A Three-Step Guide on How to Secure Your VPS Even Further with DenyHosts


This post is for Ubuntu 18.04. For Ubuntu 20.04, see the GitHub page: https://github.com/denyhosts/denyhosts.

If installation fails with error messages, the following lines might be useful:

sudo apt-get install python3-distutils
sudo apt install python-pip
#or
sudo apt install python3-pip

Apparently more can be done besides SSH public key authentication. This security measure was recommended by Ocnys of pinkorange.red. She went for fail2ban and I went for DenyHosts.


If you haven't secured your SSH login, go and do it now. There is a tutorial on that at yyyyy.life.

Technically that tutorial is enough, but if you check the log files, they will be full of traces left by those fuckers who have nothing better to do in their lives than to release automated SSH attacks.

How annoying.

Let's head them off before they can even make it to the logs.

Step 1: Installing Denyhosts

sudo apt update
sudo apt install denyhosts

Step 2: Configure Denyhosts

sudo nano /etc/denyhosts.conf
BLOCK_SERVICE=sshd
DENY_THRESHOLD_INVALID=2
DENY_THRESHOLD_VALID=5
DENY_THRESHOLD_ROOT=1
AGE_RESET_VALID=5d
AGE_RESET_INVALID=

The settings explained. The following is an excerpt from Linux Networking Cookbook by Carla Schroder, Chapter 7, "Secure Remote Administration with SSH":

You may use DenyHosts to protect SSH, or all services with BLOCK_SERVICE = ALL.

BLOCK_SERVICE=sshd

Login attempts on nonexistent accounts get two chances before they are blocked. Because the accounts do not exist, blocking them won’t hurt anything.

DENY_THRESHOLD_INVALID=2

Login attempts on legitimate accounts get five chances. Adjust as needed for fat-fingered users.

DENY_THRESHOLD_VALID=5

Root logins get one chance. You should log in as an unprivileged user anyway, then su or sudo if you need rootly powers.

DENY_THRESHOLD_ROOT=1

Allowed users are unblocked after 5 days, if they went all fat-fingered and got locked out.

AGE_RESET_VALID=5d

Invalid blocked users are never unblocked.

AGE_RESET_INVALID=
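
How the three DENY_THRESHOLD values above play out against a log, as an added example that is not part of the original post, the quoted book, or the DenyHosts code base. It is a simplified model that assumes a host is denied once its failed-login count exceeds the threshold for that account type; the log lines, IP addresses, user names and function names are constructed for illustration.

```python
"""Simplified model of the DenyHosts thresholds (added example, not DenyHosts code)."""
import re
from collections import Counter

# Threshold values from the Step 2 configuration on this page.
THRESHOLDS = {"invalid": 2, "valid": 5, "root": 1}

# sshd "Failed password" line; "invalid user" marks a nonexistent account.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample auth.log lines (documentation-range IPs, made-up users).
SAMPLE_LOG = """\
Mar  3 04:12:01 vps sshd[2211]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Mar  3 04:12:04 vps sshd[2213]: Failed password for invalid user test from 203.0.113.10 port 51130 ssh2
Mar  3 04:12:07 vps sshd[2215]: Failed password for invalid user oracle from 203.0.113.10 port 51141 ssh2
Mar  3 04:15:30 vps sshd[2230]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 04:15:33 vps sshd[2232]: Failed password for root from 198.51.100.7 port 40031 ssh2
Mar  3 08:01:10 vps sshd[2301]: Failed password for alice from 192.0.2.44 port 60210 ssh2
Mar  3 08:01:15 vps sshd[2301]: Failed password for alice from 192.0.2.44 port 60210 ssh2
Mar  3 08:01:22 vps sshd[2305]: Accepted publickey for alice from 192.0.2.44 port 60214 ssh2
Mar  3 09:40:02 vps sshd[2410]: Failed password for invalid user pi from 203.0.113.99 port 33001 ssh2
Mar  3 09:40:05 vps sshd[2412]: Failed password for invalid user ftp from 203.0.113.99 port 33010 ssh2
""".splitlines()

def classify(match):
    """Map one failed login to the threshold category that applies to it."""
    if match.group("user") == "root":
        return "root"
    return "invalid" if match.group("invalid") else "valid"

def hosts_to_deny(log_lines, thresholds=THRESHOLDS):
    """Return {ip: category}; assumption: deny once count exceeds the threshold."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            counts[(m.group("ip"), classify(m))] += 1
    return {ip: cat for (ip, cat), n in sorted(counts.items())
            if n > thresholds[cat]}

if __name__ == "__main__":
    for ip, cat in hosts_to_deny(SAMPLE_LOG).items():
        print(f"{ip} would be denied ({cat} threshold exceeded)")
```

In this sample, the host with two failures on nonexistent accounts and the mistyping valid user stay under their thresholds, while the host with three invalid-user failures and the host with two root failures are denied.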

Step 3: Restart Denyhosts Service

sudo systemctl restart denyhosts.service
sudo systemctl enable denyhosts.service

Consult Blocked IPs and Log Events for DenyHosts

Optional: Enable Centralized Synchronization Support

sudo nano /etc/denyhosts.conf
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
sudo systemctl restart denyhosts.service