Sunday, June 10, 2012

How to Install DenyHosts In Centos-6

[code]# quote the URL (it contains '&') and save it under the name the next step expects
wget -c -O DenyHosts-2.6.tar.gz "http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?r=http%3A%2%2Fsourceforge.net%2Fprojects%2Fdenyhosts%2Ffiles%2Fdenyhosts%2F2.6%2F&ts=1320260346&use_mirror=sunet"
tar -xzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cp daemon-control-dist /etc/init.d/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg
mkdir /usr/share/denyhosts/data
chkconfig --add denyhosts
cp -rp denyhosts.cfg /usr/share/denyhosts/denyhosts.cfg
vi /usr/share/denyhosts/denyhosts.cfg
/etc/rc.d/init.d/denyhosts start
/etc/rc.d/init.d/denyhosts status
[/code]

  1. Configuring DenyHosts
    Now that Denyhosts is up and running, we'll configure and fine-tune it. Open the settings file to proceed.

     vim /usr/share/denyhosts/denyhosts.cfg

    Once the file is opened, look up the following line:


    #PLUGIN_DENY=/usr/bin/true

    Once found, replace it with this line:


    PLUGIN_DENY=/root/notify_isp.rb

    This points to a file that does not exist yet; it will be created in your home folder later in this tutorial, so replace /root with the path of your own home directory.

    Now look up the next lines and uncomment them:


    #SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
    #SYNC_INTERVAL = 1h
    #SYNC_UPLOAD = yes
    #SYNC_DOWNLOAD = yes
    #SYNC_DOWNLOAD_THRESHOLD = 3

  2. Installing prerequisites
    Now we're going to install Ruby, as the script we'll be creating later is written in Ruby.

    sudo apt-get install ruby -y

    We'll also need whois for the script to look up IP-addresses to match e-mail addresses from their ISP.


    sudo apt-get install whois -y

  3. Creating the script
    Now we're going to create the script. I recommend doing that in your home directory.

    touch ~/notify_isp.rb

    Now open the file and fill it with the following script:


[code]#!/usr/bin/ruby

# Ruby DenyHosts plugin to report an attacking host to its ISP's abuse contact.
# DenyHosts calls it as PLUGIN_DENY with the blocked IP as the only argument.
#
#######################################################################################
####### PLEASE READ INSTRUCTIONS: http://github.com/nazar/report-hack-isp/wikis #######
#######################################################################################

require 'net/smtp'

# SMTP server
SMTP_SERVER = 'localhost'
SMTP_PORT = 25

# EMAIL message setup
EMAIL_FROM = 'ADD_YOUR_RETURN_EMAIL_HERE' ####### ADD YOUR ACTUAL EMAIL ADDRESS HERE ##########
EMAIL_SUBJECT = 'Security Alert - Your Server May Have Been Hacked!'
# Leave empty to not send a mail to a CC address
CC = ''
# Same as for the CC address, you probably only need one of these
BCC = ''

# LOG_FILE = SSHD's log file ###### UPDATE THIS TO YOUR ACTUAL SSHD LOG FILE LOCATION #####
# (Debian/Ubuntu log sshd to /var/log/auth.log, CentOS 6 to /var/log/secure)
LOG_FILE = '/var/log/auth.log'

# misc
TIME_LOCALE = 'GMT+1'
EMAIL_LOG_FILE = '/var/log/notify_isp.log' ##### CHECK PERMISSIONS ON DESTINATION DIRECTORY.

# guess apps... override if required
GREP_BIN = `which grep`.strip
CAT_BIN = `which cat`.strip
WHOIS_BIN = `which whois`.strip
HOST_BIN = `which host`.strip
TOUCH_BIN = `which touch`.strip

# check that we have all our BINs
raise 'Could not find grep on your system. Manually configure GREP_BIN' if GREP_BIN == ''
raise 'Could not find cat on your system. Manually configure CAT_BIN' if CAT_BIN == ''
raise 'Could not find whois on your system. Manually configure WHOIS_BIN' if WHOIS_BIN == ''
raise 'Could not find host on your system. Manually configure HOST_BIN' if HOST_BIN == ''
raise 'Could not find touch on your system. Manually configure TOUCH_BIN' if TOUCH_BIN == ''


################# UTILS ########################
# Format a Time as an RFC 2822 style date with numeric UTC offset, for the Date: header.
def time2str( tm )
  # [ruby-list:7928]
  gmt = Time.at(tm.to_i)
  gmt.gmtime
  offset = tm.to_i - Time.local(*gmt.to_a[0,6].reverse).to_i

  sprintf '%s, %s %s %d %02d:%02d:%02d %+.2d%.2d',
          tm.strftime('%a'), tm.mday, tm.strftime('%B'),
          tm.year, tm.hour, tm.min, tm.sec,
          *(offset / 60).divmod(60)
end

# Build the full message (headers + body) sent to one abuse contact.
def get_email_message(to_address, offender, evidence)
  to_cc = CC.length > 0 ? "\nCC: #{CC}" : ''
  to_bcc = BCC.length > 0 ? "\nBCC: #{BCC}" : ''

  # NOTE: the original message template was lost when this page was extracted;
  # the headers and body below are a reconstruction, adjust the wording as you like.
  email_message = <<EMAIL
From: #{EMAIL_FROM}
To: #{to_address}#{to_cc}#{to_bcc}
Subject: #{EMAIL_SUBJECT}
Date: #{time2str(Time.now)}

Hello,

The host #{offender}, which appears to belong to your network, has repeatedly
tried to log in to our server over SSH. Relevant log lines (times are #{TIME_LOCALE}):

#{evidence}

It may have been compromised; please investigate.
EMAIL
  return email_message
end

# Run whois for a host and return the e-mail contacts found in its output.
def get_contacts_for_host(host)
  # NOTE: the start of this function was lost in extraction; the whois call and
  # address scan are a reconstruction of what the surviving lines below rely on.
  result = []
  whois_output = `#{WHOIS_BIN} #{host} 2>/dev/null`
  whois_output.scan(/[\w.+-]+@[\w.-]+\.\w+/) do |email|
    result << email.downcase unless email == nil
  end
  # if contacts include an abuse@ address then only send it to those.
  tmp = result.select { |email| email[/abuse@/] }
  result = tmp if tmp.length > 0
  return result.uniq
end


################# MAIN ##########################

# extract ip/domain from passed parameter
if ARGV.length > 0
  host = ARGV[0]
else
  raise 'No ip address or host given. Exiting'
end
# the argument is interpolated into shell commands below, so only accept
# characters that can occur in an IP address or hostname
raise "Refusing suspicious argument #{host.inspect}" unless host =~ /\A[A-Za-z0-9.:-]+\z/

# make sure the EMAIL_LOG_FILE exists
`#{TOUCH_BIN} #{EMAIL_LOG_FILE}`

# extract all email contacts for given host
contacts = get_contacts_for_host(host)

# lookup top level domain name and extract domain contact info
# if given ip then lookup to hostname
if host[/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/]
  host_domain = `#{HOST_BIN} #{host}`.strip
  if host_domain =~ /not found:/ # no good... no reverse DNS pointer
    host_domain = nil
  else
    host_domain = host_domain[/.+\.(\w+\.\w+)/,1]
  end
else
  host_domain = host[/.+\.(\w+\.\w+)/,1]
end

if host_domain
  domain_contacts = get_contacts_for_host(host_domain)
  contacts.concat(domain_contacts) if domain_contacts.length > 0
end

# filter out duplicates one last time
contacts.uniq!

raise "No email addresses were returned" unless contacts.length > 0

# extract evidence from ssh log file using the reported host as a filter
# (-F: match the address literally, so the dots are not regex wildcards)
evidence = `#{GREP_BIN} -F #{host} #{LOG_FILE}`.strip
raise "No evidence found for #{host}. Aborting" unless evidence.length > 0

# workaround for DenyHosts that runs the plugin every time an IP is added against all blacklisted IPs
sent = `#{GREP_BIN} -F #{host} #{EMAIL_LOG_FILE}`.strip
raise "Host #{host} has already been reported. Not reporting again." if sent.length > 0

# are we CC/BCCing ourselves?
contacts << CC if CC.length > 0
contacts << BCC if BCC.length > 0

# by the time we get here we have evidence against a newly reported host;
# the block form of Net::SMTP.start closes the session when the block ends
Net::SMTP.start(SMTP_SERVER, SMTP_PORT) do |smtp|
  # send email to each returned address
  contacts.each do |email|
    smtp.send_message get_email_message(email, host, evidence), EMAIL_FROM, email
    # log ip address and email (this is what the "already reported" check above reads)
    File.open(EMAIL_LOG_FILE, 'a') do |my_file|
      my_file.puts "Report generated for #{host} on #{Time.now.to_s} and sent to #{email}"
    end
  end
end
[/code]

    Make sure to assign the script the right permissions to make it executable.

[code]chmod a+x notify_isp.rb
[/code]

    Now make sure you have corrected the following lines with values that apply to you.

[code]SMTP_SERVER = 'localhost'
SMTP_PORT = 25
EMAIL_FROM = 'ADD_YOUR_RETURN_EMAIL_HERE' ####### ADD YOUR ACTUAL EMAIL ADDRESS HERE ##########
LOG_FILE = '/var/log/auth.log'
TIME_LOCALE = 'GMT+1'
EMAIL_LOG_FILE = '/var/log/notify_isp.log' ##### CHECK PERMISSIONS ON DESTINATION DIRECTORY.
[/code]

    Note that the default LOG_FILE will probably be right, but you might want to double-check it. Also, the EMAIL_LOG_FILE doesn't exist yet, so next we're going to create it with the proper permissions.


  4. Creating the email log file
    Now that we have created the script, we need to create the log file that you can check later to see whether e-mails are indeed being sent to the ISPs. First, create the empty file:

[code]sudo touch /var/log/notify_isp.log
[/code]

    Now make sure it's assigned the right permissions.

[code]sudo chown root:root /var/log/notify_isp.log; sudo chmod 775 /var/log/notify_isp.log
[/code]


  5. Restart Denyhosts
    Now we need to restart DenyHosts in order to use the script and the other configurations.

[code]sudo service denyhosts restart
[/code]
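As an added example (not part of the original post), here is a small POSIX shell check that verifies the five steps above actually took effect before you rely on them: PLUGIN_DENY points at an executable script rather than the /usr/bin/true placeholder, all five SYNC_ keys are uncommented, and the EMAIL_LOG_FILE named in the script exists and is writable. The config path and setting names are the ones used in this tutorial; the function name is my own.

```shell
#!/bin/sh
# Sanity check for the DenyHosts + notify_isp.rb setup described above.
# Usage: check_denyhosts_setup /usr/share/denyhosts/denyhosts.cfg
# Returns 0 when every check passes, 1 otherwise, printing one line per problem.
check_denyhosts_setup() {
    cfg="$1"
    fail=0
    if [ ! -r "$cfg" ]; then
        echo "FAIL: cannot read config $cfg"
        return 1
    fi
    # 1. PLUGIN_DENY must point at a real, executable script, not the placeholder
    plugin=$(sed -n 's/^PLUGIN_DENY[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    if [ -z "$plugin" ]; then
        echo "FAIL: PLUGIN_DENY is not set (still commented out?)"; fail=1
    elif [ "$plugin" = "/usr/bin/true" ]; then
        echo "FAIL: PLUGIN_DENY still points at the placeholder /usr/bin/true"; fail=1
    elif [ ! -x "$plugin" ]; then
        echo "FAIL: plugin $plugin is missing or not executable (chmod a+x it)"; fail=1
    fi
    # 2. every SYNC_ key from step 1 must be uncommented
    for key in SYNC_SERVER SYNC_INTERVAL SYNC_UPLOAD SYNC_DOWNLOAD SYNC_DOWNLOAD_THRESHOLD; do
        grep -q "^$key[[:space:]]*=" "$cfg" || { echo "FAIL: $key is still commented out"; fail=1; }
    done
    # 3. the script's EMAIL_LOG_FILE must exist and be writable, otherwise the
    #    script cannot record which hosts it has already reported (step 4)
    if [ -n "$plugin" ] && [ -r "$plugin" ]; then
        maillog=$(sed -n "s/^EMAIL_LOG_FILE[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$plugin" | head -n 1)
        if [ -z "$maillog" ]; then
            echo "FAIL: no EMAIL_LOG_FILE setting found in $plugin"; fail=1
        elif [ ! -w "$maillog" ]; then
            echo "FAIL: $maillog is missing or not writable (see step 4)"; fail=1
        fi
    fi
    return "$fail"
}

# Run against the real config when invoked directly with a path argument.
if [ "$#" -gt 0 ]; then
    check_denyhosts_setup "$1"
fi
```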