DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. Upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. DenyHosts uses TCP Wrappers and not iptables.
First, add the EPEL repository. Then simply install the package from the EPEL repository:
# yum install denyhosts
Before starting DenyHosts, configure a white list of IPs that DenyHosts should never block. Again, DenyHosts uses TCP Wrappers. Hence, edit /etc/hosts.allow and add IPs, entire subnets, etc. For example,
sshd: 126.96.36.199
sshd: 192.168.0.0/255.255.255.0
# service denyhosts start
Configure the system to start DenyHosts at boot:
# chkconfig denyhosts on
Basic things to be aware of:
- IPs to white list should be added to /etc/hosts.allow.
- IPs that DenyHosts blocks will be added to /etc/hosts.deny.
- The DenyHosts configuration file is /etc/denyhosts.conf.
- DenyHosts logs everything that it does to
- DenyHosts watches /var/log/secure for SSH login attempts.
- If a host is ever added to the block list by mistake, just remove it from /etc/hosts.deny. You can also manually add hosts you want to block.
Go through the DenyHosts configuration file (/etc/denyhosts.conf) and tune it to your liking. Be sure to restart DenyHosts (service denyhosts restart) if you change anything.
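To make the whitelist-and-block flow described above concrete, here is an added Python sketch (not DenyHosts' own code and not part of the original article) that counts failed SSH logins in /var/log/secure-style lines and emits hosts.deny-style entries for addresses not covered by hosts.allow. The sample log lines, addresses, the threshold of 2 and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure (documentation IPs).
SAMPLE_LOG = """\
Mar  3 10:01:11 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:14 host sshd[2101]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar  3 10:02:02 host sshd[2110]: Failed password for alice from 192.168.0.25 port 51500 ssh2
Mar  3 10:02:05 host sshd[2110]: Failed password for alice from 192.168.0.25 port 51501 ssh2
Mar  3 10:03:30 host sshd[2120]: Failed password for bob from 198.51.100.9 port 33000 ssh2
"""

# Constructed whitelist in hosts.allow syntax (single address, network/netmask).
SAMPLE_ALLOW = """\
sshd: 198.51.100.50
sshd: 192.168.0.0/255.255.255.0
"""

# Anchored to the end of the line so text inside a user name cannot stand in
# for the real source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$", re.M)

def parse_allow(text, daemon="sshd"):
    """Return the networks whitelisted for `daemon` in hosts.allow-style text."""
    nets = []
    for line in text.splitlines():
        daemons, sep, clients = line.split("#", 1)[0].partition(":")
        if not sep or daemon not in daemons.replace(",", " ").split():
            continue
        for client in clients.replace(",", " ").split():
            try:
                nets.append(ipaddress.ip_network(client, strict=False))
            except ValueError:
                pass  # hostnames and wildcards are out of scope for this sketch
    return nets

def hosts_to_deny(log_text, allow_text, threshold=2):
    """Return hosts.deny-style lines for non-whitelisted IPs at or over threshold."""
    allowed = parse_allow(allow_text)
    failures = Counter(FAILED.findall(log_text))
    deny = []
    for ip, count in sorted(failures.items()):
        addr = ipaddress.ip_address(ip)
        if count >= threshold and not any(addr in net for net in allowed):
            deny.append(f"sshd: {ip}")
    return deny

if __name__ == "__main__":
    print("\n".join(hosts_to_deny(SAMPLE_LOG, SAMPLE_ALLOW)))
```

With the sample data, 192.168.0.25 reaches the threshold but is skipped because it falls inside the whitelisted 192.168.0.0/255.255.255.0 network, which is why the white list should be in place before DenyHosts is started.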
My System Configuration
- CentOS 6.5 x86 64-bit
- DenyHosts 2.6