DenyHosts

Introduction

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (dictionary-based and brute-force password guessing against sshd).

I have used Fail2Ban in the past but found it doesn’t work so well on OpenVZ containers where ‘iptables’ can be a little funky. For the sake of consistency, and preserving my sanity, I’ve migrated to DenyHosts which uses tcp_wrappers to block access.

Install DenyHosts

This is enough to get DenyHosts installed and functional.

apt-get install denyhosts

Configure DenyHosts

Despite the super simple install, the default settings are not suitable for my purposes. You can see all the configuration options and their descriptions in ‘/etc/denyhosts.conf’. What follows are some ‘sed’ edits that configure DenyHosts just the way I like it.

sudo sed -i 's/^PURGE_DENY =/PURGE_DENY = 1h/' /etc/denyhosts.conf
sudo sed -i 's/#PURGE_THRESHOLD = 2/PURGE_THRESHOLD = 2/' /etc/denyhosts.conf
sudo sed -i 's/ADMIN_EMAIL = root@localhost/ADMIN_EMAIL = root@example.org/' /etc/denyhosts.conf
sudo /etc/init.d/denyhosts restart
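The three ‘sed’ edits above do the job once, but they are not safe to re-run: the PURGE_DENY pattern only anchors on the key, so a second pass turns ‘PURGE_DENY = 1h’ into ‘PURGE_DENY = 1h 1h’. The script below is an added example (not from the original post or the DenyHosts project) that applies the same three settings idempotently, works on a constructed copy of the config rather than the live file, and reads the values back so you can confirm what the service will actually pick up before restarting it. The sample config lines and the temp file path are constructed for the demo.

```shell
#!/bin/sh
# Added example: apply the post's DenyHosts settings idempotently and verify them.
# By default this edits a constructed temp copy, not /etc/denyhosts.conf.

# Rewrite the three settings regardless of their current value.  "#*" lets the
# PURGE_THRESHOLD pattern match both the commented and the uncommented form.
configure_denyhosts() {
    conf="$1"
    sed -e 's/^PURGE_DENY *=.*/PURGE_DENY = 1h/' \
        -e 's/^#*PURGE_THRESHOLD *=.*/PURGE_THRESHOLD = 2/' \
        -e 's/^ADMIN_EMAIL *=.*/ADMIN_EMAIL = root@example.org/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the effective value of a key (last uncommented assignment), or nothing
# if the key is unset or still commented out.
setting() {
    sed -n "s/^$2 *= *//p" "$1" | tail -n 1
}

# Constructed sample of the relevant lines from a stock denyhosts.conf.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY =
#PURGE_THRESHOLD = 2
ADMIN_EMAIL = root@localhost
EOF

# Run it twice on purpose: the result must be the same both times.
configure_denyhosts "$CONF"
configure_denyhosts "$CONF"

echo "PURGE_DENY      = $(setting "$CONF" PURGE_DENY)"
echo "PURGE_THRESHOLD = $(setting "$CONF" PURGE_THRESHOLD)"
echo "ADMIN_EMAIL     = $(setting "$CONF" ADMIN_EMAIL)"
```

To use it for real, run ‘configure_denyhosts /etc/denyhosts.conf’ as root and then restart the service as in the post; the ‘setting’ helper is handy for checking PURGE_DENY after a config management run, since a blank PURGE_DENY means blocked hosts are never expired.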

Seeing what DenyHosts has blocked

You can see if any hosts have been blocked with the following…

cat /etc/hosts.deny

You should see lines like the ones below for hosts that are blocked.

sshd: 31.7.59.84
sshd: 74.94.23.101
sshd: 58.251.128.139
sshd: 218.26.42.110
sshd: 218.94.26.50

DenyHosts has a log file of all its activities in ‘/var/log/denyhosts’. But if you really want to poke about then take a look in ‘/var/lib/denyhosts’, which is where DenyHosts keeps its database.
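Reading ‘/etc/hosts.deny’ by eye is fine for five entries, but it is useful to have a quick way to list the sshd-blocked addresses and to check whether a particular address (typically your own, after a few mistyped passwords) is among them. The following is an added example, not part of the original post or of DenyHosts; it parses a constructed hosts.deny, strips comments, handles comma-separated lists and ‘ALL:’ entries as tcp_wrappers does, and is limited to IPv4 since it splits on the colon. The sample addresses are RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: list sshd-blocked addresses from a hosts.deny file and
# check whether a given address is blocked.  IPv4 only (splits on ':').

# Print one blocked address per line for the sshd service.
# Lines for other daemons (e.g. ftpd) are ignored; ALL: applies to sshd too.
blocked_hosts() {
    sed -e 's/#.*//' "$1" | awk -F: '
        $1 ~ /^(sshd|ALL)[ \t]*$/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", a[i])
                if (a[i] != "") print a[i]
            }
        }'
}

# Exit 0 if address $2 is blocked for sshd in file $1, 1 otherwise.
is_blocked() {
    blocked_hosts "$1" | grep -qxF "$2"
}

# Constructed sample hosts.deny (not copied from a real system).
DENY=$(mktemp)
cat > "$DENY" <<'EOF'
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
sshd: 192.0.2.1
sshd: 192.0.2.10, 192.0.2.11
ALL: 198.51.100.7
ftpd: 192.0.2.99
sshd: 192.0.2.12  # added by hand
EOF

echo "Hosts blocked for sshd:"
blocked_hosts "$DENY"
if is_blocked "$DENY" 192.0.2.12; then
    echo "192.0.2.12 is blocked"
fi
```

Point ‘blocked_hosts’ at ‘/etc/hosts.deny’ on a real box; if ‘is_blocked’ reports your own address, remove the line from ‘/etc/hosts.deny’ and from the files under ‘/var/lib/denyhosts’ (with the daemon stopped), otherwise DenyHosts will re-add it from its database.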
