Install and configure DenyHosts

by jagbir on April 18, 2008

Brute-force and dictionary-based attacks against servers are common these days. DenyHosts is an excellent Python tool to prevent such attacks. It detects failed login attempts and blocks the offending host/IP from further connections by adding it to the /etc/hosts.deny file.

Here are the steps to install and configure DenyHosts on your server. These steps apply to Red Hat based distros (i.e. RHEL, CentOS, Fedora) and need minor changes for other distros. You can copy and paste the commands.

Step 1. Detect which version of Python is installed on your server:

# python -V

Step 2. You will see Python version 2.3.x (for CentOS 4.x) or 2.4.x (CentOS 5.x, Fedora etc.). Download the matching rpm or the source tarball from SourceForge; I downloaded it using this direct link.

Step 3. Install the rpm:

# rpm -ivh DenyHosts-2.6-python2.3.noarch.rpm

or, if you have the tarball, compile and install from it:

# tar xzf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install

Step 4. Make a copy of the default configuration file:

# cd /usr/share/denyhosts/
# cp denyhosts.cfg-dist denyhosts.cfg

Step 5. Edit the configuration file to suit your needs:

# vi denyhosts.cfg

Step 6. You can run DenyHosts from cron or as a daemon. The preferred way is to run it as a daemon. To do so, make a copy of its default daemon script:

# cp daemon-control-dist daemon-control

Step 7. Set proper permissions for daemon script:

# chown root daemon-control
# chmod 700 daemon-control

Step 8. Start it:

# ./daemon-control start

Step 9. Make it run on startup:

# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# chkconfig --add denyhosts

Step 10. You can view its log and also view the hosts.deny file to find out how many hosts are denied:

# tail /var/log/denyhosts
# cat /etc/hosts.deny
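
A cross-check to go with Step 10, added here as an example (it is not part of DenyHosts or the original post): it lists IPv4 addresses with repeated failed sshd password attempts that have no sshd/ALL entry in hosts.deny. The function names, the default threshold of 5, the syslog line format and the sample data are assumptions; on a Red Hat system the real inputs would be /var/log/secure and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not DenyHosts code. IPv4 only.
# Usage: unblocked_offenders LOGFILE HOSTS_DENY [THRESHOLD]
# Prints "COUNT IP" for each source with >= THRESHOLD failed sshd password
# attempts in LOGFILE that has no sshd/ALL entry in HOSTS_DENY.
unblocked_offenders() {
    awk -v threshold="${3:-5}" '
        mode == "deny" {
            sub(/#.*/, "")                      # strip comments
            n = index($0, ":")
            if (n == 0) next
            nd = split(substr($0, 1, n - 1), d, /[ ,\t]+/)
            covers_ssh = 0
            for (j = 1; j <= nd; j++)
                if (d[j] == "sshd" || d[j] == "ALL") covers_ssh = 1
            if (!covers_ssh) next
            nc = split(substr($0, n + 1), c, /[ ,\t]+/)
            for (j = 1; j <= nc; j++)
                if (c[j] != "") denied[c[j]] = 1
            next
        }
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is attacker-supplied text, so take the LAST
            # "from" on the line: that one is written by sshd itself.
            for (i = NF - 1; i >= 1; i--)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && !(ip in denied))
                    print fails[ip], ip
        }
    ' mode=deny "$2" mode=log "$1" | sort -k1,1nr -k2,2
}

# Constructed sample data using documentation address ranges.
demo() {
    tmp=$(mktemp -d) || return 1
    n=0
    while [ "$n" -lt 6 ]; do
        echo "Apr 18 10:00:0$n srv sshd[2001]: Failed password for root from 203.0.113.5 port 4100$n ssh2"
        echo "Apr 18 10:01:0$n srv sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 4200$n ssh2"
        n=$((n + 1))
    done > "$tmp/secure"
    echo "Apr 18 10:02:00 srv sshd[2003]: Failed password for alice from 192.0.2.10 port 43000 ssh2" >> "$tmp/secure"
    printf '# constructed hosts.deny\nsshd: 198.51.100.7\n' > "$tmp/hosts.deny"
    unblocked_offenders "$tmp/secure" "$tmp/hosts.deny" 5
    rm -rf "$tmp"
}

demo    # prints: 6 203.0.113.5
```

An address that keeps showing up here after the daemon has been running for a while suggests DenyHosts is reading a different log file or using a higher threshold than the one passed to the function.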

Another way to prevent such attacks is to use TCP wrappers and allow services (ssh) from specific IP addresses only.


  • pdeschen

    Thanks for this nice tutorial. I have spotted a small error:

    chkconfig --add denyhosts

    instead of

    chkconfig –add denyhosts

    double dash instead of hyphen. Must be the blog editor ;-)


  • George

    I tried installing DenyHosts-2.6-0.noarch on a new Amazon supported Linux AMI (ami-1c07794e) which comes pre-configured with Python 2.6.5. All looked good but an attempt to install resulted in the following:

    Error: Package: DenyHosts-2.6-0.noarch (/DenyHosts-2.6-python2.5)
    Requires: python = 2.5
    Installed: 1:python-2.6-1.19.amzn1.noarch (installed)
    python = 1:2.6-1.19.amzn1
    You could try using --skip-broken to work around the problem
    You could try running: rpm -Va --nofiles --nodigest

    Using the rpm --force option does not work either.

  • jagbir

    Thanks pdeschen, corrected it.

    @George, sorry for very late reply to your comment, but if you need it now you can try downloading tarball and installing through it. I’ve updated instructions for that as well.
