Install Denyhosts on your server or desktop system to help further prevent unwanted attacks on, or access to, your systems.
# yum install denyhosts
# vi /etc/denyhosts.conf
HOSTS_DENY = /etc/hosts.deny
Defines the active ban list.
PURGE_DENY = 6y
I figure the average hardware lifecycle of servers is 2 years or less so 6 years should be plenty if i want an IP permanently banned.
PURGE_THRESHOLD = 1
This step ensures a repeat offender is permanently banned and kept in /etc/hosts.deny.
BLOCK_SERVICE = ALL
I’ve set this to “ALL” because if any user is attempting malicious entry to the system, I want all potential avenues of damage to be cut off instantly. Bans can easily be lifted; a compromised system could rob you of a lifetime of work and effort.
DENY_THRESHOLD_INVALID = 1
I’ve set this value to 1 attempt for a user without an account on the system attempting to log in; they obviously have no right even trying to log in, so they should be blocked immediately.
DENY_THRESHOLD_VALID = 3
I’ve set known-user login attempts to 3 for increased security in a login/password scenario. For added security you can restrict access only to users with the proper SSH id_dsa or id_rsa keys (see fedorasolved.org for more info on setting this up).
DENY_THRESHOLD_ROOT = 1
Since I’ve set my sshd_config to refuse root logins, I want this set to only 1 attempt at root login before the offending IP is banned, since no one should be logging in as root.
DENY_THRESHOLD_RESTRICTED = 1
This refers to /var/lib/denyhosts/hosts-restricted. I don’t want these people logging in at all, so I set the failed threshold to 1 attempt before banning the IP.
WORK_DIR = /var/lib/denyhosts
This defines the working directory for Denyhosts.
This setting (YES) monitors all IPs, even allowed IPs, for suspicious connections or attempts and logs/reports this activity for investigation.
This setting allows for hostname lookup on all IPs reported by denyhosts.
ADMIN_EMAIL = email@example.com
Put the email address here that you want mailed when new IP entries are added.
This section refers to the /var/lib/denyhosts/allowed-hosts file, and adds a hostname lookup to the log entry.
This section refers to resetting the failed-login counter to 0 for valid users on the system after they have been locked out or have used any of the 3 attempts given in the “DENY_THRESHOLD_VALID” variable above. Currently, this is set to reset to 0 after 5 minutes with no further failed attempts (e.g. once the user has logged into the system).
This essentially is another step to make *sure* a specific banned IP *stays* banned.
This section refers to login attempts made by the IPs listed in the /var/lib/denyhosts/hosts-restricted file. This lets us specify a time period after which the failed-login counter for the DENY_THRESHOLD_RESTRICTED variable is reset to 0.
Same as the reset period for DENY_THRESHOLD_RESTRICTED above, but for the DENY_THRESHOLD_INVALID variable, which covers login attempts by usernames that do not exist on the system.
RESET_ON_SUCCESS = yes
This basically means that if a valid user on the system accidentally fails to log in twice but then succeeds on the third attempt, their failed-login counter is immediately reset to 0 again (even admins forget logins).
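To see what the thresholds above actually do to a stream of sshd log lines, here is an added example (not part of Denyhosts or this post) that replays the per-category counting and the RESET_ON_SUCCESS behaviour over constructed /var/log/secure lines. It assumes the restricted list can be modelled as a set of usernames (RESTRICTED_USERS, a hypothetical name) and uses documentation IP ranges only.

```python
import re
from collections import defaultdict
# Thresholds taken from the denyhosts.conf settings above.
DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID = 1, 3
DENY_THRESHOLD_ROOT, DENY_THRESHOLD_RESTRICTED = 1, 1
RESET_ON_SUCCESS = True
# Assumption of this example: the restricted list is modelled as a set of usernames.
RESTRICTED_USERS = {"guest"}

# OpenSSH /var/log/secure patterns DenyHosts keys on: failures and successes.
FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")

def classify(user, invalid):
    # Pick the DenyHosts threshold category that applies to one attempt.
    if user == "root":
        return "root", DENY_THRESHOLD_ROOT
    if user in RESTRICTED_USERS:
        return "restricted", DENY_THRESHOLD_RESTRICTED
    if invalid:
        return "invalid", DENY_THRESHOLD_INVALID
    return "valid", DENY_THRESHOLD_VALID

def evaluate(log_lines):
    """Replay sshd log lines; return the IPs that would be written to /etc/hosts.deny."""
    failures = defaultdict(int)  # (ip, category) -> failed attempts since last reset
    banned = set()
    for line in log_lines:
        if m := FAILED_RE.search(line):
            cat, limit = classify(m["user"], m["invalid"] is not None)
            failures[(m["ip"], cat)] += 1
            if failures[(m["ip"], cat)] >= limit:
                banned.add(m["ip"])
        elif (m := ACCEPTED_RE.search(line)) and RESET_ON_SUCCESS:
            failures[(m["ip"], "valid")] = 0  # RESET_ON_SUCCESS = yes
    return banned

# Constructed sample lines in /var/log/secure format (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "Jan 10 10:00:01 srv sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
    "Jan 10 10:00:04 srv sshd[2002]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
    "Jan 10 10:00:07 srv sshd[2003]: Failed password for alice from 198.51.100.7 port 40003 ssh2",
    "Jan 10 10:00:10 srv sshd[2004]: Accepted publickey for alice from 198.51.100.7 port 40004 ssh2",
    "Jan 10 10:00:13 srv sshd[2005]: Failed password for alice from 198.51.100.7 port 40005 ssh2",
    "Jan 10 10:00:19 srv sshd[2007]: Failed password for bob from 198.51.100.8 port 40007 ssh2",
    "Jan 10 10:00:22 srv sshd[2008]: Failed password for bob from 198.51.100.8 port 40008 ssh2",
    "Jan 10 10:00:25 srv sshd[2009]: Failed password for bob from 198.51.100.8 port 40009 ssh2",
]

if __name__ == "__main__":
    print("\n".join(f"ALL: {ip}" for ip in sorted(evaluate(SAMPLE_LOG))))
```

With the sample input, the invalid-user attempt and bob's third failure are banned, while alice's successful login resets her counter so her later single failure stays under DENY_THRESHOLD_VALID.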
# service denyhosts start
# chkconfig denyhosts on