system) ***
** More services can be blocked, such as ftp, etc.
# To block all services for the offending host:
#BLOCK_SERVICE = ALL
# To block only sshd:
#BLOCK_SERVICE = sshd
*** Lets you see the denyhosts events in /etc/var/denyhosts.
Once installed, the results are visible immediately:
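To make the threshold logic of the configuration above concrete, here is an added example (not DenyHosts' own code) that does, in miniature, what the daemon does: it scans sshd "Failed password" lines like the ones shown earlier, counts failures per source address, and emits /etc/hosts.deny entries for the BLOCK_SERVICE once DENY_THRESHOLD_INVALID is reached. The log lines, addresses and the DENY_THRESHOLD_ROOT value are constructed for the example.

```python
import re
from collections import Counter

# Constructed sshd log excerpt in the format shown above (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:12 box sshd[11081]: Failed password for invalid user dean from ::ffff:203.0.113.7 port 42704 ssh2
Mar  3 10:01:14 box sshd[11084]: Invalid user unknown from ::ffff:203.0.113.7
Mar  3 10:01:14 box sshd[11084]: Failed password for invalid user unknown from ::ffff:203.0.113.7 port 42772 ssh2
Mar  3 10:01:16 box sshd[11086]: Failed password for invalid user securityagent from ::ffff:203.0.113.7 port 42848 ssh2
Mar  3 10:02:01 box sshd[8777]: Failed password for root from ::ffff:198.51.100.9 port 59306 ssh2
Mar  3 10:02:03 box sshd[8780]: Failed password for root from ::ffff:198.51.100.9 port 59355 ssh2
Mar  3 10:05:40 box sshd[9001]: Accepted publickey for alice from ::ffff:192.0.2.5 port 50000 ssh2
"""

# Thresholds named after the denyhosts.cfg keys; the values are assumptions for this example.
DENY_THRESHOLD_INVALID = 3   # failures for accounts that do not exist
DENY_THRESHOLD_ROOT = 2      # failures against root
BLOCK_SERVICE = "sshd"       # service written into /etc/hosts.deny

# Matches both "Failed password for invalid user X from IP" and "Failed password for root from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Return two Counters keyed by IP: invalid-user failures and root failures."""
    invalid, root = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # "Invalid user" notices and successful logins are not counted
        if m.group("invalid"):
            invalid[m.group("ip")] += 1
        elif m.group("user") == "root":
            root[m.group("ip")] += 1
    return invalid, root

def hosts_to_deny(log_text, thr_invalid=DENY_THRESHOLD_INVALID, thr_root=DENY_THRESHOLD_ROOT):
    """Sorted IPs whose failure count has reached either threshold."""
    invalid, root = count_failures(log_text)
    bad = {ip for ip, n in invalid.items() if n >= thr_invalid}
    bad |= {ip for ip, n in root.items() if n >= thr_root}
    return sorted(bad)

def hosts_deny_lines(log_text, service=BLOCK_SERVICE):
    """Entries in /etc/hosts.deny syntax, e.g. 'sshd: 203.0.113.7'."""
    return [f"{service}: {ip}" for ip in hosts_to_deny(log_text)]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(SAMPLE_LOG)))
```

A single failure from a legitimate host never reaches a threshold, which is why DenyHosts lets you tune these values per account class rather than blocking on the first miss.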
sshd[8777]: Failed password for root from ::200.93.206.154 port 59306 ssh2
sshd[8780]: Failed password for root from ::200.93.206.154 port 59355 ssh2
sshd[8782]: Failed password for root from ::200.93.206.154 port 59418 ssh2
sshd[8784]: Failed password for root from ::200.93.206.154 port 59466 ssh2
sshd[8786]: Failed password for root from ::200.93.206.154 port 59523 ssh2
denyhosts: Added the following hosts to /etc/hosts.deny - 200.93.206.154 (mail.corporacionquezada.com)
denyhosts: Added the following hosts to /etc/hosts.deny - 211.139.113.133 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 63.95.247.12 (ptp.012.kcl.net)
denyhosts: Added the following hosts to /etc/hosts.deny - 203.172.175.98 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 200.69.223.46 (customer.iplannetworks.net)
denyhosts: Added the following hosts to /etc/hosts.deny - 190.144.35.210 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 61.191.54.17 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 200.61.42.46 (200.61.42.46.static.techtelnet.net)
denyhosts: Added the following hosts to /etc/hosts.deny - 147.251.3.196 (perian17.ics.muni.cz)
denyhosts: Added the following hosts to /etc/hosts.deny - 202.10.69.104 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 201.234.204.210 (investamar.com.ec)
denyhosts: Added the following hosts to /etc/hosts.deny - 62.115.65.34 (62-115-65-34.customer.teliacarrier.com)
denyhosts: Added the following hosts to /etc/hosts.deny - 116.38.112.245 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 222.156.220.25 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 62.193.238.62 (wpc2053.host7x24.com)
denyhosts: Added the following hosts to /etc/hosts.deny - 193.4.146.254 (unknown)
denyhosts: Added the following hosts to /etc/hosts.deny - 61.145.247.188 (unknown)
It requires Python; for more information see http://denyhosts.sourceforge.net/
Comments
I installed DenyHosts and it works great; you only have to configure a couple of things, none of them complicated, and in return it helps a lot to have a guardian daemon to block attacks.
Regards, Mr Geek