Installing DenyHosts on CentOS 6

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. Upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. DenyHosts uses TCP Wrappers and not iptables.

Install DenyHosts

First, add the EPEL repository, then install the package from it:

# yum install denyhosts

Configure DenyHosts

Before starting DenyHosts, configure a white list of IPs that DenyHosts should never block. Because DenyHosts uses TCP Wrappers, the white list lives in /etc/hosts.allow: add individual IPs, entire subnets, etc. there. For example:

sshd: 12.34.56.78
sshd: 192.168.0.0/255.255.255.0

Start DenyHosts

# service denyhosts start

Configure the system to start DenyHosts at boot:

# chkconfig denyhosts on

Basic things to be aware of:

  • IPs to white list should be added to /etc/hosts.allow.
  • IPs that DenyHosts blocks will be added to /etc/hosts.deny.
  • The DenyHosts configuration file is /etc/denyhosts.conf.
  • DenyHosts logs everything that it does to /var/log/denyhosts.
  • DenyHosts watches /var/log/secure for SSH login attempts.
  • If a host is ever added to the block list by mistake, just remove it from /etc/hosts.deny. You can also manually add hosts you want to block.

Go through the DenyHosts configuration file (/etc/denyhosts.conf) and tune it to your liking. Be sure to restart DenyHosts (service denyhosts restart) if you change anything.
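
The mechanism described above (count failed SSH logins per source IP in /var/log/secure, skip white-listed addresses, write /etc/hosts.deny entries for the rest), as an added Python example that is not DenyHosts' own code. The log lines are constructed, and the function names, the threshold of 3 and the matched log-message format are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure (not real log data).
SAMPLE_SECURE_LOG = """\
Jan 10 03:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:04 host sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jan 10 03:12:09 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Jan 10 03:13:30 host sshd[2110]: Failed password for alice from 192.168.0.25 port 51514 ssh2
Jan 10 03:13:34 host sshd[2112]: Failed password for alice from 192.168.0.25 port 51520 ssh2
Jan 10 03:13:39 host sshd[2114]: Failed password for alice from 192.168.0.25 port 51533 ssh2
Jan 10 03:14:02 host sshd[2120]: Accepted password for bob from 198.51.100.4 port 60001 ssh2
Jan 10 03:15:11 host sshd[2125]: Failed password for bob from 198.51.100.9 port 60010 ssh2
"""
# White list in the same format as the /etc/hosts.allow entries shown earlier.
SAMPLE_HOSTS_ALLOW = "sshd: 12.34.56.78\nsshd: 192.168.0.0/255.255.255.0\n"

# Assumed message format for a failed password login (hypothetical pattern).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def parse_allow(text):
    """Return the IPv4 networks white-listed for sshd in hosts.allow-style text."""
    nets = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2 or "sshd" not in re.split(r"[,\s]+", fields[0]):
            continue
        for client in filter(None, re.split(r"[,\s]+", fields[1])):
            try:
                nets.append(ipaddress.ip_network(client, strict=False))
            except ValueError:
                pass  # hostnames and wildcards such as ALL are out of scope here
    return nets

def hosts_to_deny(log_text, allow_text, threshold=3):
    """Return hosts.deny lines for IPs with at least `threshold` failed logins."""
    allowed = parse_allow(allow_text)
    failures = Counter(FAILED_RE.findall(log_text))
    deny = []
    for ip, count in sorted(failures.items()):
        if count < threshold:
            continue
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue  # white-listed hosts are never blocked
        deny.append("sshd: " + ip)
    return deny

if __name__ == "__main__":
    print("\n".join(hosts_to_deny(SAMPLE_SECURE_LOG, SAMPLE_HOSTS_ALLOW)))
```

On the sample data only 203.0.113.7 is returned: 192.168.0.25 reaches the threshold but falls inside the white-listed 192.168.0.0/255.255.255.0 subnet, and 198.51.100.9 has a single failure.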

My System Configuration

  • CentOS 6.5 x86 64-bit
  • DenyHosts 2.6
