Download and Install
Head over to Sourceforge to download an RPM. Make sure that the major version of Python required by the RPM (it is part of the file name, e.g. python2.4 below) matches the one installed on your system; python -V tells you what you have.
Now install the RPM:
rpm -ivh DenyHosts-2.6-python2.4.noarch.rpm
By default, the installation is placed in /usr/share/denyhosts. A few steps are required before starting the daemon.
denyhosts.cfg is the main config file. A sample file is provided, called denyhosts.cfg-dist. Make a copy of it in the installation directory and start editing:
cd /usr/share/denyhosts
cp denyhosts.cfg-dist denyhosts.cfg
vim denyhosts.cfg
The file is beautifully self-explanatory, as are the FAQs. Any further explanation of the settings would be superfluous.
The denyhosts daemon
Like the config file, copy the daemon control script, make it root-owned and executable only by root:
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
No further configuration is necessary for the daemon if you’re on RHEL.
Starting the service
A symlink to the daemon control script is necessary within /etc/init.d/:
cd /etc/init.d/
ln -s /usr/share/denyhosts/daemon-control denyhosts
./denyhosts start
Run at startup
chkconfig --add denyhosts
chkconfig denyhosts on
The data files (WORK_DIR in denyhosts.cfg) live by default in /usr/share/denyhosts/data. An alternative is /var/lib/denyhosts, which is what the paths below assume. An important consideration is the allowed-hosts file in that directory, which lets you add an IP/range or domain as a 'trusted' source which won't be banned (hostname entries are only honoured when ALLOWED_HOSTS_HOSTNAME_LOOKUP is enabled in the denyhosts.cfg file.) For example:
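As an added example (not from the original page or from the DenyHosts project), the following script checks an address against the entries of an allowed-hosts file, so you can confirm that your own management address is whitelisted before the daemon starts banning. The entry forms it understands, an exact address, a per-octet wildcard such as 192.168.1.* and a per-octet range such as 10.0.0.[1-20], are the ones described in the DenyHosts README as I recall it; the function names and the sample file are mine, and hostname entries are deliberately not handled.

```shell
#!/bin/sh
# Added example, not DenyHosts code: does an IPv4 address match an entry of a
# DenyHosts allowed-hosts file? Entry forms assumed from the DenyHosts README:
# exact address, per-octet wildcard (192.168.1.*), per-octet range (10.0.0.[1-20]).
# Hostname entries (ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES) are not handled here.
set -f   # no pathname expansion: an entry like 192.168.1.* must stay literal

# octet_matches PATTERN VALUE: 0 if the octet VALUE is covered by PATTERN
octet_matches() {
    pat=$1
    val=$2
    case "$pat" in
        '*') return 0 ;;
        "["*"-"*"]")
            lo=${pat#"["}; lo=${lo%%-*}      # "[1-20]" -> 1
            hi=${pat%"]"}; hi=${hi##*-}      # "[1-20]" -> 20
            [ "$val" -ge "$lo" ] && [ "$val" -le "$hi" ] ;;
        *) [ "$pat" = "$val" ] ;;
    esac
}

# entry_matches ENTRY IP: 0 if the dotted-quad IP is covered by ENTRY
entry_matches() {
    entry=$1
    ip=$2
    old_ifs=$IFS
    IFS=.
    set -- $entry; e1=$1; e2=$2; e3=$3; e4=$4
    set -- $ip;    i1=$1; i2=$2; i3=$3; i4=$4
    IFS=$old_ifs
    # both sides must have four fields
    [ -n "$e4" ] && [ -n "$i4" ] || return 1
    octet_matches "$e1" "$i1" && octet_matches "$e2" "$i2" &&
    octet_matches "$e3" "$i3" && octet_matches "$e4" "$i4"
}

# ip_allowed FILE IP: 0 if any entry in the allowed-hosts FILE covers IP.
# Blank lines and anything after '#' are ignored.
ip_allowed() {
    file=$1
    ip=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if entry_matches "$line" "$ip"; then
            return 0
        fi
    done < "$file"
    return 1
}

# Usage: ip_allowed /var/lib/denyhosts/allowed-hosts 192.168.1.10 && echo whitelisted
```

Run it against your real allowed-hosts with the address you administer from; if it does not print "whitelisted", fix the file before you start the daemon rather than after the first lock-out.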
If ever you need to unban an address that was blacklisted by mistake, you will have to remove it from these files:
/etc/hosts.deny
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/users-hosts
It is a good idea to add trusted hosts to the allowed-hosts file after this and restart the service. You can also use this script:
#!/bin/bash
# denyhosts-remove.sh
#
# AUTHOR: Tommy Butler, email: $ echo YWNlQHRvbW15YnV0bGVyLm1lCg==|base64 -d
# VERSION: 1.0
#
# SUMMARY:
# Use this script to Remove an IP address ban that has been errantly blacklisted
# by denyhosts - the ubiquitous and unforgiving brute-force attack protection
# service so often used on Linux boxen.
#
# INSTALL:
# Usage: Put this script somewhere in your $PATH, and execute it as root or
# with sudo. Call it directly or with an IP address argument. Multiple IP
# address arguments are not supported. You'll need to `chmod +x` it first.
#
# LICENSE:
# GNU GPL 1.0
# Copyright 2011 Tommy Butler, All rights reserved

BASE_PATH="/var/lib/denyhosts"
IP=$1

if [[ "$(/usr/bin/id -u)" != "0" ]]; then
    echo "Run this script as root or with sudo or app can't run correctly. Aborted."
    exit 1
fi

cd "$BASE_PATH" || { echo "Couldn't cd to $BASE_PATH. Abort."; exit 1; }

if [[ "$IP" == "" ]]; then
    echo "Enter the IP address you want to un-ban"
    read IP
fi

if [[ "$IP" == "" ]]; then
    echo "No IP address given. Abort."
    exit 1
fi

/etc/init.d/denyhosts stop

# Delete every line that contains the address as a whole dotted quad. The IP is
# handed to perl as an argument and quoted with \Q...\E so its dots are literal,
# and the look-arounds stop 10.0.0.1 from also matching 10.0.0.12 or 110.0.0.1.
# Only the ban files listed above are edited; allowed-hosts in this directory
# is left alone.
/usr/bin/perl -pi -e 'BEGIN { $ip = shift } s/^.*(?<![\d.])\Q$ip\E(?![\d.]).*\n//' \
    "$IP" /etc/hosts.deny hosts hosts-restricted hosts-root hosts-valid users-hosts

/etc/init.d/denyhosts start
exit $?
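The script above edits the live files in place, so it is worth seeing the one subtlety of an unban in isolation: the address has to be matched as a whole dotted quad, otherwise removing 10.0.0.1 also removes the bans on 10.0.0.12 and 110.0.0.1. The following is an added example, not the script from the page and not DenyHosts code: a POSIX sh function that removes one address from the six files listed above, takes the hosts.deny path and work directory as parameters so it can be tried on copies first, and refuses anything that is not an IPv4 address. The "sshd: <ip>" line shape in hosts.deny and the lines in the work-dir files used in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the page's script, not DenyHosts code): unban one IPv4
# address from the DenyHosts ban files, matching the whole dotted quad.
# Stop denyhosts before running it for real and restart it afterwards.

# unban_ip IP [HOSTS_DENY] [WORK_DIR]
# Prints the number of lines removed. Returns 0 if at least one line was
# removed, 1 if nothing matched, 2 if IP is not a dotted quad.
unban_ip() {
    ip=$1
    hosts_deny=${2:-/etc/hosts.deny}
    work_dir=${3:-/var/lib/denyhosts}

    # The value ends up in a regex and in file edits, so accept only four
    # dot-separated numbers and nothing else.
    case "$ip" in
        *[!0-9.]* | '' | *..* | .* | *.)
            echo "not an IPv4 address: $ip" >&2; return 2 ;;
    esac
    dots=$(($(printf '%s' "$ip" | tr -cd '.' | wc -c)))
    [ "$dots" -eq 3 ] || { echo "not an IPv4 address: $ip" >&2; return 2; }

    # Escape the dots so the address is a literal in an ERE, and require a
    # non-address character (or line start/end) on both sides of it, so
    # 10.0.0.1 does not match 10.0.0.12 or 110.0.0.1.
    re="(^|[^0-9.])$(printf '%s' "$ip" | sed 's/\./\\./g')([^0-9.]|\$)"

    total=0
    for f in "$hosts_deny" "$work_dir/hosts" "$work_dir/hosts-restricted" \
             "$work_dir/hosts-root" "$work_dir/hosts-valid" "$work_dir/users-hosts"; do
        [ -f "$f" ] || continue
        before=$(($(wc -l < "$f")))
        tmp="$f.unban.$$"
        # grep -v exits 1 when it selects no lines; that is not an error here
        grep -v -E "$re" "$f" > "$tmp" || true
        # write back through the original file so its owner and mode survive
        cat "$tmp" > "$f"
        rm -f "$tmp"
        after=$(($(wc -l < "$f")))
        total=$((total + before - after))
    done
    echo "$total"
    [ "$total" -gt 0 ]
}

# Usage on the live system (as root, daemon stopped):
#   unban_ip 10.0.0.1
# Usage on copies, e.g. for a dry run:
#   unban_ip 10.0.0.1 /tmp/copy/hosts.deny /tmp/copy/denyhosts
```

Whether you use this or the perl one-liner, check that the address you just unbanned is also in allowed-hosts afterwards; otherwise the next burst of failed logins from it simply puts the ban back.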
Using netfilter itself
While denyhosts is pretty good with regard to features, you can also do a basic 'bounce' in netfilter itself with the ipt_recent module: a source that opens about four new connections to port 22 within 60 seconds gets its further attempts dropped until it goes quiet. For the same reason allowed-hosts exists, put an ACCEPT for your trusted addresses ahead of the jump into SSH_CHECK, or a slip of the fingers locks you out too.
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m state --state NEW -m recent --set --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
Test, test, test, test…
Enough said :)