
Block SSH Server Attacks (Brute Force Attacks) with DenyHosts on RHEL

This time I will cover how to block SSH server attacks (brute force attacks) with DenyHosts on RHEL.

Overview

DenyHosts is a log-based intrusion prevention tool that watches the SSH authentication log for suspicious patterns. The more often SSH logins from a given IP address fail, the more likely that address is to be denied or blocked. DenyHosts was written by Phil Schwartz and is still open source today. It is available for several Unix variants, Linux (including RHEL), and Mac.

Install DenyHosts on CentOS, RHEL, and Fedora

# yum --enablerepo=epel install denyhosts
or
# yum install denyhosts

Configure DenyHosts to Whitelist IP Addresses

nano /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 172.3.25.4
sshd: 172.3.25.5
sshd: 172.3.25.6

Configure DenyHosts for Email Alerts

nano /etc/denyhosts.conf
############ DENYHOSTS REQUIRED SETTINGS ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts

############ DENYHOSTS OPTIONAL SETTINGS ############
ADMIN_EMAIL = ravisaive@tecmint.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <admin@hendro-wibiksono.web.id>
SMTP_SUBJECT = DenyHosts Daily Report

############ DENYHOSTS OPTIONAL SETTINGS ############
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
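To make the three DENY_THRESHOLD_* values above concrete, here is an added example (not from the original post and not DenyHosts' own code) that groups sshd password failures per source IP into the three buckets those settings control: failures for accounts that do not exist (DENY_THRESHOLD_INVALID), failures for existing accounts (DENY_THRESHOLD_VALID), and failures for root (DENY_THRESHOLD_ROOT). It is a simplified re-implementation for illustration; DenyHosts' real parser also recognises other sshd message formats. The log lines are constructed samples and the function names (sample_secure_log, classify_failures) are mine.

```shell
#!/bin/sh
# Added example (not DenyHosts code): count sshd "Failed password" lines
# per source IP in the three buckets behind DENY_THRESHOLD_INVALID,
# DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT, and report every IP that
# reaches the threshold for its bucket.

# Constructed sample of /var/log/secure lines (not a real capture).
sample_secure_log() {
    cat <<'EOF'
Jan 10 10:00:01 rhel7 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jan 10 10:00:02 rhel7 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51235 ssh2
Jan 10 10:00:03 rhel7 sshd[1202]: Failed password for root from 198.51.100.23 port 51236 ssh2
Jan 10 10:00:04 rhel7 sshd[1203]: Failed password for bob from 203.0.113.5 port 40000 ssh2
Jan 10 10:00:05 rhel7 sshd[1204]: Accepted password for bob from 203.0.113.5 port 40001 ssh2
EOF
}

# classify_failures THRESH_INVALID THRESH_VALID THRESH_ROOT < logfile
# Prints "IP bucket count" for each IP whose count reaches the bucket's
# threshold. Output order is not defined (awk hash order), so sort it
# before comparing.
classify_failures() {
    awk -v ti="$1" -v tv="$2" -v tr="$3" '
        # Return the address that follows the word "from" on this line.
        function src_ip(    i) {
            for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
            return ""
        }
        # Most specific patterns first: "invalid user" before the generic form.
        /sshd\[[0-9]+\]: Failed password for invalid user / { inv[src_ip()]++; next }
        /sshd\[[0-9]+\]: Failed password for root from /    { rt[src_ip()]++;  next }
        /sshd\[[0-9]+\]: Failed password for /              { val[src_ip()]++; next }
        END {
            for (ip in rt)  if (rt[ip]  >= tr) print ip, "root",    rt[ip]
            for (ip in inv) if (inv[ip] >= ti) print ip, "invalid", inv[ip]
            for (ip in val) if (val[ip] >= tv) print ip, "valid",   val[ip]
        }'
}

# Stand-alone demo using the thresholds from the configuration above
# (5 invalid, 10 valid, 1 root): only the root failure is reported.
sample_secure_log | classify_failures 5 10 1
```

With the article's thresholds, one failed root login from 198.51.100.23 is already enough to be reported, while two failures for a non-existent user are not; that is the asymmetry DENY_THRESHOLD_ROOT = 1 is there to create. Pipe a real log through the function (for example `classify_failures 5 10 1 < /var/log/secure`) to see which addresses DenyHosts would be expected to block under the same settings.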

Start DenyHosts Service

# systemctl enable denyhosts
# systemctl start denyhosts

View DenyHosts Logs

# tail -f /var/log/secure

How to Remove a Banned IP

Edit the following files:

# vi /etc/hosts.deny
# vi /var/lib/denyhosts/hosts
# vi /var/lib/denyhosts/hosts-restricted
# vi /var/lib/denyhosts/hosts-root
# vi /var/lib/denyhosts/hosts-valid
# vi /var/lib/denyhosts/users-hosts

# systemctl restart denyhosts
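Editing six files by hand is error-prone: leaving the address in any one of the work files lets DenyHosts put it straight back into hosts.deny. The following added example (not from the original post and not DenyHosts' own code) scripts the procedure above: it deletes every line that refers to one IP from hosts.deny and from each work file listed, then reports how many references remain. The DenyHosts documentation recommends stopping the daemon while its files are edited so it cannot write them back, so the wrapper stops the service first and starts it again afterwards. The paths are the ones from this article; the variable and function names (HOSTS_DENY, DENYHOSTS_WORK_DIR, unban_ip, count_ip_refs) are mine.

```shell
#!/bin/sh
# Added example (not DenyHosts code): remove one banned IP from hosts.deny
# and from every DenyHosts work file named above. Paths are the article's;
# override the two variables to work on copies (as the test below does).
set -u

HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"
DENYHOSTS_WORK_DIR="${DENYHOSTS_WORK_DIR:-/var/lib/denyhosts}"

# Every file DenyHosts records a host in. Read at call time so callers can
# repoint the variables before calling.
denyhosts_files() {
    echo "$HOSTS_DENY"
    for f in hosts hosts-restricted hosts-root hosts-valid users-hosts; do
        echo "$DENYHOSTS_WORK_DIR/$f"
    done
}

# Regex that matches the IP as a whole token, so 203.0.113.7 does not also
# match 203.0.113.70 or 1203.0.113.7 (dots are escaped to match literally).
ip_regex() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(^|[^0-9.])%s([^0-9.]|$)' "$esc"
}

# count_ip_refs IP: number of lines across all state files that mention IP.
count_ip_refs() {
    re=$(ip_regex "$1"); total=0
    for f in $(denyhosts_files); do
        [ -f "$f" ] || continue
        n=$(grep -c -E "$re" "$f") || true   # grep -c prints 0 on no match
        total=$((total + n))
    done
    echo "$total"
}

# unban_ip IP: delete every line referring to IP from each state file.
# The file is rewritten through cat so it keeps its owner and mode.
unban_ip() {
    re=$(ip_regex "$1")
    for f in $(denyhosts_files); do
        [ -f "$f" ] || continue
        sed -E "/$re/d" "$f" > "$f.tmp" && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
    done
}

# unban_ip_and_restart IP: the full procedure. DenyHosts is stopped while
# its files are edited so the daemon cannot write the entry back.
unban_ip_and_restart() {
    systemctl stop denyhosts
    unban_ip "$1"
    systemctl start denyhosts
    echo "remaining references to $1: $(count_ip_refs "$1")"
}

# Usage (as root): sh unban.sh 203.0.113.7
if [ "$#" -ge 1 ]; then
    unban_ip_and_restart "$1"
fi
```

The token-boundary regex matters: a plain `grep 203.0.113.7` would also strip 203.0.113.70, silently unbanning a second host. After running it, `count_ip_refs` should report 0 for the address; if it does not, one of the work files was not writable and the ban will come back on the next DenyHosts pass.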

Whitelist IP Addresses Permanently in DenyHosts

# vi /var/lib/denyhosts/allowed-hosts