DenyHosts is a tool that blocks attackers who try to access your server via SSH. If you see failed login attempts in /var/log/auth.log like “Failed password for invalid user test” or “Failed password for root from x.x.x.x” and want to secure your server, DenyHosts is your friend.
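To see which source addresses are behind such entries, the failures in auth.log can be tallied per IP. This is an added example, not part of the original post and not DenyHosts' own code; the log lines are constructed and the thresholds are illustrative assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the usual sshd auth.log layout (documentation-range IPs).
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 web1 sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:12 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 12 03:15:40 web1 sshd[2110]: Failed password for root from 198.51.100.23 port 40022 ssh2
Jan 12 03:16:02 web1 sshd[2115]: Failed password for alice from 192.0.2.77 port 60111 ssh2
Jan 12 03:16:30 web1 sshd[2115]: Accepted password for alice from 192.0.2.77 port 60111 ssh2
Jan 12 03:16:55 web1 sshd[2118]: Failed password for invalid user x from 192.0.2.77 from 203.0.113.5 port 51260 ssh2
Jan 12 03:17:00 web1 CRON[2120]: pam_unix(cron:session): session opened for user root
"""

# The user name is attacker-controlled and may contain " from <ip>", so match
# greedily and anchor at the end: the address sshd appended last is the real one.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)

# Illustrative per-category limits (assumption for this example only).
THRESHOLDS = {"invalid": 2, "root": 1, "valid": 5}

def tally_failures(log_text):
    """Return {ip: Counter(category -> failed logins)} for sshd password failures."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # not a literal address; ignore rather than guess
        kind = "invalid" if m.group("invalid") else ("root" if m.group("user") == "root" else "valid")
        counts[ip][kind] += 1
    return counts

def over_threshold(counts, thresholds=THRESHOLDS):
    """Addresses whose failures reach the limit in at least one category."""
    return sorted(ip for ip, kinds in counts.items()
                  if any(kinds[k] >= n for k, n in thresholds.items()))

if __name__ == "__main__":
    result = tally_failures(SAMPLE_AUTH_LOG)
    print({ip: dict(k) for ip, k in result.items()}, over_threshold(result))
```

To run it against a real log, pass the contents of /var/log/auth.log to tally_failures() instead of the sample.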
Install DenyHosts with
apt-get install denyhosts
Edit /etc/denyhosts.conf and verify the following options.
ADMIN_EMAIL = firstname.lastname@example.org
PURGE_DENY = 3d
If you would like to receive an email when an IP is blocked, enter your email address as ADMIN_EMAIL (useful in the beginning to see if it’s working). Leave the parameter blank if you don’t want to be notified by email.
By default, IP addresses will be blocked forever; I find it sufficient to only block them for a few days (PURGE_DENY = 3d).
Another great feature of DenyHosts is that you can enable synchronisation support to see which IP addresses other users of the software have blocked and automatically block them as well. A statistical summary is available at http://stats.denyhosts.net/stats.html. To enable this feature, set the following options.
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 5
SYNC_UPLOAD will upload your blocked IPs to the DenyHosts website for others to block; SYNC_DOWNLOAD will download the list of IPs others have blocked. An IP address will be blocked on your server if as many users as specified in SYNC_DOWNLOAD_THRESHOLD have blocked it. This prevents a single user from abusing the system.
After making changes to the configuration, don’t forget to restart DenyHosts so that they become active.
An alternative to DenyHosts that scans not only SSH but also other log files, e.g. HTTP, is Fail2Ban.