
DenyHosts on Snow Leopard

Ever noticed your system log is chock full of this crap?

Jan 31 01:11:43 hostname sandboxd[18371]: sshd(18375) deny mach-per-user-lookup
Jan 31 01:11:46: --- last message repeated 8 times ---
Jan 31 01:11:46 hostname sandboxd[18371]: sshd(18377) deny mach-per-user-lookup
Jan 31 01:11:49: --- last message repeated 8 times ---
Jan 31 01:11:49 hostname sandboxd[18371]: sshd(18379) deny mach-per-user-lookup
Jan 31 01:11:52: --- last message repeated 4 times ---

Check the secure log file and you'll likely find thousands of ssh login attempts from a small number of IP addresses, trying various generic usernames.

Enter DenyHosts. It's a mature, configurable Python script that monitors your log and adds entries to /etc/hosts.deny if things look suspicious.
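
What that monitoring amounts to, as an added example (not DenyHosts' own code): count sshd failure lines per source address and format hosts.deny entries for addresses over a threshold. The sample log lines, the threshold of 3, the allow list and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of secure.log (documentation-range addresses).
SAMPLE_LOG = """\
Jan 31 01:11:43 hostname sshd[18375]: Invalid user admin from 203.0.113.7
Jan 31 01:11:44 hostname sshd[18375]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 31 01:11:46 hostname sshd[18377]: Invalid user test from 203.0.113.7
Jan 31 01:11:49 hostname sshd[18379]: Failed password for root from 203.0.113.7 port 51140 ssh2
Jan 31 01:12:02 hostname sshd[18390]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Jan 31 01:12:10 hostname sshd[18390]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Jan 31 01:12:30 hostname sshd[18401]: Invalid user oracle from 192.0.2.99
"""

# Matches "Invalid user X from IP" and "Failed password for [invalid user] X from IP".
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user (?P<u1>\S+)|"
    r"Failed password for (?:invalid user )?(?P<u2>\S+))"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def suspicious_hosts(log_text, threshold=3, allow=()):
    """Map each source IP with >= threshold failure lines to the names it tried.

    The count is of log lines: one attempt on an unknown user can log both
    an "Invalid user" and a "Failed password" line. Addresses in `allow`
    are never reported, so a fat-fingered admin is not locked out.
    """
    hits, users = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m and m.group("ip") not in allow:
            hits[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("u1") or m.group("u2"))
    return {ip: sorted(users[ip]) for ip in hits if hits[ip] >= threshold}


def hosts_deny_lines(hosts, existing=""):
    """Format tcp_wrappers entries, skipping addresses already in hosts.deny."""
    present = set(re.findall(r"^sshd:\s*(\S+)", existing, re.M))
    return ["sshd: %s" % ip for ip in sorted(hosts) if ip not in present]


if __name__ == "__main__":
    found = suspicious_hosts(SAMPLE_LOG)
    for ip, names in sorted(found.items()):
        print("%s tried: %s" % (ip, ", ".join(names)))
    print("\n".join(hosts_deny_lines(found)))
```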

It's quite portable and there are various instructions for older versions of Mac OS X, but there are a couple of gotchas for Snow Leopard, Mac OS X 10.6, that don't appear to be addressed in one location anywhere else. Here's how to get DenyHosts up and running on OS X 10.6:

  1. Download the tar.gz file from the download page.
  2. Unless you're a command line purist who doesn't need to look up the tar man page every time you use it, just double click the downloaded file to unpack it.
  3. Now drop into Terminal and cd to the freshly unpacked DenyHosts directory.
  4. Run the installer: sudo python setup.py install
  5. Optionally, move the installed files into local: sudo mv /usr/share/denyhosts /usr/local/share/
  6. Change to the install directory: cd /usr/local/share/denyhosts
  7. Copy the example config file: sudo cp denyhosts.cfg-dist denyhosts.cfg
  8. Edit it: sudo vi denyhosts.cfg
  9. Find and set these settings:
    • SECURE_LOG = /private/var/log/secure.log
    • WORK_DIR = /usr/local/share/denyhosts/data
    • LOCK_FILE = /var/run/denyhosts.pid
    • DAEMON_LOG = /private/var/log/denyhosts
  10. Optionally set this to allow entries older than 10 weeks to be removed: PURGE_DENY = 10w
  11. Copy the example run script: sudo cp daemon-control-dist daemon-control
  12. Edit it: sudo vi daemon-control
  13. Find and set these settings:
    • DENYHOSTS_BIN = "/Library/Frameworks/Python.framework/Versions/2.4/bin/denyhosts.py"
    • DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
    • DENYHOSTS_CFG = "/usr/local/share/denyhosts/denyhosts.cfg"
    • PYTHON_BIN = "/usr/bin/env python2.4"
  14. Create the hosts.deny file in case it's not there: sudo touch /etc/hosts.deny
  15. And finally, kick off the daemon: sudo ./daemon-control start
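
A check worth running before step 15, added here and not part of DenyHosts: it reads the settings from steps 9 and 13 and reports paths that do not exist on this machine, such as a DENYHOSTS_BIN under a Python version that is not installed. The function names are hypothetical, and the rule that LOCK_FILE and DENYHOSTS_LOCK must match is an assumption taken from the steps setting both to the same file.

```python
import os
import re

# KEY = value or KEY = "value"; lines starting with # do not match.
ASSIGN = re.compile(r'^[ \t]*([A-Z_]+)[ \t]*=[ \t]*"?([^"\n]*?)"?[ \t]*$', re.M)


def read_settings(text):
    """Parse the assignments used in denyhosts.cfg and daemon-control."""
    return dict(ASSIGN.findall(text))


def in_existing_dir(path):
    return os.path.isdir(os.path.dirname(path))


def preflight(cfg_text, ctl_text, hosts_deny="/etc/hosts.deny"):
    """Return a list of problems; an empty list means the paths line up."""
    cfg, ctl = read_settings(cfg_text), read_settings(ctl_text)
    checks = [
        (cfg, "SECURE_LOG", os.path.isfile),      # log to monitor (step 9)
        (cfg, "LOCK_FILE", in_existing_dir),      # pid file location
        (ctl, "DENYHOSTS_BIN", os.path.isfile),   # script the daemon runs
        (ctl, "DENYHOSTS_CFG", os.path.isfile),   # config handed to it
    ]
    problems = []
    for settings, key, ok in checks:
        value = settings.get(key, "")
        if not value:
            problems.append("%s is not set" % key)
        elif not ok(value):
            problems.append("%s points at a missing path: %s" % (key, value))
    # Assumption: the control script finds the daemon through the same pid file.
    if cfg.get("LOCK_FILE") != ctl.get("DENYHOSTS_LOCK"):
        problems.append("LOCK_FILE and DENYHOSTS_LOCK differ")
    if not os.path.isfile(hosts_deny):
        problems.append("%s does not exist (step 14)" % hosts_deny)
    return problems


if __name__ == "__main__":
    base = "/usr/local/share/denyhosts/"  # install directory from step 6
    try:
        texts = [open(base + n).read() for n in ("denyhosts.cfg", "daemon-control")]
        print("\n".join(preflight(*texts)) or "all paths line up")
    except OSError as err:
        print("cannot read DenyHosts files: %s" % err)
```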

You can monitor progress via the log at /var/log/denyhosts. You could also create a launchd service to ensure the daemon runs at boot up, but if you reboot as rarely as me, you might save yourself 10 minutes and skip it.


Comments

Well this seemed like a glimmer of hope after the macports version didn't seem to want to work. Alas, your method does not work for me. I'm running Snow Leopard 10.6.2 and my OS doesn't come with python 2.4. It has 2.6 instead, and thus the /Library/Frameworks/Python.framework/Versions directory only contains 2.6. I tried adjusting the DENYHOSTS_BIN = "/Library/Frameworks/Python.framework/Versions/2.6/bin/denyhosts.py" and PYTHON_BIN = "/usr/bin/env python2.6" but that didn't work, I get the following message:

starting DenyHosts: /usr/bin/env python2.6 /Library/Frameworks/Python.framework/Versions/2.6/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.6/bin/denyhosts.py", line 5, in <module>
    import DenyHosts.python_version
ImportError: No module named DenyHosts.python_version

Any thoughts?

Jeremy, have a look in

/Library/Frameworks/Python.framework/Versions/2.4/lib/python2.4/site-packages/

or similar for a folder called DenyHosts. Somehow it looks like the bin (denyhosts.py) has been installed in Versions/2.6, but the site-packages hasn't.

Yeah well see, in my /Library/Frameworks/Python.framework/Versions/ I only have 2.6. I didn't think Snow Leopard came with 2.4.

Same problem with MacOSX Server 10.6.2. It doesn't have /Library/Frameworks/Python.framework, but /System/Library/Frameworks/Python.framework. Any solution? Thanks in advance

$ cd /Users/Shared/src/DenyHosts-2.6 #Go to your downloaded source files
$ sudo python setup.py install #Run the installer again

creating /Library/Python/2.6/site-packages/DenyHosts

$ sudo nano /usr/share/denyhosts/daemon-control
---
1. Change first line to #!/usr/bin/python
2. Change PYTHON_BIN to = "/usr/bin/python"
---Ctrl+X (to exit)
$ sudo nano /usr/local/bin/denyhosts.py
---
1. Change first line to #!/usr/bin/python
---Ctrl+X (to exit)

Now there are only these errors left:
org.sourceforge.denyhosts[3862] Error synchronizing data
org.sourceforge.denyhosts[3862] name 'info' is not defined

"port install denyhosts" worked without a hitch except that it didn't "touch /etc/hosts.deny"
It installed python 2.7 first.

This modification of daemon-control appears to have worked (10.6.6):

# start Snow Leopard
DENYHOSTS_BIN = "/Library/Python/2.6/site-packages/DenyHosts/deny_hosts.py"
# DENYHOSTS_BIN = "/Library/Frameworks/Python.framework/Versions/2.4/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
DENYHOSTS_CFG = "/usr/local/share/denyhosts/denyhosts.cfg"
PYTHON_BIN = "/usr/bin/env python2.6"
# changed PYTHON_BIN = "/usr/bin/env python2.4" to 2.6
# end Snow Leopard
