Denyhosts - Revision history

Leaky: added info about disabling emails

2015-01-15T16:08:33Z

added info about disabling emails

Leaky at 14:09, 15 January 2015

2015-01-15T14:09:01Z

Leaky: Created denyhosts page

2015-01-15T14:08:51Z

Created denyhosts page

New page

Install the EPEL repository. On CentOS 6, this is simple to do because the epel-release package is included in the centos-extras repository.

# yum install -y --enablerepo=extras epel-release

# yum install -y --enablerepo=epel denyhosts

Make a backup of the original denyhosts config. There are plenty of options in there including documentation for each option so you might want to refer back to it.

# mv /etc/denyhosts.conf /etc/denyhosts.conf.orig

Create a new denyhosts config file.

# cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.evil
PURGE_DENY = 4w
PURGE_THRESHOLD = 2
BLOCK_SERVICE =
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 4
DENY_THRESHOLD_ROOT = 2
DENY_THRESHOLD_RESTRICTED = 2
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <root@\$[HOSTNAME]>
SMTP_SUBJECT = DenyHosts Report from \$[HOSTNAME]
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
EOF

Create an empty hosts.evil file ready for hosts.deny to access.

# touch /etc/hosts.evil
# echo "sshd:/etc/hosts.evil" >> /etc/hosts.deny

Set it to start automatically on boot

# chkconfig denyhosts on

Start the service immediately. This command may well take a while to run because it will be parsing all of the current log file looking for previous failed SSH attempts.

# service denyhosts start

← Older revision		Revision as of 16:08, 15 January 2015
Line 1:		Line 1:
		+	denyhosts is a useful program to stop the constant stream of failed SSH logins on a server if you don't want to (or can't) block SSH via iptables rules, or by changing the port it connects on.
		+
	Install the EPEL repository. On CentOS 6, this is simple to do because the epel-release package is included in the centos-extras repository.		Install the EPEL repository. On CentOS 6, this is simple to do because the epel-release package is included in the centos-extras repository.

Line 53:		Line 55:

	# service denyhosts start		# service denyhosts start
		+
		+	The above config will send an email every time an IP is blocked and assumes that root@localhost will be delivered to you. If that email doesn't work, or you wish to get them somewhere else, edit the ADMIN_EMAIL line. If you don't want to receive an email every time an IP is blocked, set ADMIN_EMAIL to an empty value (nothing after the = in the config file).

@@ Line 2: / Line 2: @@
   # yum install -y --enablerepo=extras epel-release
-−
   # yum install -y --enablerepo=epel denyhosts