DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary-based attacks and brute-force attacks).
If you’ve ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc…) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn’t it be better to automatically prevent that attacker from continuing to gain entry into your system?
This is where DenyHosts comes in: it watches for any remote host that fails to log in a few times, and then blocks that host's IP from logging in for a week or a month, depending on your settings.
You need to have the following packages installed:-
1. First, download DenyHosts:
wget -c http://optusnet.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
2. Extract the file
tar xvfz /opt/DenyHosts-2.6.tar.gz
3. Install the package
python setup.py install
4. After installation, the sample configuration file is located in /usr/share/denyhosts and you need to copy it
cp denyhosts.cfg-dist denyhosts.cfg
5. Edit the denyhosts.cfg file and change the following lines:-
# purge the blocked entries after 2 weeks. Default is never
PURGE_DENY = 2w
# default is sshd only, preferred to block all
BLOCK_SERVICE = ALL
# default is 5, deny a host after 3 failed login attempts (this threshold counts attempts on invalid, i.e. non-existent, user accounts)
DENY_THRESHOLD_INVALID = 3
The rest of the settings can be left at their defaults and it works perfectly. DenyHosts also has other functions, such as sending an email notification when a new blocked IP is added.
6. The configuration is done; the next step is to have DenyHosts start automatically when the server boots. Copy the daemon-control file into /etc/rc.d/init.d and register it:
cp daemon-control-dist /etc/rc.d/init.d/denyhost
chkconfig --add denyhost
7. To start the service immediately, run the following
/sbin/service denyhost start
8. To check if the service is running
ps xa | grep denyhost
If you see a line like the one below, it is already working:
16747 ? S 0:00 python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
9. All blocked IPs are listed in the "/etc/hosts.deny" file. To unblock an IP, just remove it from the file and that host can log in to the server again.
That's all, you have successfully installed DenyHosts.
Source : Howtoforge
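
To make the threshold and BLOCK_SERVICE settings from step 5 concrete, here is an added Python illustration (not DenyHosts' own code and not part of the original article) of the kind of log check described above: count failed SSH logins per IP and produce /etc/hosts.deny entries. The function name, the `threshold_valid` parameter, the "more than the threshold" comparison and the sample log lines are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sshd lines in the style of /var/log/secure (documentation-range IPs).
SAMPLE_LOG = """\
Jan 10 03:12:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 10 03:12:04 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Jan 10 03:12:09 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 40133 ssh2
Jan 10 03:12:15 web1 sshd[2107]: Failed password for invalid user guest from 203.0.113.7 port 40141 ssh2
Jan 10 03:15:40 web1 sshd[2110]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Jan 10 03:15:52 web1 sshd[2112]: Accepted password for alice from 198.51.100.23 port 51520 ssh2
Jan 10 03:20:11 web1 sshd[2120]: Failed password for invalid user ftp from 192.0.2.50 port 33010 ssh2
"""

# Match only failed password lines; "invalid user" marks a non-existent account.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def hosts_to_deny(log_text, threshold_invalid=3, threshold_valid=10,
                  block_service="ALL", already_denied=()):
    """Return hosts.deny lines for IPs with more failures than the threshold.

    threshold_invalid mirrors DENY_THRESHOLD_INVALID from step 5;
    threshold_valid is a hypothetical limit for existing accounts, so a
    legitimate user who mistypes a password once is not locked out.
    """
    invalid, valid = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        (invalid if m.group("invalid") else valid)[m.group("ip")] += 1
    # Assumption: a host is denied once its count exceeds the threshold.
    offenders = {ip for ip, n in invalid.items() if n > threshold_invalid}
    offenders |= {ip for ip, n in valid.items() if n > threshold_valid}
    # BLOCK_SERVICE = ALL yields "ALL: <ip>"; sshd-only yields "sshd: <ip>".
    return ["%s: %s" % (block_service, ip)
            for ip in sorted(offenders) if ip not in already_denied]


if __name__ == "__main__":
    for entry in hosts_to_deny(SAMPLE_LOG):
        print(entry)
```

Running it against your own log excerpt is a quick way to see which hosts a given threshold would block before you change denyhosts.cfg.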