Install DenyHosts within a FreeNAS Jail

[Yatti420]

Hi everybody,

I completed taking a look at DenyHosts and thought this would be useful for anybody running SSH over the internet especially with only password protection enabled.. If you take a look at

Code:

cat /var/log/auth.log

on your FN box you will probably see quite a few hosts hammering your server throughout the day.. I wanted a way to automatically filter these hosts and potentially other bad hosts and went looking for a suitable application.. DenyHosts is perfect for giving SSH that little bit of extra edge while providing extra peace of mind.. The install is as follows.. This thread originated from my original discussion here and applies to FN 9.1.1..

1. Create a jail applicable for non-pbi software from the WebGUI. An ip shouldn't be required for this setup (unless synch bad hosts required).. Ensure jail startup is automatic..
2. Still within the GUI create a mount storage point for the jail .. /var/log/ (freenas usb) >>> /var/newlogmount (new denyhosts jail - see image below) ** See Corection Here..

3. Using putty(recommended) or the WebGUI shell enter/access into the jail..

4. Review installing non-pbi software. Within the Jail - Install DenyHosts via Freshports with the pkg install command.

Code:

pkg install denyhosts

The following directories are applicable to DenyHosts within the jail..
CONFIG = /usr/local/etc/denyhosts.conf *
WORK_DIR = /usr/local/share/denyhosts/data *
PY SCRIPT =/usr/local/bin/denyhosts.py
RC Jail = /usr/local/etc/rc.d/denyhosts (start/stop/restart/status..)
Hosts.Evil = /etc/hosts.evil*

5.From within the newly crated jail - access the DenyHosts configuration and uncomment the appropriate lines for FreeBSD.. You may have to comment-out the linux specific lines..
SECURE LOG

HOSTS_DENY: the file which contains restricted host access information
HOSTS_DENY = /etc/hosts.evil

** output to new file (hosts.evil) instead of hosts.allow for freebsd and/or linux setup equivalent ..

BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY
# To block only sshd:
BLOCK_SERVICE = sshd

LOCK_FILE
# Debian (and FreeBSD)
LOCK_FILE = /var/run/denyhosts.pid

RESET_ON_SUCCESS: If this parameter is set to "yes" then the failed count for the respective ip address will be reset to 0 if the login is successful.
RESET_ON_SUCCESS = yes

I recommend leaving everything else as default currently..

6. Exit the jail using "exit" command. Within base freenas install edit /etc/hosts.allow with the following to instruct ssd to check the hosts.evil file before allowing all other connections.. Find the ALL : ALL : allow (Note full path) and place your deny instruction above.. See below..

Code:

sshd : /mnt/NEWSTORE1/denyhostsjail/etc/hosts.evil : deny
ALL : ALL : allow

Save the new hosts.allow and restart SSH..

7. For a test.. Launch DenyHosts daemon manually within the jail created previously.

Code:

/usr/local/etc/rc.d/denyhosts onestart

8. Verify operations by watching the following logs..

Code:

tail -f /var/log/auth.log
tail -f /var/log/denyhosts

9. When satisfied everything is operational edit rc.conf setup to automatically launch daemon on start-up of jail..

Code:

denyhosts_enable="YES"

10. Exit the jail and mount your freenas USB for config editing..

Code:

mount -uw /

Repeat step #5 - edit /conf/base/etc/hosts.allow to make changes persistent across reboots.. Becareful what you do with USB mounted.. You can brick your system.. This will allow your instruction to check hosts.evil to be re-applied at startup..



11. Verify operations by watching the following logs..

Code:

tail -f /var/log/auth.log
tail -f /var/log/denyhosts

11A. I recommend you add a allowed-hosts file to the work directory in order for your local addresses and domains to not be blocked/counted and eventually filtered if you have fat fingers etc.. From within the jail perform the following..

Code:

cd /usr/local/share/denyhosts/data
touch allowed-hosts
ee allowed-hosts

Uncomment the appropriate lines and edit as applicable.. Or append your entries to the bottom of the allowed-hosts file..

Code:

#Allowed Hosts Template
# the following line prevents DenyHosts from blocking IP address 1.1.1.1
#1.1.1.1
#
# The following lines prevent IP addresses 1.1.1.2 and 1.1.1.3 from being blocked
#1.1.1.2
#1.1.1.3
#
# The first 3 parts of the IP address must be provided (eg. 1.2.3.)
# The last part of the IP address can be a wildcard.
# The wildcard can be given with an asterisk -or- as a range.
#
# This line prevents all IP address in the 1.1.1 network from being blocked
# 192.168.0.*
#
# This line prevents IP addresses in the range 1.1.1.6 to 1.1.1.23 from being blocked
# 1.1.1.[6-23]
# the following line prevents DenyHosts from blocking the host foo
#foo
#bar

12. OPTIONAL: Enable synch mode (up/down) and/or purging for known bad hosts & added protection/flexibility..

Note:If you block an ip you didn't intend to via testing shutdown DenyHosts and ssh..First use the WebGUI (or any previously opened/connected putty window) to remove the entry from hosts.evil.. When completed restart ssh / DenyHosts.. You can now start putty then access the work directory and remove the entries from the following files.. If you don't do this when you login again you may be re-added to the hosts.evil as you exceeded thresholds in the past..

Code:

-rw-r--r--  1 root  wheel    165 Oct 27 21:53 hosts
-rw-r--r--  1 root  wheel    327 Oct 27 21:53 hosts-restricted
-rw-r--r--  1 root  wheel    166 Oct 27 21:53 hosts-root
-rw-r--r--  1 root  wheel    164 Oct 27 21:53 hosts-valid
-rw-r--r--  1 root  wheel      0 Oct 27 21:53 suspicious-logins
-rw-r--r--  1 root  wheel    146 Oct 27 21:53 users-hosts
-rw-r--r--  1 root  wheel    1435 Oct 27 21:53 users-invalid
-rw-r--r--  1 root  wheel      65 Oct 27 21:53 users-valid

Edit: My security logs don't look they are being targeted brute forced anymore.. Works great :)

 

[Dusan]

1. Create a jail applicable for non-pbi software from the WebGUI. An ip shouldn't be required for this setup.. Ensure jail startup is automatic..
2. Still within the GUI create a mount storage point for the jail .. /var/log/ (freenas usb) >>> /var/log (new denyhosts jail - see image below)

I don't think this is a good idea. There is a syslogd running inside the jail that is configured to use /var/log. By mounting the FreeNAS /var/log over the jail /var/log you have two syslogds (the FreeNAS one and the jail one) trying to write into the same set of files.

 

[cyberjock]

I don't think this is a good idea. There is a syslogd running inside the jail that is configured to use /var/log. By mounting the FreeNAS /var/log over the jail /var/log you have two syslogds (the FreeNAS one and the jail one) trying to write into the same set of files.

I agree.

 

[Yatti420]

I knew this would be a point of contention.. I will re-do the setup shortly changing that directory.. It still works and doesn't appear to be consequences for now.. If the syslog in the jail did write into host var log it would overwrite I assume? I didn't think jail software etc could talk to the host system.. This may be a bigger issue if the logs cycle (can't recreate proper log in proper location?).. I do notice a log appearing on host /var/log/denyhosts - If its magically being written on the USB I can see this becoming a problem with space remaining.. I realize syslog runs in jails is it really required?

 

[Dusan]

I didn't think jail software etc could talk to the host system..

The only limit to what a jailed process can do in a mounted storage point are the file system permissions (e.g. if the process runs as root, it can do anything). This is how most people run Transmission. Transmission runs in a jail, but the downloaded files are saved "outside" the jail.

If its magically being written on the USB I can see this becoming a problem with space remaining..

You mounted the host's /var/log in the jail, so whatever you do in the jail also appears outside the jail -- it's the same "physical" location accessed by both the host and the jail. Also, that's not USB, /var is a 150MB ramdisk (/dev/md2).

I realize syslog runs in jails is it really required?

It's not 100% necessary, but if you stop it you lose any logging in the jail.

 

[Yatti420]

Ok.. I am going to amend the writeup to change the mount point to a new directory as is good practice.. For simplicity and correct operation this advice should be respected.. Step #2 would be amended to something like /var/log/ (freenas usb) >>> /newlogs/ or /var/newlogs/ etc..

All my logs are successfully captured and seperated oddly.. I send them all to a new jail setup to capture syslog reports using minirsyslogd..I do notice all the files in /var/log/ like its now a "single" mount point..

Edit varlogmnt folder created in root directory of jail and mounted per step 2.. This should resolve any issues..

Code:

###########################################################
#
# SECURE_LOG: the log file that contains sshd logging info
# if you are not sure, grep "sshd:" /var/log/*
#
# The file to process can be overridden with the --file com
# argument
#
# Redhat or Fedora Core:
#SECURE_LOG = /var/log/secure
#
# Mandrake, FreeBSD or OpenBSD:
SECURE_LOG = /varlogmnt/auth.log
#
# SuSE:
#SECURE_LOG = /var/log/messages
#
# Mac OS X (v10.4 or greater -
#  also refer to:  http://www.denyhosts.net/faq.html#maco
#SECURE_LOG = /private/var/log/asl.log
#
# Mac OS X (v10.3 or earlier):
#SECURE_LOG=/private/var/log/system.log
#
###########################################################

 

[RoboKaren]

p.s. Note that every time you upgrade the Freenas base system, the /base/conf/etc/hosts.allow gets nuked (restored) and so you have to go in and reedit. I was wondering why my box was suddenly getting a ton of hacking attempts....

 

[cyberjock]

Well, considering that the developer's have been pretty open about letting the world know that using FreeNAS in any situation where it is open to the internet is nothing short of stupid.... yeah.

 

[RoboKaren]

I hardly consider having one sshd port open to the world through my firewall stupid (it's the only open port I have). In any case, denyhosts is one of those things that increases protection, rather than decreasing it.

 

[cyberjock]

I hardly consider having one sshd port open to the world through my firewall stupid (it's the only open port I have). In any case, denyhosts is one of those things that increases protection, rather than decreasing it.

You're failing to recognize the fact that the packets coming in, before they are blocked by denyhost, are processed by the OS....

Good luck sir! I'm sure you have many happy days ahead of you with your FreeNAS box!

 

[Yatti420]

I suggest running full keys not passwords. . It's definitely a risk just look at Heartbleed.. and cj is right.. Ita not blocked til os first sees and adds to evil list..

 

[RoboKaren]

Yes, only keys for me. In any case, I'm suppose I'm confused about having a network attached storage if you don't ... you know ... connect it to the network. I suppose I could configure my router to set up a VPN port and go through there. But I actually trust FreeBSD/FreeNAS more than I trust Asus's version of OpenVPN. There's risks in everything you do. You could just go entirely off the grid if you're truly paranoid.

k

 

[cyberjock]

Well, if you don't trust their OpenVPN implementation, you shouldn't trust them at all. Every data packet that goes through your internet goes through your router...

And if you aren't going to trust Asus, then consider something like pfsense. And if you actually consider pfsense(or one of the equivalents), well golly goshness it has it's own OpenVPN support!

So yeah.. gotta draw the line somewhere.

But there's a big difference on the paranoia scale between opening ports and trying to do things right with a VPN(even if you don't want to trust it). Networking Security 101 says don't open ports. /smh

 

[Jeroma11]

This is very usefully for me :)

 

[Tsaukpaetra]

So interesting thing I learned about this is that apparently my router must be hacked, since I keep getting login attempts from the gateway IP (192.168.1.1).

No idea how this is getting spoofed like so, but since they're obviously not getting much farther I'm not too worried.

Curious, is there such a way to set up ssh so that /anyone/ can login, but as a fake account that can't do anything inside the jail? I think that would really screw with their heads when their bots report a successful login and they try and find an "empty" system.

 

[Yatti420]

Hmm I'm not sure if it's actually coming from your router.. However I've never seen ssh access from that device.. I would assume you have a decent router capable of ssh access itself.. and with old firmware you could leave it vulnerable.. I'd look for firmware updates etc.. In your logs is it 192..x.x.x no matter what?As in the router is taking over all ssh requests inbound? Again doesn't seem right but who knows depending on the router.. You should have root disabled for ssh..

What is the make and model?

 

[Tsaukpaetra]

In your logs is it 192..x.x.x no matter what?As in the router is taking over all ssh requests inbound? Again doesn't seem right but who knows depending on the router.. You should have root disabled for ssh..

What is the make and model?

Oh yeah no, it's not the only one that's showing up, just the one that's weird to be there. ;)
I'm running DD-WRT for the NetGear WRT3700v2, build r24461 (Published 6-23-2014), and ssh is purposely forwarded to the server. I think it might be because whoever's attacking isn't leaving a properly formed source address?
Who knows, since ssh isn't logging anything more detailed.

 

[Yatti420]

Yea I could see that.. I'm attacked daily though and have never seen that.. Can you ssh into dd-wrt devices?

Sent from my SGH-I257M using Tapatalk 2

 

[Tsaukpaetra]

Yea I could see that.. I'm attacked daily though and have never seen that.. Can you ssh into dd-wrt devices?

Actually yes, if you enable it. Personally I only turn on SSH if something really weird is happening. Default is Telnet on the internal LAN. I also turn that off unless necessary.

 

[Yatti420]

Very odd.. Spoofed requests most likely.. Either way deny hosts should help..