DenyHosts for Red Hat Enterprise Linux
DenyHosts is a utility that analyzes your /var/log/secure file and blocks computers that have made repeated unsuccessful attempts to log in via ssh. These are commonly seen when someone is trying a brute force password attack. DenyHosts was created by Phil Schwartz and is available from denyhosts.sourceforge.net. Since I had to scratch my head for quite a while to install it on my Linux box, I thought that a simple howto might be in order.
These instructions assume that you have already become superuser with the su command. (What, you haven't disabled root logins yet? Shame on you!) They also assume that you've added the Dag Wieers RPM repository to your up2date settings; if you haven't, see the instructions at dag.linux.iastate.edu to find out how.
1. Install denyhosts
up2date -i denyhosts
2. Copy the sample configuration file to the real configuration file
mkdir /usr/share/denyhosts
cp /usr/share/doc/denyhosts-1.1.1/denyhosts.cfg-dist \
/usr/share/denyhosts/denyhosts.cfg
3. If you want to receive mail when hosts are blocked, edit /usr/share/denyhosts/denyhosts.cfg and make the following changes:
ADMIN_EMAIL = yourNetID@iastate.edu
SMTP_HOST = mailhub.iastate.edu
SMTP_FROM = DenyHosts <yourNetID@iastate.edu>
You may decide that other changes are useful; see the Denyhosts FAQ at denyhosts.sourceforge.net/faq.html for more details.
4. Copy the denyhosts daemon control script to /etc/init.d/denyhosts
cp /usr/share/doc/denyhosts-1.1.1/daemon-control-dist /etc/init.d/denyhosts
5. Create symlinks for denyhosts in the /etc/rc.d/rc[0-7] directories so that it will launch in daemon mode on startup:
ln -s /etc/init.d/denyhosts /etc/rc.d/rc3.d/S99denyhosts
ln -s /etc/init.d/denyhosts /etc/rc.d/rc5.d/S99denyhosts
(include other directories if you use non-standard runlevels)
6. Start the service in daemon mode as root with
/sbin/service denyhosts start
When more than five unsuccessful login attempts from the same host (or one unsuccessful root login attempt) are detected in the log, the IP of the attacking machine will be added to /etc/hosts.deny like this:
sshd:129.105.21.219
and SSH access from that host will be rejected.
If you need to ensure SSH access from a particular host, add the line
SSHD:nnn.nnn.nnn.nnn:ALLOW
to the file /etc/hosts.allow, where "nnn.nnn.nnn.nnn" is the IP number of the machine to allow. This will override any block DenyHosts makes against it.
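To show what the daemon is doing with /var/log/secure, here is an added Python example (not DenyHosts' own code) that applies the rules just described to a constructed log excerpt: more than five failures from one host, or a single failure as root, yields an sshd: entry for /etc/hosts.deny, while a host with an sshd ALLOW line in /etc/hosts.allow is skipped. The log lines, IP addresses and hosts.allow contents are made up, and the real daemon has more to it than this; it illustrates the threshold logic only.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt: sample data, not taken from the page.
SECURE_LOG = """\
Jan 12 03:14:01 box sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Jan 12 03:14:02 box sshd[2312]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2
Jan 12 03:14:03 box sshd[2313]: Failed password for oracle from 198.51.100.7 port 51236 ssh2
Jan 12 03:14:04 box sshd[2314]: Failed password for oracle from 198.51.100.7 port 51237 ssh2
Jan 12 03:14:05 box sshd[2315]: Failed password for test from 198.51.100.7 port 51238 ssh2
Jan 12 03:14:06 box sshd[2316]: Failed password for test from 198.51.100.7 port 51239 ssh2
Jan 12 03:20:11 box sshd[2401]: Failed password for root from 203.0.113.9 port 40022 ssh2
Jan 12 03:25:40 box sshd[2450]: Failed password for alice from 192.0.2.5 port 33001 ssh2
Jan 12 03:25:44 box sshd[2451]: Accepted password for alice from 192.0.2.5 port 33002 ssh2
Jan 12 03:30:01 box sshd[2501]: Failed password for bob from 203.0.113.42 port 60001 ssh2
Jan 12 03:30:02 box sshd[2502]: Failed password for bob from 203.0.113.42 port 60002 ssh2
Jan 12 03:30:03 box sshd[2503]: Failed password for bob from 203.0.113.42 port 60003 ssh2
Jan 12 03:30:04 box sshd[2504]: Failed password for bob from 203.0.113.42 port 60004 ssh2
Jan 12 03:30:05 box sshd[2505]: Failed password for bob from 203.0.113.42 port 60005 ssh2
Jan 12 03:30:06 box sshd[2506]: Failed password for bob from 203.0.113.42 port 60006 ssh2
"""
HOSTS_ALLOW = "SSHD:203.0.113.42:ALLOW\n"  # constructed /etc/hosts.allow with the override line from the text

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def failed_logins(log_text):
    """Return (user, ip) for every failed sshd password attempt; other lines are ignored."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def allowed_hosts(hosts_allow_text):
    """IPs with an explicit sshd ALLOW entry (tcp_wrappers matches daemon names case-insensitively)."""
    allowed = set()
    for line in hosts_allow_text.splitlines():
        parts = [p.strip() for p in line.split(":")]
        if len(parts) == 3 and parts[0].lower() == "sshd" and parts[2].upper() == "ALLOW":
            allowed.add(parts[1])
    return allowed

def hosts_to_deny(log_text, hosts_allow_text="", threshold=5):
    """Hosts with more than `threshold` failures, or any failure as root, unless allowlisted."""
    counts, root_failures = Counter(), set()
    for user, ip in failed_logins(log_text):
        counts[ip] += 1
        if user == "root":
            root_failures.add(ip)
    allowed = allowed_hosts(hosts_allow_text)
    return sorted(ip for ip in counts if (counts[ip] > threshold or ip in root_failures) and ip not in allowed)

def hosts_deny_lines(ips):
    return [f"sshd:{ip}" for ip in ips]  # the /etc/hosts.deny form shown in the text
```

Running hosts_deny_lines(hosts_to_deny(SECURE_LOG, HOSTS_ALLOW)) on the sample gives entries for 198.51.100.7 (six failures) and 203.0.113.9 (one root failure) only; 192.0.2.5 stays under the threshold and 203.0.113.42 is protected by hosts.allow.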