How to Block Brute Force SSH with DenyHosts

DenyHosts is open source software that helps block brute force attacks with SSH login to help protect your Linux Server more securely. This is a fairly lightweight Tool and very simple to use, just exceed the number of incorrect logins, that IP will be blocked, unable to detect Key, Password SSH.

DenyHosts monitors and analyzes SSH Logs for false logins, dictionary-based attacks, and attacks. brute force attack by blocking the original IP addresses and adding an entry to the file /etc/hosts.deny on the server and prevent the IP address from making any further login attempts.

DenyHosts is a very essential tool for all Linux based systems, especially when we allow ssh login to remote Linux servers.

In this article, I will show you how to install and configure DenyHosts on RHEL-based Linux distributions like Fedora, CentOS, Rocky Linux, and AlmaLinux.

How to Install DenyHosts in Linux

By default, the DenyHosts tool is not built-in to the Linux system, we need to install it using a third-party EPEL repository. After adding the repository, install the DenyHosts package using the following yum command.

# yum install epel-release
# yum install denyhosts

Configure DenyHosts for IP addresses in Whitelist

After installing Denyhosts, make sure to whitelist your own IP address, so that it never gets blocked. To do this, open the file /etc/hosts.allow.

# vi /etc/hosts.allow

Below the description, add each IP address in a separate line that you don’t want to block.

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 172.16.25.125
sshd: 172.16.25.126
sshd: 172.16.25.127

Configure DenyHosts for email alerts

The main configuration file is located in /etc/denyhosts.conf. This file is used to send email notifications about suspected logins. Open this file with an editor vi.

# vi /etc/denyhosts.conf

Find the line ‘ADMIN_EMAIL’ and add your email address here to receive email notifications of suspicious logins (for multiple emails, use commas). Each variable is fully documented so configure it to your liking.

############ DENYHOSTS REQUIRED SETTINGS ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts

############ DENYHOSTS OPTIONAL SETTINGS ############
ADMIN_EMAIL = [email protected]
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <[email protected]>
SMTP_SUBJECT = DenyHosts Daily Report

############ DENYHOSTS OPTIONAL SETTINGS ############
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h

Restart the DenyHosts service

When you’re done with the configuration, reboot denyhosts. We also add denyhosts into startup.

# chkconfig denyhosts on
# service denyhosts start

View DenyHosts logs

To view the diary denyhosts how many attackers and hackers are trying to access your server. Please use the following command:

# tail -f /var/log/secure

Nov 28 15:01:43 tecmint sshd[25474]: Accepted password for root from 172.16.25.125 port 4339 ssh2
Nov 28 15:01:43 tecmint sshd[25474]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 28 16:44:09 tecmint sshd[25474]: pam_unix(sshd:session): session closed for user root
Nov 29 11:08:56 tecmint sshd[31669]: Accepted password for root from 172.16.25.125 port 2957 ssh2
Nov 29 11:08:56 tecmint sshd[31669]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session closed for user root
Nov 29 11:26:42 tecmint sshd[31669]: pam_unix(sshd:session): session closed for user root
Nov 29 12:54:17 tecmint sshd[7480]: Accepted password for root from 172.16.25.125 port 1787 ssh2

Remove blocked IP address from DenyHosts

If you want to remove that blocked IP address from denyhosts. You need to stop the tool.

# /etc/init.d/denyhosts stop

To remove or completely remove blocked IP address. You need to edit the following files and remove the IP address.

# vi /etc/hosts.deny
# vi /var/lib/denyhosts/hosts
# vi /var/lib/denyhosts/hosts-restricted
# vi /var/lib/denyhosts/hosts-root
# vi /var/lib/denyhosts/hosts-valid
# vi /var/lib/denyhosts/users-hosts

After removing the blocked IP address, restart the service.

# /etc/init.d/denyhosts start

The offending IP address has been added to all files in the directory /var/lib/denyhosts, so it is difficult to determine which file contains the offending IP address. One of the best ways to find out the IP address is to use the grep command. Example to find out IP address 172.16.25.125:

cd /var/lib/denyhosts
grep 172.16.25.125 *

Permanently whitelist IP addresses in DenyHosts

If you have a list of static IP addresses that you want to whitelist permanently. Please open the file /var/lib/denyhosts/allowed-hosts. Any IP addresses contained in this file will not be blocked by default.

# vi /var/lib/denyhosts/allowed-hosts

And add each IP address on each line separately. Then save and close the file.

# We mustn't block localhost
127.0.0.1
172.16.25.125
172.16.25.126
172.16.25.127