Install Denyhosts on FreeBSD 7.2 to prevent SSH brute force attacks

Sunday, July 11th, 2010

To protect against SSH brute force attacks on FreeBSD you can use denyhosts.
It's easier and lighter to configure than fail2ban or blockhosts, about which I've blogged earlier.
Denyhosts uses /etc/hosts.allow to apply its failed-login filtering, so fortunately you won't need to make any changes to your firewall.
To install denyhosts quickly on FreeBSD, follow the steps below literally:

1. Install Denyhosts using pkg_add or ports

freebsd# cd /usr/ports/security/denyhosts
freebsd# make && make install clean

You will have to follow the installation steps provided after the denyhosts install is completed. I post them here for clarity:

---------------------------------------------------------
To run denyhosts from startup, add denyhosts_enable="YES"
in your /etc/rc.conf.
Configiration options can be found in %%PREFIX%%/etc/denyhosts.conf
------------------------------------------------------------
In order to proper working of denyhosts
1. edit your /etc/hosts.allow file and add:
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
2. issue the following command if /etc/hosts.deniedssh does not exist yet
touch /etc/hosts.deniedssh
------------------------------------------------------------
Warning:

syslogd should ideally be run with the -c option; this will ensure that
denyhosts notices multiple repeated login attempts.

To do this, add syslogd_flags="-c" to /etc/rc.conf
------------------------------------------------------------

With the above instructions in mind, finalize the installation by issuing:

freebsd# echo 'denyhosts_enable="YES"' >> /etc/rc.conf
freebsd# echo 'syslogd_flags="-c"' >> /etc/rc.conf

Next, edit /usr/local/etc/denyhosts.conf and make sure you set the variables HOSTS_DENY and BLOCK_SERVICE.
The two variables should be set to the values shown below:

HOSTS_DENY = /etc/hosts.evil
BLOCK_SERVICE =

Thereafter edit /etc/hosts.allow and include the directives:

sshd: /etc/hosts.evil: deny
sshd: ALL : allow

This completes the denyhosts configuration; we still need to create the /etc/hosts.evil file.

freebsd# touch /etc/hosts.evil

All that is left is to launch the denyhosts (Python) service via its init script and restart syslogd.
After that, denyhosts will start blocking failed SSH logins.

So let's restart syslog and start denyhosts:

freebsd# /etc/rc.d/syslogd restart
freebsd# /usr/local/etc/rc.d/denyhosts start
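
Rules in hosts.allow are evaluated first-match, and the stock FreeBSD /etc/hosts.allow begins with an "ALL : ALL : allow" line that would shadow the sshd deny rule. The following check is an added example, not part of the original post or of denyhosts: check_wrappers is a hypothetical helper name, and the sample files are constructed in a temp directory standing in for /etc.

```shell
#!/bin/sh
# Added example (not from the original post): audit the tcp_wrappers rules
# that denyhosts depends on. check_wrappers is a hypothetical helper name.
#
# Usage: check_wrappers <hosts.allow path> <deny-list path>
# Returns 0 if the deny-list file exists and "sshd : <deny-list> : deny"
# is reached before any rule that allows sshd (or ALL) from ALL.
check_wrappers() {
    allow_file=$1
    deny_file=$2
    [ -f "$deny_file" ] || { echo "missing: $deny_file" >&2; return 1; }
    awk -v deny="$deny_file" '
        /^[ \t]*#/ { next }                 # comment
        /^[ \t]*$/ { next }                 # blank line
        {
            n = split($0, f, ":")
            for (i = 1; i <= n; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
            if (f[1] != "sshd" && f[1] != "ALL") next
            # hosts.allow is first-match, so the earliest applicable rule decides
            if (f[2] == deny && f[n] == "deny") { ok = 1; exit }
            if (f[2] == "ALL" && f[n] == "allow") exit
        }
        END { exit(ok ? 0 : 1) }
    ' "$allow_file"
}

# Constructed sample files in a temp directory standing in for /etc.
SAMPLES=$(mktemp -d)
touch "$SAMPLES/hosts.evil"

# Rules in the order the post gives them.
cat > "$SAMPLES/good.allow" <<EOF
sshd: $SAMPLES/hosts.evil: deny
sshd: ALL : allow
EOF

# Same rules placed after a catch-all allow line; the deny rule is never reached.
cat > "$SAMPLES/shadowed.allow" <<EOF
ALL : ALL : allow
sshd: $SAMPLES/hosts.evil: deny
sshd: ALL : allow
EOF

for f in good shadowed; do
    if check_wrappers "$SAMPLES/$f.allow" "$SAMPLES/hosts.evil"; then
        echo "$f: deny rule is effective"
    else
        echo "$f: deny rule missing or shadowed"
    fi
done
```

On a real host the call would be check_wrappers /etc/hosts.allow /etc/hosts.evil.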

Now script kiddies will have a hard time breaking into your server by guessing your user passwords with a large word dictionary; if they try, they will soon be filtered by the hosts.deny rules added by denyhosts.

It's also worth noting, as you can see from the denyhosts.conf file, that denyhosts re-adds new IPs to the file with IPs to include in hosts.deny every 30 seconds.

Cheers now! 🙂