Bekijk de volledige versie : HOW-TO OpenSSH server and DenyHosts

09-12-2008, 20:55
This how-to is currently NOT working.
I'm sorry to dissapoint everyone, but it seems to be a problem with denyhosts, wich is an old version
I'll try to come up with the newest versions of both programs with the right configuration parameters.

You may find this how-to also on my own site: http://wpte.kicks-ass.net/forum/viewthread.php?thread_id=5

Everybody knows that you get attacked if you open up your ssh connection to the world.
Since these attacks are really ennoying, and keep using your router, you can block them out with Open SSH and DenyHosts!

First you need to prepare your router for the new installation.
You most likely have dropbear installed, wich does the same thing as openssh, but is not as configurable as openssh.
First of all, make sure you have Telnet ACTIVATED on the webadmin, so you can properly install openssh and denyhosts.

Now you can remove dropbear from the startup list:

vi /usr/local/sbin/post-boot
and remove the text

save the file

now save the settings:

flashfs save && flashfs commit && flashfs enable && reboot

Installing OpenSSH and DenyHosts
(reminder: you don't have an ssh server now, so use TELNET to login)
just type in:

ipkg update
ipkg upgrade
ipkg install openssh denyhost

Now you most likely will see some error messages popping up from denyhosts, don't worry, will fix that soon!
Also you will notice, that openssh directly creates keys for a safe data transmission between client and server.

Editing the Configuration files
first openssh:

vi /opt/etc/openssh/sshd_config
In order of apperance:

port 22
MaxAuthTries 3
MaxSessions 5
This makes sure, that you cannot open up more than 5 connections (screens) at once from 1 ip
And will give you 3 tries to login, if 3 times failed, you need to restart putty.
These settings will most likely give already a harder time for any hacker.

second DenyHosts:

vi /opt/etc/denyhosts.cfg
The only thing you have to change here is this:

# Optware:
SECURE_LOG = /tmp/syslog.log

IF however you have logrotate installed, you will need to change it to this:

vi /opt/etc/denyhosts.cfg
The only thing you have to change here is this:

# Optware:
SECURE_LOG = /opt/var/log/syslog.log

Before we're ready to restart, please execute this again:

ipkg upgrade

Now you will notice, that it will configure denyhosts, and no errors will show up anymore...
if it still does, you haven't configured the logfile location properly!

if everything is ok, you can try to restart and check your fresh ssh server out!

note that putty will give a warning, because there are new ssh certificates on your server.
you can also turn telnet off if you want.

Good luck!:)

20-02-2009, 22:53
Just to help others, who want to use your code :)

21-02-2009, 23:14
Just to help others, who want to use your code :)

lol, thanks for the correction

I still have to go through all the deny host code (the new version) because it's not really good to install to a specific location:p

rlea need to spend some time on that soon;)

but is this actually working for you? because i didn't have any good result