
Author Topic: Finish my Denyhosts package [$20]  (Read 31613 times)


tommyboy180
Finish my Denyhosts package [$20]
« on: April 23, 2009, 05:11:56 am »
I have started a denyhosts package and do not have the time or knowledge to finish it right now.

Here are the files that I have completed; a good portion of the work is already done. One downside is that I am really off on some code and the xml GUI code is a little lazy. Hopefully this will start it.

Files: http://www.tomschaefer.org/temp/pfsense/denyhosts/

EDIT 23 Apr: Updated, and fixed a typo.
« Last Edit: April 23, 2009, 08:00:59 am by tommyboy180 »
-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

Please support pfBlocker | File Browser | Strikeback

tommyboy180
Re: Finish my Denyhosts package [$20]
« Reply #1 on: April 25, 2009, 08:15:15 am »
To install denyhosts on 1.2.3 RC1 follow the below directions. Unfortunately this method does not work for 1.2.2.

Step 1:
Code:
# pkg_add -r denyhosts
      which will download ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-realease/Latest/denyhosts.tbz
      which will also download dependency ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-realease/All/python25-2.5.2_3.tbz

      Then python reports
            Note that some of the standard modules are provided as separate
            ports since they require extra dependencies:

            bsddb           databases/py-bsddb
            gdbm            databases/py-gdbm
            sqlite3         databases/py-sqlite3
            tkinter         x11-toolkits/py-tkinter

            Install them as needed.
      

      Then denyhosts prints
      
            -------------------------------------------------------------------------------
            To run denyhosts from startup, add denyhosts_enable="YES"
            in your /etc/rc.conf.
            onfigiration options can be found in /usr/local/etc/denyhosts.conf
            -------------------------------------------------------------------------------
            In order to proper working of denyhosts
            1. edit your /etc/hosts.allow file and add:
            sshd : /etc/hosts.deniedssh : deny
            sshd : ALL : allow
            2. issue the following command if /etc/hosts.deniedssh does not exist yet
            touch /etc/hosts.deniedssh
            -------------------------------------------------------------------------------
            Warning:

            syslogd should ideally be run with the -c option; this will ensure that
            denyhosts notices multiple repeated login attempts.

            To do this, add syslogd_flags="-c" to /etc/rc.conf
            -------------------------------------------------------------------------------
Step 2:
Code:
mv /usr/local/etc/rc.d/denyhosts /usr/local/etc/rc.d/denyhosts.sh
      you also need to edit denyhosts.sh in /usr/local/etc/rc.d and change denyhosts_enable="NO" to denyhosts_enable="YES"
      you also need to edit denyhosts.sh in /usr/local/etc/rc.d and change 'command_interpreter="/usr/local/bin/python"' to 'command_interpreter="/usr/local/bin/python2.5"'

Code:
chmod 755 denyhosts.sh
Step 3: in /usr/local/etc/denyhosts.conf and /usr/local/etc/denyhosts.conf-dist
      you also need to change "SECURE_LOG = /var/log/auth.log" to "SECURE_LOG = /var/log/system.log"
      you also need to uncomment BLOCK_SERVICE = ALL (or you can just block ssh)
      you also need to uncomment SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
      
Step 4: add "sshd : /etc/hosts.deniedssh : deny" to /etc/hosts.allow (above ALL : ALL : allow)


Notes:
log is in /var/log/denyhosts
execute
Code:
/usr/local/etc/rc.d/denyhosts.sh start
to start the service or reboot
this has been tested on 1.2.3 RC1 but I cannot get it to install on 1.2.2, I always get an error.
« Last Edit: April 25, 2009, 08:23:33 am by tommyboy180 »

mcrane
Re: Finish my Denyhosts package [$20]
« Reply #2 on: April 26, 2009, 02:05:37 am »
I believe 1.2.2 is FreeBSD 7.0 while 1.2.3 is FreeBSD 7.1. If the denyhosts.tbz is compiled for 7.1 then that may be why it fails on 7.0.

I was short on time on Saturday but I will take a deeper look at the package on Monday.

tommyboy180
Re: Finish my Denyhosts package [$20]
« Reply #3 on: April 26, 2009, 03:55:21 am »
Yep. When I tried to get denyhosts working on 1.2.2 I used the packages-7-stable location. For some odd reason I kept getting an error that was asking for some lib file.
Anyway if you want you can check out my 1.2.2 install script and my 1.2.3 script to see what I was doing. So far I can only get it working on 1.2.3.
http://www.tomschaefer.org/temp/pfsense/denyhosts/

kapara
Re: Finish my Denyhosts package [$20]
« Reply #4 on: May 03, 2009, 07:49:58 pm »
Just out of curiosity... Does this modify a rule on the firewall, like an alias, and update it with a list of IPs, or does it query a list out on the net?

Are you able to create a white list? 
Skype ID:  Marinhd

tommyboy180
Re: Finish my Denyhosts package [$20]
« Reply #5 on: May 04, 2009, 09:14:51 pm »
Hello, it does not modify rules on the firewall. All hosts are checked against the /etc/hosts.deniedssh for access. By default everyone is allowed.
When the system log shows that someone attempted to access ssh or web access many times with a wrong password they are blocked.

The list of IPs can be updated from a net list located on http://xmlrpc.denyhosts.net:9911 but this is optional. You can configure this in the config file.

To create a white list just add a host to the hosts.allow file in the format of "ALL : ALL : allow". For example: "sshd : 192.168.1.100 : allow" will whitelist host 100 for ssh access.
-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

Please support pfBlocker | File Browser | Strikeback
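
The rule ordering discussed in the posts above (the deny line placed above "ALL : ALL : allow", and a whitelist entry in hosts.allow), as an added example that is not part of the thread or of DenyHosts. It is a simplified model of first-match evaluation that handles only ALL, literal IPv4 addresses and a file of addresses; the file contents and addresses are constructed.

```python
def client_matches(pattern, ip, files):
    """Match one client pattern: ALL, a literal IPv4 address, or a /path."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):
        # A pattern beginning with "/" names a file holding more patterns.
        return any(client_matches(p, ip, files) for p in files.get(pattern, []))
    return pattern == ip


def decide(rules, daemon, ip, files):
    """Return the option of the first rule matching both daemon and client."""
    for raw in rules:
        line = raw.split("#", 1)[0].strip()
        fields = [field.strip() for field in line.split(":", 2)]
        if len(fields) != 3:
            continue  # blank, comment-only or malformed line
        daemons, clients, option = fields
        daemon_hit = any(d in ("ALL", daemon)
                         for d in daemons.replace(",", " ").split())
        client_hit = any(client_matches(c, ip, files)
                         for c in clients.replace(",", " ").split())
        if daemon_hit and client_hit:
            return option  # first match wins; later lines are never consulted
    return "allow"  # nothing matched in this file: the model grants access


# Constructed sample data (addresses are illustrative).
DENIED = {"/etc/hosts.deniedssh": ["203.0.113.7", "192.168.1.100"]}
WORKING = [
    "sshd : 192.168.1.100 : allow",        # whitelist entry, above the deny line
    "sshd : /etc/hosts.deniedssh : deny",
    "ALL : ALL : allow",
]
WRONG_ORDER = [
    "ALL : ALL : allow",                   # matches everything first
    "sshd : /etc/hosts.deniedssh : deny",  # never reached
]

if __name__ == "__main__":
    for name, rules in (("working", WORKING), ("wrong order", WRONG_ORDER)):
        for ip in ("203.0.113.7", "192.168.1.100", "198.51.100.9"):
            print(name, ip, decide(rules, "sshd", ip, DENIED))
```

In the model a whitelist entry only protects a host when it sits above the line that references /etc/hosts.deniedssh, because evaluation stops at the first match.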

mcrane
Re: Finish my Denyhosts package [$20]
« Reply #6 on: May 04, 2009, 09:19:52 pm »
tommyboy180: I sent a private message to you. I haven't seen a response yet.

tommyboy180
Re: Finish my Denyhosts package [$20]
« Reply #7 on: June 08, 2009, 06:59:42 pm »
Bounty Still in progress.

submicron

  • Guest
Re: Finish my Denyhosts package [$20]
« Reply #8 on: June 09, 2009, 08:48:08 am »
Did you respond to mcrane's private message?  It sounded like he was interested in taking up the bounty.

tommyboy180
Re: Finish my Denyhosts package [$20]
« Reply #9 on: June 11, 2009, 12:15:25 pm »
Yes I did. I even had the privilege to speak with him on the phone one morning about a month ago. Mcrane has agreed to help me build this package after he has finished some other projects.

We may see this package soon, hopefully.


mcrane
Re: Finish my Denyhosts package [$20]
« Reply #10 on: June 11, 2009, 12:48:07 pm »
Sorry for the delay. I will try to get this done soon.

Vynce
Re: Finish my Denyhosts package [$20]
« Reply #11 on: July 26, 2009, 06:28:43 pm »
Another alternative is denyssh. It's designed for use on FreeBSD with PF. I don't think it's as well maintained or as popular as DenyHosts though.

Keep in mind that pfSense already has sshlockout_pf as well (at least in v1.2). It looks like syslog runs all of its entries through sshlockout_pf. If an entry indicates some kind of ssh login failure, the originating IP is added to the sshlockout table. There is a rule that drops everything from any addresses in the sshlockout table. Every 60 minutes, the sshlockout table is emptied by a cron rule.

Perhaps the DenyHosts package should disable the sshlockout_pf mechanism when it's installed (?).
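
The mechanism described in the post above (each syslog entry is checked for an ssh login failure and the originating address is collected), combined with the repeated-failure threshold described for DenyHosts earlier in the thread, as an added example that is not part of the thread and is not sshlockout_pf's or DenyHosts' code. The log lines, threshold and whitelist are constructed; the message layout assumed is OpenSSH's usual "Failed password for ... from <ip> port <n> ssh2".

```python
import re
from collections import Counter

# The user name in the message is chosen by the remote client, so the source
# address is taken from the fixed tail ("from <ip> port <n> ssh2") and the
# greedy ".*" absorbs whatever the name contains.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?$"
)


def hosts_to_block(lines, threshold=5, whitelist=()):
    """Return addresses that reach `threshold` failures, in the order they do."""
    failures = Counter()
    blocked = []
    for line in lines:
        match = FAILED.search(line.rstrip())
        if match is None:
            continue  # not an ssh password failure
        ip = match.group(1)
        if ip in whitelist:
            continue  # whitelisted hosts are never counted
        failures[ip] += 1
        if failures[ip] == threshold:
            blocked.append(ip)
    return blocked


# Constructed log lines (host name, PIDs, ports and addresses are illustrative).
_P = "Jul 26 18:01:0{} pfsense sshd[41{}]: "
SAMPLE_LOG = [
    _P.format(1, 21) + "Failed password for root from 203.0.113.7 port 50112 ssh2",
    _P.format(2, 22) + "Failed password for admin from 192.168.1.100 port 50200 ssh2",
    _P.format(3, 23) + "Failed password for invalid user test from 203.0.113.7 port 50113 ssh2",
    _P.format(4, 24) + "Failed password for admin from 192.168.1.100 port 50201 ssh2",
    _P.format(5, 25) + "Accepted password for admin from 192.168.1.100 port 50202 ssh2",
    # User name that itself contains "from <address>": only the tail counts.
    _P.format(6, 26) + "Failed password for invalid user root from 198.51.100.9"
                       " from 203.0.113.7 port 50114 ssh2",
    _P.format(7, 27) + "Failed password for admin from 192.168.1.100 port 50203 ssh2",
]

if __name__ == "__main__":
    print(hosts_to_block(SAMPLE_LOG, threshold=3, whitelist={"192.168.1.100"}))
```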

tommyboy180
Re: Finish my Denyhosts package [$20]
« Reply #12 on: July 28, 2009, 02:08:48 pm »
Denyhosts is still the way to go. It's the better choice and it's already ported for FreeBSD.

I took a look at sshlockout_pf. Tested a default install of pfsense 1.2.3 July build and I was able to bruteforce ssh. Nothing locked me out; the only thing that did happen was that after 5 failed attempts pfsense closed the connection, but a new one could be established every time. There is definitely a need for a denyhosts package. I am hoping the package will be created soon.
I also found this link for the people that are installing denyhosts with pkg_add

ermal
Re: Finish my Denyhosts package [$20]
« Reply #13 on: July 29, 2009, 01:02:55 pm »
Newer builds of pfSense 1.2.3+ should be ok with functional sshlockout_pf.

tommyboy180
Re: Finish my Denyhosts package [$20]
« Reply #14 on: July 29, 2009, 01:22:30 pm »
Yes sir. I took a look at it the other day. However, it is nowhere near the functionality of Denyhosts. [EDIT: I still can bruteforce my way into the latest build of 1.2.3]
The one thing that I really love about denyhosts is the option to get and send bad IPs from a central Database. If an IP is attacking you, you can opt in to send that IP to the denyhosts database so millions of other denyhosts users will block that IP with a list update. The same thing the other way around, denyhosts will download a list with IPs that attacked other people and prevent them from attacking you.

Denyhosts doesn't just protect SSH, it also monitors http and more. All auth that occurs on the box is actively monitored.
« Last Edit: July 29, 2009, 01:25:51 pm by tommyboy180 »