By: Kabayan
At first I was still full of energy, auditing every log, especially auth.log, so it would look like I was busy. But after a while reading logs got tiresome. It was also irritating, whenever I turned on the gateway monitor, to see it full of login attempts bla... bla... bla... In the end a friend gave me an application written in Perl, since he had asked for one for Linux, hehehehe. Idly listing the security ports, I came across this application.
So what is DenyHosts? According to the description in /usr/ports/security/denyhosts/pkg-descr:
DenyHosts is a script intended to be run by *nix system administrators to help thwart ssh server attacks.
If you've ever looked at your ssh log (/var/log/auth.log ) you may be alarmed to see how many hackers attempted to gain access to your server. Denyhosts helps you:
- Parses /var/log/auth.log to find all login attempts
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (eg. sdada) when a login attempt failed.
- Keeps track of each existing user (eg. root) when a login attempt failed.
- Keeps track of each offending host (hosts can be purged )
- Keeps track of suspicious logins
- Keeps track of the file offset, so that you can reparse the same file
- When the log file is rotated, the script will detect it
- Appends /etc/hosts.allow
- Optionally sends an email of newly banned hosts and suspicious logins.
- Resolves IP addresses to hostnames, if you want
Translate that yourselves; here I only want to share the installation and configuration.
1. As usual, go to /usr/ports/security/denyhosts
# cd /usr/ports/security/denyhosts
# make install clean
Let's read some Kho Ping Hoo while waiting for the installation to finish.
2. My denyhosts.conf looks like this:
# ee /usr/local/etc/denyhosts.conf
# The log file the application reads
SECURE_LOG = /var/log/auth.log
# The list of hosts that have been denied
HOSTS_DENY = /etc/hosts.denied
# Lift blocks automatically
PURGE_DENY = 5d # meaning the IP is unblocked again 5 days later
# How many times a host may be purged (unblocked) before it is denied permanently; 0 means no limit
PURGE_THRESHOLD = 0
# Which service(s) to block. Rather than fussing over it, just block everything.
BLOCK_SERVICE = ALL
# How many times an IP may fail with a login name that does not exist
DENY_THRESHOLD_INVALID = 5
# After 10 failures with an existing login name the host is banned automatically; root is handled separately below
DENY_THRESHOLD_VALID = 10
# Special treatment for root: one failed root login and it's BANNED straight away. Nice.
DENY_THRESHOLD_ROOT = 1
# Threshold for the usernames listed in WORK_DIR/restricted-usernames, which get banned automatically
DENY_THRESHOLD_RESTRICTED = 1
# Where denyhosts keeps its data
WORK_DIR = /usr/local/etc/denyhosts/data
# Report suspicious logins even when they come from hosts in allowed-hosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
# The pid/lock file; surely you understand this one
LOCK_FILE = /var/run/denyhosts.pid
So, that's the configuration that is said to matter. The other settings are said to be just additional. One caveat with the HOSTS_DENY file name used above: on FreeBSD, tcp_wrappers acts on what /etc/hosts.allow references, so sshd only honours the bans if hosts.allow contains a rule pointing at that file, for example `ALL : /etc/hosts.denied : deny`. Without it, DenyHosts keeps filling the file while sshd carries on accepting the banned hosts. After the daemon has run for a while, `cat /etc/hosts.denied` should show entries of the form `ALL: <ip>`.
3. Let's run it. The rc script lives in /usr/local/etc/rc.d/; `forcestart` runs it even though denyhosts_enable has not been set in rc.conf yet.
# /usr/local/etc/rc.d/denyhosts forcestart
4. First check whether it's actually running.
# ps ax |grep denyhosts
6589 ?? I 1:28.48 /usr/local/bin/python2.5 /usr/local/bin/denyhosts.py --config /usr/local/etc/denyhosts.conf --daemon
5. It's running. Now just add it to startup.
# ee /etc/rc.conf
denyhosts_enable=YES
6. Let's go to sleep... let the script do its job; no more combing through auth.log.
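To make the thresholds in the configuration above concrete, here is an added example that is not DenyHosts' own code: a simplified re-implementation of its counting logic. It parses sshd failure lines as FreeBSD syslog writes them to /var/log/auth.log, counts failures per host in the three categories DenyHosts distinguishes (non-existent user, existing user, root), applies DENY_THRESHOLD_INVALID=5, DENY_THRESHOLD_VALID=10 and DENY_THRESHOLD_ROOT=1 from the config, and emits the `ALL: <ip>` lines that BLOCK_SERVICE = ALL produces. The restricted-usernames list is left out, the function names are mine, and the log lines are constructed for this example.

```python
"""Simplified DenyHosts-style threshold logic (added example, not DenyHosts code)."""
import re
from collections import defaultdict

# Thresholds copied from the denyhosts.conf in this post.
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
BLOCK_SERVICE = "ALL"

# sshd failure lines as FreeBSD syslog writes them to /var/log/auth.log.
# The optional "invalid user " marks a username that does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>[0-9a-fA-F.:]+) port \d+"
)


def classify(user, invalid):
    """Map one failed attempt to the DenyHosts threshold category."""
    if invalid:
        return "invalid"
    if user == "root":
        return "root"
    return "valid"


def parse_failures(lines):
    """Return {host: {category: count}} for every failed login in `lines`."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not counted
        category = classify(m.group("user"), bool(m.group("invalid")))
        counts[m.group("host")][category] += 1
    return counts


def hosts_to_deny(counts):
    """Hosts whose count in any category has reached that category's threshold."""
    thresholds = {
        "invalid": DENY_THRESHOLD_INVALID,
        "valid": DENY_THRESHOLD_VALID,
        "root": DENY_THRESHOLD_ROOT,
    }
    denied = [
        host
        for host, per_cat in counts.items()
        if any(per_cat[c] >= t for c, t in thresholds.items())
    ]
    return sorted(denied)


def deny_entries(hosts):
    """Lines in the format DenyHosts appends to HOSTS_DENY for BLOCK_SERVICE = ALL."""
    return [f"{BLOCK_SERVICE}: {h}" for h in hosts]


# Constructed sample of auth.log (hypothetical hosts, not a real capture).
SAMPLE_LOG = """\
Mar  3 01:02:03 gw sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Mar  3 01:02:04 gw sshd[1234]: Failed password for invalid user oracle from 10.0.0.5 port 40002 ssh2
Mar  3 01:02:05 gw sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 40003 ssh2
Mar  3 01:02:06 gw sshd[1234]: Failed password for invalid user guest from 10.0.0.5 port 40004 ssh2
Mar  3 01:02:07 gw sshd[1234]: Failed password for invalid user sdada from 10.0.0.5 port 40005 ssh2
Mar  3 01:03:00 gw sshd[1240]: Failed password for root from 192.0.2.9 port 50123 ssh2
Mar  3 01:04:00 gw sshd[1250]: Failed password for kabayan from 198.51.100.7 port 51000 ssh2
Mar  3 01:04:01 gw sshd[1250]: Failed password for kabayan from 198.51.100.7 port 51001 ssh2
Mar  3 01:04:05 gw sshd[1251]: Accepted publickey for kabayan from 198.51.100.7 port 51002 ssh2
""".splitlines()

if __name__ == "__main__":
    # 10.0.0.5 hits the invalid-user threshold, 192.0.2.9 the root threshold;
    # 198.51.100.7 only has two failures for an existing user and stays allowed.
    for entry in deny_entries(hosts_to_deny(parse_failures(SAMPLE_LOG))):
        print(entry)
```

Run against the constructed sample, the script denies 10.0.0.5 (five invalid-user failures) and 192.0.2.9 (a single root failure) while leaving 198.51.100.7 alone, which is exactly why DENY_THRESHOLD_ROOT = 1 is the setting that bites most of the background noise on a gateway.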