This is an old revision of the document!


Denyhosts

Denyhosts is a shell script that looks for SSH dictionary login attempts, and blocks the IP addresses of the abusers.

Setup

Configuration is in /etc/denyhosts.cfg

Cron Job

To run as a cron job every 10 minutes, add this to fcrontab:

*/10 * * * * /usr/bin/denyhosts.py -c /etc/denyhosts.conf

Optionally, you can run it as a daemon with it's own init script. The settings for the poller are in the configuration file. Defaults are to check every 30 seconds.

Gentoo

For Gentoo, using syslog-ng, authentication attempts are logged to /var/log/messages

Some changes to the default configuration:

SYSLOG_REPORT=YES

CentOS

You can run DenyHosts as a daemon in CentOS. Edit daemon-control, and fix the default locations for the denyhosts.cfg file as well as the path to python. Set the file as executable plus accessible only by root, then copy it to /etc/init.d/denyhosts and finally set it as a service.

chkconfig denyhosts on

tcp_wrappers

Be sure to add any IP addresses to /etc/hosts.allow that you want whitelisted.

# Digital Trike
ALL: 50.198.187.241

FreeBSD

echo denyhosts_enable="YES" >> /etc/rc.conf
echo sshd : /etc/hosts.deniedssh : deny >> /etc/hosts.allow
echo sshd : ALL : allow >> /etc/hosts.allow
touch /etc/hosts.deniedssh
echo syslogd_flags="-c" >> /etc/rc.conf
/usr/local/etc/rc.d/denyhosts start

Sample Configuration

This configuration will block all services that use tcp_wrappers, and will send an email report everytime new entries are added.

############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 
BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=NO
LOCK_FILE = /var/run/denyhosts.pid
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = 
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <[email protected]>
SMTP_SUBJECT = DenyHosts Report
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h