Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Install DenyHosts within a FreeNAS Jail

Western Digital Drives - The Preferred Drives of FreeNAS and TrueNAS CORE
Status
Not open for further replies.

Yatti420

Neophyte Sage
Joined
Aug 12, 2012
Messages
1,437
Hi everybody,

I completed taking a look at DenyHosts and thought this would be useful for anybody running SSH over the internet especially with only password protection enabled.. If you take a look at
Code:
cat /var/log/auth.log
on your FN box you will probably see quite a few hosts hammering your server throughout the day.. I wanted a way to automatically filter these hosts and potentially other bad hosts and went looking for a suitable application.. DenyHosts is perfect for giving SSH that little bit of extra edge while providing extra peace of mind.. The install is as follows.. This thread originated from my original discussion
here and applies to FN 9.1.1..

  1. Create a jail applicable for non-pbi software from the WebGUI. An ip shouldn't be required for this setup (unless synch bad hosts required).. Ensure jail startup is automatic..
  2. Still within the GUI create a mount storage point for the jail .. /var/log/ (freenas usb) >>> /var/newlogmount (new denyhosts jail - see image below) ** See Corection Here..
dnhosts.png


3. Using putty(recommended) or the WebGUI shell enter/access into the jail..
denyhosts3.png


4. Review installing non-pbi software. Within the Jail - Install DenyHosts via Freshports with the pkg install command.
Code:
pkg install denyhosts

denyhosts4.png



The following directories are applicable to DenyHosts within the jail..
CONFIG = /usr/local/etc/denyhosts.conf *
WORK_DIR = /usr/local/share/denyhosts/data *
PY SCRIPT =/usr/local/bin/denyhosts.py
RC Jail = /usr/local/etc/rc.d/denyhosts (start/stop/restart/status..)
Hosts.Evil = /etc/hosts.evil*

5.From within the newly crated jail - access the DenyHosts configuration and uncomment the appropriate lines for FreeBSD.. You may have to comment-out the linux specific lines..
SECURE LOG
dnhosts3.png


HOSTS_DENY: the file which contains restricted host access information
HOSTS_DENY = /etc/hosts.evil
dnhosts4.png
** output to new file (hosts.evil) instead of hosts.allow for freebsd and/or linux setup equivalent ..

BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
# To block only sshd:
BLOCK_SERVICE = sshd

LOCK_FILE
# Debian (and FreeBSD)
LOCK_FILE = /var/run/denyhosts.pid

RESET_ON_SUCCESS: If this parameter is set to "yes" then the failed count for the respective ip address will be reset to 0 if the login is successful.
RESET_ON_SUCCESS = yes

I recommend leaving everything else as default currently..

6. Exit the jail using "exit" command. Within base freenas install edit /etc/hosts.allow with the following to instruct ssd to check the hosts.evil file before allowing all other connections.. Find the ALL : ALL : allow (Note full path) and place your deny instruction above.. See below..
dnshosts2.png


Code:
sshd : /mnt/NEWSTORE1/denyhostsjail/etc/hosts.evil : deny
ALL : ALL : allow


Save the new hosts.allow and restart SSH..

7. For a test.. Launch DenyHosts daemon manually within the jail created previously.
Code:
/usr/local/etc/rc.d/denyhosts onestart


8. Verify operations by watching the following logs..
Code:
tail -f /var/log/auth.log
tail -f /var/log/denyhosts


9. When satisfied everything is operational edit rc.conf setup to automatically launch daemon on start-up of jail..
Code:
denyhosts_enable="YES"


10. Exit the jail and mount your freenas USB for config editing..
Code:
mount -uw /


Repeat step #5 - edit /conf/base/etc/hosts.allow to make changes persistent across reboots.. Becareful what you do with USB mounted.. You can brick your system.. This will allow your instruction to check hosts.evil to be re-applied at startup..
dnshosts2.png


11. Verify operations by watching the following logs..
Code:
tail -f /var/log/auth.log
tail -f /var/log/denyhosts

DenyHosts-Freenas.png

11A. I recommend you add a allowed-hosts file to the work directory in order for your local addresses and domains to not be blocked/counted and eventually filtered if you have fat fingers etc.. From within the jail perform the following..
Code:
cd /usr/local/share/denyhosts/data
touch allowed-hosts
ee allowed-hosts


Uncomment the appropriate lines and edit as applicable.. Or append your entries to the bottom of the allowed-hosts file..

Code:
#Allowed Hosts Template
# the following line prevents DenyHosts from blocking IP address 1.1.1.1
#1.1.1.1
#
# The following lines prevent IP addresses 1.1.1.2 and 1.1.1.3 from being blocked
#1.1.1.2
#1.1.1.3
#
# The first 3 parts of the IP address must be provided (eg. 1.2.3.)
# The last part of the IP address can be a wildcard.
# The wildcard can be given with an asterisk -or- as a range.
#
# This line prevents all IP address in the 1.1.1 network from being blocked
# 192.168.0.*
#
# This line prevents IP addresses in the range 1.1.1.6 to 1.1.1.23 from being blocked
# 1.1.1.[6-23]
# the following line prevents DenyHosts from blocking the host foo
#foo
#bar



12. OPTIONAL: Enable synch mode (up/down) and/or purging for known bad hosts & added protection/flexibility..


Note:If you block an ip you didn't intend to via testing shutdown DenyHosts and ssh..First use the WebGUI (or any previously opened/connected putty window) to remove the entry from hosts.evil.. When completed restart ssh / DenyHosts.. You can now start putty then access the work directory and remove the entries from the following files.. If you don't do this when you login again you may be re-added to the hosts.evil as you exceeded thresholds in the past..
Code:
-rw-r--r--  1 root  wheel    165 Oct 27 21:53 hosts
-rw-r--r--  1 root  wheel    327 Oct 27 21:53 hosts-restricted
-rw-r--r--  1 root  wheel    166 Oct 27 21:53 hosts-root
-rw-r--r--  1 root  wheel    164 Oct 27 21:53 hosts-valid
-rw-r--r--  1 root  wheel      0 Oct 27 21:53 suspicious-logins
-rw-r--r--  1 root  wheel    146 Oct 27 21:53 users-hosts
-rw-r--r--  1 root  wheel    1435 Oct 27 21:53 users-invalid
-rw-r--r--  1 root  wheel      65 Oct 27 21:53 users-valid


Edit: My security logs don't look they are being targeted brute forced anymore.. Works great :)
 
Last edited:

Dusan

Neophyte Sage
Joined
Jan 29, 2013
Messages
1,165
  1. Create a jail applicable for non-pbi software from the WebGUI. An ip shouldn't be required for this setup.. Ensure jail startup is automatic..
  2. Still within the GUI create a mount storage point for the jail .. /var/log/ (freenas usb) >>> /var/log (new denyhosts jail - see image below)
I don't think this is a good idea. There is a syslogd running inside the jail that is configured to use /var/log. By mounting the FreeNAS /var/log over the jail /var/log you have two syslogds (the FreeNAS one and the jail one) trying to write into the same set of files.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I don't think this is a good idea. There is a syslogd running inside the jail that is configured to use /var/log. By mounting the FreeNAS /var/log over the jail /var/log you have two syslogds (the FreeNAS one and the jail one) trying to write into the same set of files.
I agree.
 

Yatti420

Neophyte Sage
Joined
Aug 12, 2012
Messages
1,437
I knew this would be a point of contention.. I will re-do the setup shortly changing that directory.. It still works and doesn't appear to be consequences for now.. If the syslog in the jail did write into host var log it would overwrite I assume? I didn't think jail software etc could talk to the host system.. This may be a bigger issue if the logs cycle (can't recreate proper log in proper location?).. I do notice a log appearing on host /var/log/denyhosts - If its magically being written on the USB I can see this becoming a problem with space remaining.. I realize syslog runs in jails is it really required?
 

Dusan

Neophyte Sage
Joined
Jan 29, 2013
Messages
1,165
I didn't think jail software etc could talk to the host system..
The only limit to what a jailed process can do in a mounted storage point are the file system permissions (e.g. if the process runs as root, it can do anything). This is how most people run Transmission. Transmission runs in a jail, but the downloaded files are saved "outside" the jail.
If its magically being written on the USB I can see this becoming a problem with space remaining..
You mounted the host's /var/log in the jail, so whatever you do in the jail also appears outside the jail -- it's the same "physical" location accessed by both the host and the jail. Also, that's not USB, /var is a 150MB ramdisk (/dev/md2).
I realize syslog runs in jails is it really required?
It's not 100% necessary, but if you stop it you lose any logging in the jail.
 

Yatti420

Neophyte Sage
Joined
Aug 12, 2012
Messages
1,437
Ok.. I am going to amend the writeup to change the mount point to a new directory as is good practice.. For simplicity and correct operation this advice should be respected.. Step #2 would be amended to something like /var/log/ (freenas usb) >>> /newlogs/ or /var/newlogs/ etc..

All my logs are successfully captured and seperated oddly.. I send them all to a new jail setup to capture syslog reports using minirsyslogd..I do notice all the files in /var/log/ like its now a "single" mount point..

Edit varlogmnt folder created in root directory of jail and mounted per step 2.. This should resolve any issues..

Code:
###########################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file com
# argument
#
# Redhat or Fedora Core:
#SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
SECURE_LOG = /varlogmnt/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater -
#  also refer to:  http://www.denyhosts.net/faq.html#maco
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
###########################################################
 

RoboKaren

Member
Joined
Apr 8, 2014
Messages
130
p.s. Note that every time you upgrade the Freenas base system, the /base/conf/etc/hosts.allow gets nuked (restored) and so you have to go in and reedit. I was wondering why my box was suddenly getting a ton of hacking attempts....
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, considering that the developer's have been pretty open about letting the world know that using FreeNAS in any situation where it is open to the internet is nothing short of stupid.... yeah.
 

RoboKaren

Member
Joined
Apr 8, 2014
Messages
130
I hardly consider having one sshd port open to the world through my firewall stupid (it's the only open port I have). In any case, denyhosts is one of those things that increases protection, rather than decreasing it.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I hardly consider having one sshd port open to the world through my firewall stupid (it's the only open port I have). In any case, denyhosts is one of those things that increases protection, rather than decreasing it.
You're failing to recognize the fact that the packets coming in, before they are blocked by denyhost, are processed by the OS....

Good luck sir! I'm sure you have many happy days ahead of you with your FreeNAS box!
 

Yatti420

Neophyte Sage
Joined
Aug 12, 2012
Messages
1,437
I suggest running full keys not passwords. . It's definitely a risk just look at Heartbleed.. and cj is right.. Ita not blocked til os first sees and adds to evil list..
 

RoboKaren

Member
Joined
Apr 8, 2014
Messages
130
Yes, only keys for me. In any case, I'm suppose I'm confused about having a network attached storage if you don't ... you know ... connect it to the network. I suppose I could configure my router to set up a VPN port and go through there. But I actually trust FreeBSD/FreeNAS more than I trust Asus's version of OpenVPN. There's risks in everything you do. You could just go entirely off the grid if you're truly paranoid.

k
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, if you don't trust their OpenVPN implementation, you shouldn't trust them at all. Every data packet that goes through your internet goes through your router...

And if you aren't going to trust Asus, then consider something like pfsense. And if you actually consider pfsense(or one of the equivalents), well golly goshness it has it's own OpenVPN support!

So yeah.. gotta draw the line somewhere.

But there's a big difference on the paranoia scale between opening ports and trying to do things right with a VPN(even if you don't want to trust it). Networking Security 101 says don't open ports. /smh
 

Tsaukpaetra

Member
Joined
Jan 7, 2014
Messages
215
So interesting thing I learned about this is that apparently my router must be hacked, since I keep getting login attempts from the gateway IP (192.168.1.1).

No idea how this is getting spoofed like so, but since they're obviously not getting much farther I'm not too worried.

Curious, is there such a way to set up ssh so that /anyone/ can login, but as a fake account that can't do anything inside the jail? I think that would really screw with their heads when their bots report a successful login and they try and find an "empty" system.
 

Yatti420

Neophyte Sage
Joined
Aug 12, 2012
Messages
1,437
Hmm I'm not sure if it's actually coming from your router.. However I've never seen ssh access from that device.. I would assume you have a decent router capable of ssh access itself.. and with old firmware you could leave it vulnerable.. I'd look for firmware updates etc.. In your logs is it 192..x.x.x no matter what?As in the router is taking over all ssh requests inbound? Again doesn't seem right but who knows depending on the router.. You should have root disabled for ssh..

What is the make and model?
 

Tsaukpaetra

Member
Joined
Jan 7, 2014
Messages
215
In your logs is it 192..x.x.x no matter what?As in the router is taking over all ssh requests inbound? Again doesn't seem right but who knows depending on the router.. You should have root disabled for ssh..

What is the make and model?
Oh yeah no, it's not the only one that's showing up, just the one that's weird to be there. ;)
I'm running DD-WRT for the NetGear WRT3700v2, build r24461 (Published 6-23-2014), and ssh is purposely forwarded to the server. I think it might be because whoever's attacking isn't leaving a properly formed source address?
Who knows, since ssh isn't logging anything more detailed.
 

Yatti420

Neophyte Sage
Joined
Aug 12, 2012
Messages
1,437
Yea I could see that.. I'm attacked daily though and have never seen that.. Can you ssh into dd-wrt devices?

Sent from my SGH-I257M using Tapatalk 2
 

Tsaukpaetra

Member
Joined
Jan 7, 2014
Messages
215
Yea I could see that.. I'm attacked daily though and have never seen that.. Can you ssh into dd-wrt devices?
Actually yes, if you enable it. Personally I only turn on SSH if something really weird is happening. Default is Telnet on the internal LAN. I also turn that off unless necessary.
 

Yatti420

Neophyte Sage
Joined
Aug 12, 2012
Messages
1,437
Very odd.. Spoofed requests most likely.. Either way deny hosts should help..
 
Status
Not open for further replies.
Top