Denyhosts Notes Revision as of Sunday, 27 December 2015 at 07:27 UTC
Download and Install
Head over to
Sourceforge
to download an RPM. Make sure that the major version of Python required
for the RPM matches that installed on your system.
python --version
Now install the RPM:
rpm -ivH DenyHosts-2.6-python2.4.noarch.rpm
Configuration
By default, the installation is placed in /usr/share/denyhosts
. A few
steps are required before starting the daemon.
denyhosts.cfg
This is the main config file. A sample file is provided and is called
denyhosts.cfg-dist
. Make a copy of this file and start editing it:
cp denyhosts.cfg-dist denyhosts.cfg
vim denyhosts.cfg
The file is beautifully self-explanatory, as are the
FAQs. Any further
explanation of the settings would be superfluous.
The denyhosts daemon
Like the config file, copy the daemon:
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
No further configuration is necessary for the daemon if you’re on RHEL.
Starting the service
A symlink is necessary within /etc/init.d
cd /etc/init.d/
ln -s /usr/share/denyhosts/daemon-control denyhosts
./denyhosts start
Run at startup
chkconfig --add denyhosts
chkconfig denyhosts on
Other Notes
Trusted IPs
The default WORK_DIR
is /usr/share/denyhosts/data
. An alternative is
/var/lib/denyhosts
. An important consideration is the allowed-hosts
file, which lets you add an IP/range or domain as a ’trusted’ source
which won’t be banned (this can be fine-tuned in the denyhosts.cfg
file.) For example:
19.67.35.*
jhu.edu
Removing IPs
If ever you need to do this, you will have to remove them from these
files:
/etc/hosts.deny
/var/lib/denyhosts/hosts
/var/lib/denyhosts/hosts-restricted
/var/lib/denyhosts/hosts-root
/var/lib/denyhosts/hosts-valid
/var/lib/denyhosts/users-hosts
It is a good idea to add trusted hosts to the allowed-hosts
file after
this and restart the service. You can also use this script:
#!/bin/bash
# denyhosts-remove.sh
#
# AUTHOR: Tommy Butler, email: $ echo YWNlQHRvbW15YnV0bGVyLm1lCg==|base64 -d
# VERSION: 1.0
#
# SUMMARY:
# Use this script to Remove an IP address ban that has been errantly blacklisted
# by denyhosts - the ubiquitous and unforgiving brute-force attack protection
# service so often used on Linux boxen.
#
# INSTALL:
# Usage: Put this script somewhere in your $PATH, and execute it as root or
# with sudo. Call it directly or with an IP address argument. Multiple IP
# address arguments are not supported. You'll need to `chmod +x` it first.
#
# LICENSE:
# GNU GPL 1.0
# Copyright 2011 Tommy Butler, All rights reserved
BASE_PATH="/var/lib/denyhosts";
IP=$1
if [[ "`/usr/bin/id -u`" != "0" ]]; then
echo "Run this script as root or with sudo or app can't run correctly. Aborted."
exit 1;
fi
cd $BASE_PATH
if [[ "`pwd`" != "$BASE_PATH" ]]; then
echo "Couldn't cd to $BASE_PATH. Abort."
exit 1;
fi
if [[ "$IP" == "" ]]; then
echo "Enter the IP address you want to un-ban"
read IP
fi
if [[ "$IP" == "" ]]; then
echo "No IP address given. Abort."
exit 1;
fi
/etc/init.d/denyhosts stop
/usr/bin/perl -pi -e "s/^.*?$IP.*\n//g" /etc/hosts.deny *
/etc/init.d/denyhosts start
exit $?
Using netfilter itself
While denyhosts
is pretty good with regard to features, you can do a
basic ‘bounce’ with the IPT_RECENT module.
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m state --state NEW -m recent --set --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
iptables -A SSH_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
Test, test, test, test…
Enough said :)