This article explains how to set up DenyHosts on a Red Hat-based Linux server (RHEL 6, CentOS 5.5 or Fedora 14) so that remote IP addresses that repeatedly fail SSH logins are added automatically to the server's /etc/hosts.deny file, blocking SSH brute-force and dictionary attacks. This works because sshd on these distributions is built with TCP wrappers (libwrap) support and therefore honours /etc/hosts.allow and /etc/hosts.deny.
The easiest way to get up and running with DenyHosts on a Red Hat / CentOS / Fedora server is with yum. Simply type:
yum install denyhosts
By default, Fedora servers should have the proper repositories to install DenyHosts with yum, but default RHEL or CentOS servers will likely need to install the EPEL repository before this will work. You can load the EPEL repository from this site: http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F
The next step is to add any hostnames or IP addresses that you know are "safe" to a text file. DenyHosts checks that file and will never block access from those locations, no matter how many failed login attempts come from them. The file lives in DenyHosts' work directory: /var/lib/denyhosts/allowed-hosts for the EPEL/Fedora package, or /usr/share/denyhosts/data/allowed-hosts for the upstream default (check the WORK_DIR setting in the DenyHosts configuration if unsure). Open it with your favorite text editor. The default looks like this:
# We mustn't block localhost
127.0.0.1
Add any other IP addresses or hostnames (DenyHosts resolves hostnames to IP addresses) that you wish to explicitly allow. You can use wildcards (*) in the file. For example, if you never want to block IPs from your internal network, make your allowed-hosts file look like this:
# We mustn't block localhost
127.0.0.1
192.168.1.*
DenyHosts reads allowed-hosts when it starts, so restart the service after changing it. You can also add the safe addresses to /etc/hosts.allow, which TCP wrappers consult before /etc/hosts.deny; an address listed there keeps SSH access even if it is ever written to hosts.deny:
sshd: 127.0.0.1
sshd: 192.168.1.*
You can then set up DenyHosts to start at boot:
chkconfig denyhosts on
and you’ll be good to go.
Simply type the following command to start denyhosts:
service denyhosts start
and you’re off and running!
DenyHosts continuously monitors /var/log/secure for failed logins and, once a source address exceeds the configured thresholds (set in the DenyHosts configuration file, /etc/denyhosts.conf for the EPEL/Fedora package), adds it to /etc/hosts.deny. A sample hosts.deny after a few blocks looks like this:
sshd: 192.168.10.12
sshd: 192.168.10.111
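To make concrete what DenyHosts is doing behind the scenes, here is an added example that is not part of the original article and not DenyHosts' own code. It is a miniature of the check: count "Failed password" lines in /var/log/secure per source IP, skip anything matching the allowed-hosts list (including the trailing "*" wildcard), and print hosts.deny entries for addresses at or above a threshold. The log lines, the allowed-hosts content and the threshold of 3 are all constructed for the example; real DenyHosts also matches other failure messages and keeps separate thresholds for root, valid and invalid users.

```sh
#!/bin/sh
# Added example: a miniature, offline version of the check DenyHosts performs.
# Not DenyHosts' own code. Counts "Failed password" lines per source IP, skips
# addresses matching the allowed-hosts list (trailing "*" wildcard supported),
# and prints hosts.deny entries for addresses at or above a threshold.

# Constructed sample of /var/log/secure (not taken from a real server).
SAMPLE_LOG='Mar  1 10:01:02 host sshd[1234]: Failed password for root from 192.168.10.12 port 51234 ssh2
Mar  1 10:01:05 host sshd[1235]: Failed password for invalid user admin from 192.168.10.12 port 51240 ssh2
Mar  1 10:01:07 host sshd[1236]: Failed password for root from 192.168.10.12 port 51250 ssh2
Mar  1 10:02:00 host sshd[1240]: Failed password for oracle from 192.168.10.111 port 40000 ssh2
Mar  1 10:02:03 host sshd[1241]: Failed password for invalid user test from 192.168.10.111 port 40001 ssh2
Mar  1 10:02:06 host sshd[1242]: Failed password for invalid user guest from 192.168.10.111 port 40002 ssh2
Mar  1 10:03:00 host sshd[1250]: Failed password for bob from 192.168.1.50 port 33000 ssh2
Mar  1 10:03:01 host sshd[1251]: Failed password for bob from 192.168.1.50 port 33001 ssh2
Mar  1 10:03:02 host sshd[1252]: Failed password for bob from 192.168.1.50 port 33002 ssh2
Mar  1 10:04:00 host sshd[1260]: Accepted password for alice from 10.0.0.5 port 22000 ssh2
Mar  1 10:04:10 host sshd[1261]: Failed password for alice from 10.0.0.5 port 22001 ssh2'

# Constructed allowed-hosts content, in the same syntax as the DenyHosts file.
ALLOWED_HOSTS='# never block localhost
127.0.0.1
192.168.1.*'

# is_allowed IP -> exit status 0 if IP matches an allowed-hosts entry.
# Comment lines are dropped; entries are used as shell patterns, so
# "192.168.1.*" matches any host in that /24.
is_allowed() {
    ip=$1
    for pat in $(printf '%s\n' "$ALLOWED_HOSTS" | grep -v '^#'); do
        case $ip in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# block_list THRESHOLD < logfile -> prints "sshd: IP" for every non-allowed
# source address with at least THRESHOLD failed password attempts.
block_list() {
    threshold=$1
    sed -n 's/.*sshd\[[0-9]*]: Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | LC_ALL=C sort | uniq -c \
        | while read -r count ip; do
              [ "$count" -ge "$threshold" ] || continue
              is_allowed "$ip" && continue
              printf 'sshd: %s\n' "$ip"
          done
}

# Run against the constructed sample with a threshold of 3 failures.
# 192.168.1.50 also fails three times but is whitelisted, and 10.0.0.5 is
# below the threshold, so only the two 192.168.10.x attackers are listed.
printf '%s\n' "$SAMPLE_LOG" | block_list 3
```

Against a real server you would feed the live log instead (block_list 3 < /var/log/secure) and compare the output with what DenyHosts actually wrote to /etc/hosts.deny; any address that shows up here but is missing there is worth investigating, as is any address in hosts.deny that matches your allowed-hosts entries.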