
How to improve your Debian VPS security by using DenyHosts and Logwatch

What is DenyHosts?

DenyHosts is a Python script intended to be run by GNU/Linux system administrators and users to help thwart SSH server attacks, also known as dictionary-based attacks and brute-force attacks. It can run as a daemon, automatically block attackers and prevent them from gaining access to your server.

What is LogWatch?

Logwatch is a customizable log analysis system. It parses your system’s logs, creates a report analyzing the areas that you specify, and can send that report by email.

– Installing and configuring DenyHosts

1. Make sure your system is always up-to-date:

apt-get update && apt-get -y upgrade

2. Install DenyHosts by executing the following command:

apt-get -y install denyhosts

Once it is installed, DenyHosts has to be configured. You can use the configuration below, which is tested and works perfectly fine.

3. Back up the original configuration file and create a new one using the following command:

cp /etc/denyhosts.conf{,_ORIG} && cat > /etc/denyhosts.conf <<EOF
#xxxxxx optional options xxxxxx#
ADMIN_EMAIL = your@email.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
#xxxxxx end optional options xxxxxx#

#xxxxxx required options xxxxxx#
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY =
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
#xxxxxx end required options xxxxxx#

#xxxxxx daemon specific options xxxxxx#
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
#xxxxxx end daemon specific options xxxxxx#
EOF

DenyHosts needs a working SMTP service on your server to be able to send you reports via email. All our VPS Hosting Plans come with an already installed and fully working mail server, so if you’re our customer you do not need to worry about this.

4. With all that in place, you’re ready to start DenyHosts by executing:

service denyhosts restart
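
How the DENY_THRESHOLD_* values from the configuration above play out on a log, as an added Python example that is not part of the original tutorial and is not DenyHosts' own code. It assumes a host is denied once its failure count in a category exceeds that category's threshold; the function names, log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Thresholds copied from the denyhosts.conf above (DENY_THRESHOLD_*).
THRESHOLDS = {"root": 1, "invalid": 5, "valid": 10}

# Anchored at end of line so text inside the user name field cannot be
# mistaken for the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def _line(msg):
    return f"May  1 10:00:00 vps sshd[1001]: {msg}"

# Constructed sample auth.log content (documentation IP ranges), not real logs.
SAMPLE_LOG = "\n".join(
    [_line("Failed password for root from 203.0.113.7 port 4242 ssh2")] * 2
    + [_line("Failed password for invalid user admin from 198.51.100.23 port 4000 ssh2")] * 6
    + [_line("Failed password for alice from 192.0.2.50 port 5000 ssh2")] * 3
    + [_line("Failed password for root from 192.0.2.99 port 6000 ssh2")]
    + [_line("Accepted password for alice from 192.0.2.50 port 5001 ssh2")]
)

def count_failures(log_text):
    """Return a Counter keyed by (ip, kind), kind being root/invalid/valid."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        kind = "invalid" if m["invalid"] else ("root" if m["user"] == "root" else "valid")
        counts[m["ip"], kind] += 1
    return counts

def hosts_to_deny(log_text, thresholds=THRESHOLDS):
    """IPs whose failures in any category exceed that category's threshold."""
    # Assumption: a host is denied when its count EXCEEDS the threshold.
    counts = count_failures(log_text)
    return sorted({ip for (ip, kind), n in counts.items() if n > thresholds[kind]})

def hosts_deny_lines(ips, service="ALL"):
    """Format entries in hosts.deny syntax, matching BLOCK_SERVICE = ALL."""
    return [f"{service}: {ip}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_deny(SAMPLE_LOG))))
```

Under this assumption the single mistyped root password from 192.0.2.99 stays below the limit, while a second one would put that address in /etc/hosts.deny for every service, with no expiry because PURGE_DENY is empty.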

– Installing and running LogWatch

1. Install LogWatch using the following command:

apt-get -y install logwatch

Once the installation of LogWatch is complete, proceed with the next step.

2. Set up the LogWatch cron script so it runs on a daily basis. Do not forget to replace ‘your@email.com’ with your actual email address.

cat > /etc/cron.daily/00logwatch <<EOF
#!/bin/bash
test -x /usr/share/logwatch/scripts/logwatch.pl || exit 0
/usr/sbin/logwatch --mailto your@email.com
EOF

3. Restart your cron service:

service cron restart
