DenyHosts is a software to block attackers that try to access your server via SSH. If you see failed login attempts in /var/log/auth.log like “Failed password for invalid user test” or “Failed password for root from x.x.x.x” and want to secure your server, DenyHosts is your friend.

Install DenyHosts with

apt-get install denyhosts

Edit /etc/denyhosts.conf and verify the following options.


If you like to receive an email when an IP is blocked enter your email address as ADMIN_EMAIL (useful in the beginning to see if it’s working). Leave the parameter blank if you don’t want to be notified by email.
By default IP addresses will blocked forever, I find it sufficient to only block them for a few days (PURGE_DENY = 3d).

Another great feature of DenyHosts is that you can enable synchronisation support and see which IP addresses other users of the software have blocked and automatically block these also. A statistical summary is available at To enable this feature set the following options.


SYNC_UPLOAD will upload your blocked IPs to the DenyHosts website for others to block, SYNC_DOWNLOAD will download the list of IPs others have blocked. An IP address will be blocked on your server if as many people as specified in SYNC_DOWNLOAD_THRESHOLD have blocked an IP. This prevents a single user from abusing the system.

After making changes to the configuration, don’t forget to restart DenyHosts so that they become active.

/etc/init.d/denyhosts restart

An alternative to DenyHosts that not only scans SSH but also e.g. HTTP log files is Fail2Ban.