# Denyhosts Notes

Download the RPM from the DenyHosts project page on SourceForge. The Python version the RPM was built against is part of the file name (python2.4 in the example below); make sure it matches the Python installed on your system, and compare the downloaded file against the checksum published on the download page before installing it.

python --version


Now install the RPM:

rpm -ivh DenyHosts-2.6-python2.4.noarch.rpm


## Configuration

The RPM installs the program itself as /usr/bin/denyhosts.py and everything else under /usr/share/denyhosts. A few steps are required there before the daemon can be started.

### denyhosts.cfg

This is the main config file. A sample file is provided and is called denyhosts.cfg-dist. Make a copy of this file and start editing it:

cp denyhosts.cfg-dist denyhosts.cfg
vim denyhosts.cfg


The file is well commented, as are the FAQs, so the settings are not repeated here. Before the first start, check at least SECURE_LOG (/var/log/secure on RHEL), HOSTS_DENY and BLOCK_SERVICE, the DENY_THRESHOLD_* values, PURGE_DENY and WORK_DIR, and set ADMIN_EMAIL if you want a report of every address that gets blocked.
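An annotated fragment of a denyhosts.cfg for a RHEL host, added here as an example; it is not the distributed denyhosts.cfg-dist, and the values (thresholds, purge interval, WORK_DIR, lookup setting) are choices for such a host rather than the file's defaults:

```ini
# Where sshd logs on RHEL (Debian-style systems use /var/log/auth.log instead)
SECURE_LOG = /var/log/secure

# File DenyHosts appends to, and the tcp_wrappers service name it writes, so
# entries look like "sshd: 10.0.0.1". ALL would block every wrapped service.
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd

# Failed attempts before an address is added to HOSTS_DENY. Keep the root
# threshold at one: root logins over SSH should be failing anyway.
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1

# An empty PURGE_DENY means entries are never removed, so one mistyped
# password from a management box keeps it locked out until hosts.deny is
# edited by hand. A week is long enough to make brute forcing pointless.
PURGE_DENY = 1w

# Data files (hosts, hosts-root, users-hosts, allowed-hosts, ...) live here.
# Assumed location; the RPM default is /usr/share/denyhosts/data.
WORK_DIR = /var/lib/denyhosts

# Reverse-resolving every attacking address is slow and sends a query to
# whoever runs their reverse zone. Leave it off unless you need names.
HOSTNAME_LOOKUP = NO

# Receives the report of newly blocked addresses.
ADMIN_EMAIL = root@localhost

# Daemon-mode settings used when started through daemon-control
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
LOCK_FILE = /var/lock/subsys/denyhosts
```

The file is read when denyhosts.py starts, so restart the daemon after changing it.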

### The denyhosts daemon

Like the config file, the daemon control script ships as a -dist sample. Copy it, and since it runs with root's privileges make it root-only:

cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control


The paths set at the top of daemon-control (DENYHOSTS_BIN, DENYHOSTS_LOCK and DENYHOSTS_CFG) match where the RPM puts things, so on RHEL nothing else needs editing.

### Starting the service

A symlink in /etc/init.d is needed so that service and chkconfig can find the control script:

cd /etc/init.d/
ln -s /usr/share/denyhosts/daemon-control denyhosts
./denyhosts start


### Run at startup

chkconfig --add denyhosts
chkconfig denyhosts on


## Other Notes

### Trusted IPs

The default WORK_DIR is /usr/share/denyhosts/data; /var/lib/denyhosts is a common alternative. The file that matters most in it is allowed-hosts: an address, an address with a trailing wildcard, or a hostname listed there is treated as trusted and is never banned (how hostnames are handled is controlled by ALLOWED_HOSTS_HOSTNAME_LOOKUP in denyhosts.cfg). Put your own management addresses in it before the first start, because with DENY_THRESHOLD_ROOT = 1 a single typo locks you out, and restart the daemon whenever you change it. For example:

19.67.35.*
jhu.edu


### Removing IPs

If you ever need to un-ban an address, stop the daemon first (otherwise it may rewrite hosts.deny underneath you) and remove the address from all of these files; the WORK_DIR paths assume WORK_DIR = /var/lib/denyhosts:

/etc/hosts.deny
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/users-hosts


Afterwards, add the address to allowed-hosts if it belongs to a trusted host, and restart the service. Tommy Butler's denyhosts-remove.sh does the removal in one go (it, too, assumes WORK_DIR = /var/lib/denyhosts):

#!/bin/bash

# denyhosts-remove.sh
#
# AUTHOR: Tommy Butler, email: $ echo YWNlQHRvbW15YnV0bGVyLm1lCg== | base64 -d
# VERSION: 1.0
#
# SUMMARY:
# Use this script to remove an IP address ban that has been errantly blacklisted
# by denyhosts - the ubiquitous and unforgiving brute-force attack protection
# service so often used on Linux boxen.
#
# INSTALL:
# Usage: Put this script somewhere in your $PATH, and execute it as root or
# with sudo.  Call it directly or with an IP address argument.  Multiple IP
# address arguments are not supported.  You'll need to chmod +x it first.
#
# GNU GPL 1.0

BASE_PATH="/var/lib/denyhosts"   # must match WORK_DIR in denyhosts.cfg
IP=$1

if [[ "$(/usr/bin/id -u)" != "0" ]]; then
  echo "Run this script as root or with sudo or app can't run correctly. Aborted."
  exit 1
fi

cd "$BASE_PATH"
if [[ "$(pwd)" != "$BASE_PATH" ]]; then
  echo "Couldn't cd to $BASE_PATH.  Abort."
  exit 1
fi

if [[ "$IP" == "" ]]; then
  echo "Enter the IP address you want to un-ban"
  read IP
fi
if [[ "$IP" == "" ]]; then
  echo "No IP address given.  Abort."
  exit 1
fi

# Stop the daemon first so it does not rewrite hosts.deny while it is edited.
/etc/init.d/denyhosts stop

# Delete every line naming the address from hosts.deny and from every file in
# WORK_DIR (hosts, hosts-root, users-hosts, ...).  The address is handed to
# perl through the environment instead of being pasted into the program text,
# and \Q...\E plus the look-around assertions make it match literally and as a
# whole address, so un-banning 10.0.0.1 leaves 10.0.0.10 and 210.0.0.1 alone.
IP="$IP" /usr/bin/perl -pi -e 's/^.*?(?<![0-9.])\Q$ENV{IP}\E(?![0-9]).*\n//g' /etc/hosts.deny *

/etc/init.d/denyhosts start
exit $?
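A stricter version of the same procedure, added here as an example (it is not DenyHosts code and not the script above): it accepts only a valid dotted-quad address, matches it as a whole token so that removing 10.0.0.1 never takes 10.0.0.10 with it, keeps a .bak of every file it touches, and takes the file locations as arguments so it can be rehearsed on a scratch copy before touching the live files. The entry layouts quoted in the comments ("sshd: ADDRESS" in hosts.deny, "ADDRESS:count:date" in WORK_DIR/hosts) are constructed samples of what DenyHosts writes, and the WORK_DIR default at the bottom is an assumption that must match denyhosts.cfg.

```sh
#!/bin/sh
# Added example for this page, not part of DenyHosts: remove one IPv4 address
# from hosts.deny and the DenyHosts WORK_DIR files, matching the whole address.
# Paths are passed in so the functions can be rehearsed on a scratch copy.

# valid_ipv4 IP: succeed only for four dot-separated decimal octets of 0-255,
# so whatever reaches the regex below cannot change the pattern's meaning.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')    # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ip_regex IP: extended regex for the address as a whole token: start of line
# or a non-address character before it, end of line or a character that cannot
# continue an address after it. Dots are escaped so they stop meaning "any char".
ip_regex() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(^|[^0-9.])%s([^0-9.]|$)' "$escaped"
}

# denyhosts_files_with_ip IP HOSTS_DENY WORK_DIR: list the files that still name
# the address, e.g. "sshd: 10.0.0.1" in hosts.deny or "10.0.0.1:4:<date>" in
# WORK_DIR/hosts (constructed sample layouts). Earlier .bak copies are skipped.
denyhosts_files_with_ip() {
    re=$(ip_regex "$1")
    for f in "$2" "$3"/*; do
        case $f in *.bak) continue ;; esac
        [ -f "$f" ] || continue
        if grep -Eq -e "$re" "$f"; then printf '%s\n' "$f"; fi
    done
    return 0
}

# denyhosts_unban IP HOSTS_DENY WORK_DIR: refuse anything that is not an
# address, then for each affected file keep a .bak and rewrite it without the
# lines that name the address. Stop the daemon before using this on live files.
denyhosts_unban() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    re=$(ip_regex "$1")
    for f in "$2" "$3"/*; do
        case $f in *.bak) continue ;; esac
        [ -f "$f" ] || continue
        grep -Eq -e "$re" "$f" || continue        # nothing to remove here
        cp -p "$f" "$f.bak" || return 1
        # grep -v exits 1 when no line is left; an empty file is the right result
        grep -Ev -e "$re" "$f.bak" > "$f" || :
    done
    return 0
}

# Invoked directly with an address: stop the daemon, edit the live files, start
# it again. WORK_DIR is an assumption and must match the value in denyhosts.cfg.
if [ $# -gt 0 ]; then
    HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}
    WORK_DIR=${WORK_DIR:-/var/lib/denyhosts}
    /etc/init.d/denyhosts stop
    denyhosts_unban "$1" "$HOSTS_DENY" "$WORK_DIR"
    rc=$?
    /etc/init.d/denyhosts start
    exit $rc
fi
```

Run `denyhosts_files_with_ip` first to see which files would change; the functions are plain POSIX sh, so they also work on a box without bash.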


### Using netfilter itself

While DenyHosts is pretty good with regard to features, the kernel can do a basic 'bounce' on its own with the recent match (xt_recent, formerly ipt_recent, hence the IPT_RECENT kernel option). Every new connection to port 22 is recorded in a list named SSH; once an address has opened four new connections within 60 seconds, any further new connection from it is dropped, and because dropped attempts are recorded too, the block lasts until the address has been quiet for 60 seconds.

iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m state --state NEW -m recent --set --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP


Three caveats: the second SSH_CHECK rule (--update with no target) only refreshes a timestamp that the --set rule above it already refreshes, so it can be dropped; the match counts new connections, not failed logins, so a legitimate user who opens several sessions in a minute is bounced as well, and your own management addresses deserve a RETURN rule at the top of SSH_CHECK; and like any other iptables change it is gone after a reboot unless you save it with service iptables save.

Enough said :)