Anybody using DenyHosts with FreeNAS?


Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
Hello everybody,

I was wondering if anybody was using DenyHosts with FreeNAS in order to add some extra security to ssh.. Apart from the standard changing ports or using public/private keys..

I think DenyHosts could be used with FreeNAS but I don't think it will simply work inside of a jail? Perhaps pointing what it needs into the jail and reconfiguring.. Running as a daemon afterwards?

Thanks,
Yatti
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I don't think anyone has. But I think the answer you're probably going to hear the most is "that's not as reliable as SSH public/private keys".

You are right though. The jail is not the proper place for DenyHosts to do its job. And unfortunately, there's only like 10MB of free space on the FreeNAS USB stick, and FreeNAS needs those 10MB to function properly. So implementing it is not going to be easy by any stretch of the imagination.
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
Definitely not as reliable as keys.. But I do unfortunately need SSH on the public side at the moment.. I know DenyHosts is compatible with FreeBSD..

Even using public/private keys this isn't going to stop/block connection attempts?.. DenyHosts would certainly help that.. I believe storage points can work both ways to the jail and from it.. I believe I did this for having minirsyslog so I could check files without digging through the jail directory..
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
I certainly never plan on editing the base FreeNAS install using up remaining USB space.. Unless you wanted to accelerate the disintegration of your pool/nas never install apps/plugins/whatever on the install USB.. Reading more of the DenyHosts FAQ I think this is possible to run in a jail and have full functionality (except maybe email).. I know DenyHosts can be run from cron or as a daemon or called from command line so it's versatile..


I'm going to assume that if I place this in a jail that the jail's hosts.allow would be edited by DenyHosts assuming SSH was running in the jail and bad connection attempts were logged appropriately - everything would work but isolated.. As long as the appropriate FreeNAS base logs could be parsed by the denyhosts daemon it should be able to update the jail's hosts.allow and/or create a naughty hosts file to use..


This user had success except for email which shouldn't be an issue. FreeNAS already handles this log (auth?) in its daily email so if successful a second email shouldn't be necessary.. Not sure if they placed in a jail as user indicates 8.0.2 release version (could be 8.2.0?).. http://forums.freenas.org/threads/denyhosts-and-sending-email.4539/


If I point the appropriate logs into the jail, then configure DenyHosts properly, and afterwards point the output "naughty hosts file" back to base freenas and/or configure sshd to check this "naughty hosts file" within the jail before allowing all other connections, I think this would work as intended.. DenyHosts doesn't watch the socket/port, it uses the logs if I understand it properly.. So if run via cron it should update the file every X minutes? Seems interesting to say the least..

Basically I would probably take this route at first..
1. Create jail as desired.. Install DenyHosts & python dependency..
2. Using jail storage send the appropriate logs to the jail previously created for DenyHosts to read..
3. Configure DenyHosts to read appropriate logs (now linked in the jail).. Configure DenyHosts to create NaughtyHostsFile within the jail..
4. Either configure SSH to read NaughtyHostsFile within the jail or configure FreeNAS jail storage to send NaughtyHostsFile outside of the jail (back to base FreeNAS install/pool)..
5. Finalize the SSH setup depending on step #4.

Maybe would work? Anything I'm missing? This should shorten up the security email considerably for anybody with SSH on the outside..

I'm becoming more impressed with FreeBSD&Jails/FreeNAS every day in terms of what it can do.. The rewrite was definitely worth it.. I was skeptical at first as it seemed Freenas 0.7X had all of the features (torrents etc) implemented albeit probably not in the safest way.. I don't want to advocate poor security practices.. Not using keys and pointing SSH onto the WAN is a risk and you're asking for big trouble without editing the root password..
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
It's in a jail now and seems to be working blocking my sessions rather nicely.. Will verify tomorrow..
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
Here is a screenshot..
 

Attachment: DenyHosts-Freenas.png

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
So are you routing all traffic through the jail/denyhost?
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
No.. All traffic remains as is.. The auth.log (from freenas usb) is sent to the jail where denyhosts reads it.. If it detects too many requests etc it adds (freebsd compatible) sshd : host : deny in a Hosts.evil file.. I mounted my freenas usb in order to edit the hosts.allow (usb install) so sshd will check this Hosts.evil (within the jail) first before allowing the connection through.. I also changed the sshd base config so I don't have to manually do this in the future..

Any jail with SSH enabled can be set up to check this file as well.. I tested DenyHosts sync feature.. Very nice.. Brings in the top nasty hosts based on other users syncing and the database kept here (Disabled Currently 2011 Date).. Seems to work great as I'm watching the logs currently.. I believe the page is down but updates are still working as intended and should be current..

Edit: Confirmed it's functioning as intended.. http://forums.freenas.org/index.php?threads/install-denyhosts-within-a-freenas-jail.15906/
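As an added illustration of the workflow laid out in the numbered steps above and of the Hosts.evil format described in this reply (this is example code written for this thread, not DenyHosts' own code or anything posted by the participants): a small Python script that counts failed sshd logins per source address in a constructed FreeBSD-style auth.log excerpt, applies a threshold, and emits `sshd : host : deny` lines that can be merged into an existing deny file without duplicates. The log lines, regex, threshold and allowlist are my assumptions.

```python
import re
from collections import Counter

# Constructed sample of FreeBSD-style auth.log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 freenas sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  1 10:00:03 freenas sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:05 freenas sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:09 freenas sshd[1204]: Accepted publickey for yatti from 198.51.100.4 port 4022 ssh2
Mar  1 10:00:12 freenas sshd[1205]: Failed password for invalid user oracle from 198.51.100.9 port 40000 ssh2
Mar  1 10:00:30 freenas sshd[1206]: Invalid user pi from 203.0.113.7
"""

# Matches the two common sshd failure messages and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Return a Counter of failed sshd login attempts keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def build_deny_entries(log_text, threshold=3, allowlist=()):
    """Emit tcp_wrappers-style 'sshd : host : deny' lines for IPs at or over the threshold."""
    return [
        f"sshd : {ip} : deny"
        for ip, n in sorted(count_failures(log_text).items())
        if n >= threshold and ip not in allowlist
    ]


def merge_entries(existing_text, new_entries):
    """Append new deny lines to the existing file contents, keeping order and skipping duplicates."""
    merged = [line for line in existing_text.splitlines() if line.strip()]
    seen = set(merged)
    for entry in new_entries:
        if entry not in seen:
            merged.append(entry)
            seen.add(entry)
    return merged


if __name__ == "__main__":
    print("\n".join(merge_entries("sshd : 192.0.2.50 : deny\n", build_deny_entries(SAMPLE_AUTH_LOG))))
```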
 

RoboKaren

Contributor
Joined
Apr 8, 2014
Messages
130
Thanks! Got denyhosts working great in a jail on my N54L/freenas. Yippee!
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
Glad to see it's working.. I reviewed and changed my daemon timer (the time the daemon pauses before checking auth.log) to 15 seconds.. I was getting a lot of simultaneous hits that snuck underneath the 30s timer.. I also recommend changing off the default port..
 

RoboKaren

Contributor
Joined
Apr 8, 2014
Messages
130
Yes, I changed my port setting. I don't seem to have sync working yet, I'll have to look into your other thread for that.
 