Denyhosts Notes

Download and Install

Head over to Sourceforge to download an RPM. Make sure that the major
version of Python required for the RPM matches that installed on your
system.

python --version

Now install the RPM:

rpm -ivh DenyHosts-2.6-python2.4.noarch.rpm

Configuration

By default, the installation is placed in /usr/share/denyhosts. A few
steps are required before starting the daemon.

denyhosts.cfg

This is the main config file. A sample file is provided and is called
denyhosts.cfg-dist. Make a copy of this file and start editing it:

cp denyhosts.cfg-dist denyhosts.cfg  
vim denyhosts.cfg

The file is beautifully self-explanatory, as are the FAQs. Any further
explanation of the settings would be superfluous.

The denyhosts daemon

Like the config file, copy the daemon:

cp daemon-control-dist daemon-control  
chown root daemon-control  
chmod 700 daemon-control

No further configuration is necessary for the daemon if you’re on RHEL.

Starting the service

A symlink is necessary within /etc/init.d:

cd /etc/init.d/  
ln -s /usr/share/denyhosts/daemon-control denyhosts  
./denyhosts start

Run at startup

chkconfig --add denyhosts  
chkconfig denyhosts on

Other Notes

Trusted IPs

The default WORK_DIR is /usr/share/denyhosts/data; an alternative is
/var/lib/denyhosts. An important consideration is the allowed-hosts
file, which lets you add an IP/range or domain as a 'trusted' source
that won't be banned (this can be fine-tuned in the denyhosts.cfg
file). For example:

19.67.35.*  
jhu.edu

Removing IPs

If ever you need to do this, you will have to remove them from these
files:

/etc/hosts.deny  
/var/lib/denyhosts/hosts  
/var/lib/denyhosts/hosts-restricted  
/var/lib/denyhosts/hosts-root  
/var/lib/denyhosts/hosts-valid  
/var/lib/denyhosts/users-hosts

It is a good idea to add trusted hosts to the allowed-hosts file after
this and restart the service. You can also use this script:

#!/bin/bash

# denyhosts-remove.sh
#
# AUTHOR: Tommy Butler, email: $ echo YWNlQHRvbW15YnV0bGVyLm1lCg==|base64 -d
# VERSION: 1.0
#
# SUMMARY:
# Use this script to remove an IP address ban that has been errantly blacklisted
# by denyhosts - the ubiquitous and unforgiving brute-force attack protection
# service so often used on Linux boxen.
#
# INSTALL:
# Usage: Put this script somewhere in your $PATH, and execute it as root or
# with sudo.  Call it directly or with an IP address argument.  Multiple IP
# address arguments are not supported.  You'll need to `chmod +x` it first.
#
# LICENSE:
# GNU GPL 1.0
# Copyright 2011 Tommy Butler, All rights reserved

BASE_PATH="/var/lib/denyhosts"
IP="$1"

if [[ "$(/usr/bin/id -u)" != "0" ]]; then
   echo "Run this script as root or with sudo or app can't run correctly.  Aborted."
   exit 1
fi

cd "$BASE_PATH"

if [[ "$(pwd)" != "$BASE_PATH" ]]; then
   echo "Couldn't cd to $BASE_PATH.  Abort."
   exit 1
fi

if [[ "$IP" == "" ]]; then
   echo "Enter the IP address you want to un-ban"
   read -r IP
fi

if [[ "$IP" == "" ]]; then
   echo "No IP address given.  Abort."
   exit 1
fi

# Only accept a dotted quad: the address is interpolated into a regex below.
IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
if ! [[ "$IP" =~ $IPV4_RE ]]; then
   echo "'$IP' is not an IPv4 address.  Abort."
   exit 1
fi

/etc/init.d/denyhosts stop

# Delete every line naming the address from hosts.deny and from all of the
# DenyHosts data files in $BASE_PATH.  \Q...\E keeps the dots literal, and the
# lookarounds stop 10.2.3.4 from also matching 110.2.3.4 or 10.2.3.45.
/usr/bin/perl -pi -e "s/^.*?(?<![0-9.])\\Q$IP\\E(?![0-9.]).*\n//g" /etc/hosts.deny *

/etc/init.d/denyhosts start

exit $?
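Another way to do the same clean-up, written for these notes as an added example rather than taken from the script above or from the DenyHosts project: it validates the address first and matches it only as a whole token, so un-banning 10.2.3.4 cannot also remove the entries for 110.2.3.4 or 10.2.3.45, and a dot in the input is never treated as a regex wildcard. The default file list is the one given earlier in this section; the hosts.deny lines in the demo at the bottom are constructed sample data. Stop the daemon before running it against the live files, as the script above does.

```bash
#!/bin/bash
# Added example for the DenyHosts notes (not the project's code): exact-match un-ban.

# Files DenyHosts writes banned addresses to (the list from the notes).
DENYHOSTS_FILES=(/etc/hosts.deny /var/lib/denyhosts/hosts
                 /var/lib/denyhosts/hosts-restricted /var/lib/denyhosts/hosts-root
                 /var/lib/denyhosts/hosts-valid /var/lib/denyhosts/users-hosts)

# valid_ipv4 IP: succeeds only for a dotted quad whose octets are all 0..255.
valid_ipv4() {
  local ip="$1" re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$' o
  [[ $ip =~ $re ]] || return 1
  for o in ${ip//./ }; do                 # split on the dots
    (( 10#$o <= 255 )) || return 1        # 10# so that 08 is read as decimal
  done
  return 0
}

# ip_regex IP: an ERE that matches IP only when it is not glued to more digits
# or dots on either side, i.e. as a complete address such as "sshd: 10.2.3.4"
# or "10.2.3.4:3:..." but not "110.2.3.4" or "10.2.3.45".
ip_regex() {
  local esc
  esc="$(printf '%s' "$1" | sed 's/\./\\./g')"   # '.' -> '\.'
  printf '(^|[^0-9.])%s([^0-9.]|$)' "$esc"
}

# unban_ip IP [FILE...]: delete every line naming IP from each FILE that exists.
# Without FILE arguments the DenyHosts files above are used.
unban_ip() {
  local ip="$1" re file tmp
  shift
  valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
  re="$(ip_regex "$ip")"
  [ $# -gt 0 ] || set -- "${DENYHOSTS_FILES[@]}"
  for file in "$@"; do
    [ -f "$file" ] || continue
    tmp="$(mktemp)"
    # grep -v exits 1 when no line survives, which is not an error here
    grep -Ev -- "$re" "$file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"   # rewrite in place, keeping owner and mode
  done
}

# Demo on a constructed copy of hosts.deny, never on the live file.
demo() {
  local f
  f="$(mktemp)"
  printf 'sshd: 10.2.3.4\nsshd: 110.2.3.4\nsshd: 10.2.3.45\n' > "$f"
  unban_ip 10.2.3.4 "$f"
  cat "$f"            # the two look-alike entries survive
  rm -f "$f"
}
demo
```

Run as root with the daemon stopped, `unban_ip 10.2.3.4` walks the six files, skipping any that do not exist, and rewrites only the lines that name that exact address.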

Using netfilter itself

While denyhosts is pretty good with regard to features, you can do a
basic ‘bounce’ with the IPT_RECENT module.

iptables -N SSH_CHECK  
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK  
iptables -A SSH_CHECK -m state --state NEW -m recent --set --name SSH  
iptables -A SSH_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH  
iptables -A SSH_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
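The rules above rate-limit rather than ban: every NEW SSH connection is stamped into the SSH recent list, and once a source has four stamps younger than 60 seconds its further connections are dropped until the window slides past them (the `--update` line without a jump target only refreshes the entry). The bash model below is an added example, not part of these notes, and stands in for the kernel module: it collapses `--set`/`--update`/`--rcheck` into record-then-check, uses whole-second timestamps, and the addresses and the trace at the bottom are constructed.

```bash
#!/bin/bash
# Added example: a model of the SSH_CHECK chain's -m recent behaviour.
# Not the kernel's code; it mirrors the rules' parameters only.

RECENT_SECONDS=60     # --seconds 60
RECENT_HITCOUNT=4     # --hitcount 4
LIST_TOT=20           # the module keeps at most ip_pkt_list_tot (default 20) stamps per address
declare -A SEEN       # the "SSH" recent list: ip -> space-separated stamps, oldest first

# recent_flush: empty the list (on a live box: echo / > /proc/net/xt_recent/SSH).
recent_flush() { SEEN=(); }

# ssh_check TS IP: one NEW connection at second TS from IP.
# Returns 0 for ACCEPT and 1 for DROP.
ssh_check() {
  local ts="$1" ip="$2" t hits=0
  local -a stamps=(${SEEN[$ip]} "$ts")            # --set: record this packet too
  if (( ${#stamps[@]} > LIST_TOT )); then          # oldest stamps fall off the ring
    stamps=("${stamps[@]:${#stamps[@]}-LIST_TOT}")
  fi
  SEEN[$ip]="${stamps[*]}"
  for t in "${stamps[@]}"; do                      # --rcheck: stamps younger than the window
    if (( ts - t < RECENT_SECONDS )); then hits=$((hits + 1)); fi
  done
  (( hits < RECENT_HITCOUNT ))                     # 4th hit inside 60s -> DROP
}

# replay: feed a constructed trace of "ts ip" lines through the chain and
# print a verdict per connection.
replay() {
  local ts ip verdict
  while read -r ts ip; do
    if ssh_check "$ts" "$ip"; then verdict=ACCEPT; else verdict=DROP; fi
    printf '%4ss %-15s %s\n' "$ts" "$ip" "$verdict"
  done <<'EOF'
0 203.0.113.5
5 198.51.100.9
10 203.0.113.5
20 203.0.113.5
30 203.0.113.5
40 203.0.113.5
95 203.0.113.5
100 198.51.100.9
EOF
}

replay
recent_flush
```

In the trace the hammering source is accepted three times, dropped on its fourth and fifth attempts, and accepted again at 95 s because only the stamp from 40 s is still inside the window; the occasional user with one connection a minute is never touched. Note that dropped connections are still stamped, so a source that keeps retrying keeps itself blocked.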

Test, test, test, test…

Enough said :)