Denyhosts

From Leaky
Revision as of 14:08, 15 January 2015 by Leaky (talk | contribs) (Created denyhosts page)

Install the EPEL repository. On CentOS 6, this is simple to do because the epel-release package is included in the centos-extras repository.

# yum install -y --enablerepo=extras epel-release
# yum install -y --enablerepo=epel denyhosts

Make a backup of the original denyhosts config. It contains plenty of options, each with its own documentation, so you might want to refer back to it.

# mv /etc/denyhosts.conf /etc/denyhosts.conf.orig

Create a new denyhosts config file.

# cat > /etc/denyhosts.conf <<EOF
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.evil
PURGE_DENY = 4w
PURGE_THRESHOLD = 2
BLOCK_SERVICE =
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 4
DENY_THRESHOLD_ROOT = 2
DENY_THRESHOLD_RESTRICTED = 2
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = root@localhost
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <root@\$[HOSTNAME]>
SMTP_SUBJECT = DenyHosts Report from \$[HOSTNAME]
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
EOF

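Create an empty hosts.evil file and reference it from hosts.deny. Because BLOCK_SERVICE is left blank in the config above, DenyHosts writes only the offending addresses to this file, and the hosts.deny entry applies them to sshd.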

# touch /etc/hosts.evil
# echo "sshd:/etc/hosts.evil" >> /etc/hosts.deny

Set it to start automatically on boot.

# chkconfig denyhosts on

Start the service immediately. This command may take a while to run because it parses the whole of the current log file looking for previous failed SSH attempts.

# service denyhosts start
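
The setup above only blocks anything if three pieces agree: HOSTS_DENY names the file, BLOCK_SERVICE is blank so that file holds bare addresses, and hosts.deny points sshd at the same file. The following check is an added example, not part of the original page or of DenyHosts; the function names conf_value and check_denyhosts_wiring are made up for illustration.

```shell
#!/bin/sh
# Added example: verify that denyhosts.conf and hosts.deny are wired together.

# Print the value of a "KEY = value" setting (last occurrence wins,
# commented-out lines are ignored). $1 = config file, $2 = key.
conf_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the wiring is consistent, 1 if it is not, 2 on unreadable input.
# $1 = denyhosts.conf, $2 = hosts.deny
check_denyhosts_wiring() {
    conf=$1
    deny=$2
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    [ -r "$deny" ] || { echo "cannot read $deny"; return 2; }

    hosts_file=$(conf_value "$conf" HOSTS_DENY)
    block_service=$(conf_value "$conf" BLOCK_SERVICE)
    rc=0

    if [ -z "$hosts_file" ]; then
        echo "HOSTS_DENY is not set in $conf"
        return 1
    fi
    # The file included from hosts.deny must hold bare addresses, which is
    # what DenyHosts writes when BLOCK_SERVICE is left blank.
    if [ -n "$block_service" ]; then
        echo "BLOCK_SERVICE is '$block_service', expected blank"
        rc=1
    fi
    # The include target has to exist before the daemon first writes to it.
    if [ ! -e "$hosts_file" ]; then
        echo "$hosts_file does not exist"
        rc=1
    fi
    # hosts.deny needs an active (uncommented) "sshd:<file>" line.
    if ! tr -d ' \t' < "$deny" | grep -Fxq "sshd:$hosts_file"; then
        echo "$deny has no 'sshd:$hosts_file' entry"
        rc=1
    fi
    return $rc
}

# Stand-alone use: ./check.sh /etc/denyhosts.conf /etc/hosts.deny
if [ "$#" -eq 2 ]; then
    check_denyhosts_wiring "$1" "$2"
fi
```

A silent exit status of 0 means the three settings line up; any message names the piece that is out of step.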