Using DenyHosts

Modified: 05 Jan 2015 18:04 UTC

You can install DenyHosts to help prevent SSH server attacks (also known as dictionary-based or brute-force attacks). DenyHosts runs as a service that watches for multiple failed login attempts from an IP address and then locks out that IP once it reaches the login threshold.

You can also sync DenyHosts with public servers to block attacks from known malicious IP addresses.

At a Glance

How to run DenyHosts on a SmartMachine.

You can run DenyHosts manually, as a daemon or as a cron job.

To configure DenyHosts for your SmartMachine:
  1. SSH into your SmartMachine and run this command:
    pkgin in py27-denyhosts
    
  2. Open the configuration file for editing:
    /opt/local/etc/denyhosts.conf
    
  3. Locate the following section:
    # Mandrake, FreeBSD or OpenBSD:
    #SECURE_LOG = /var/log/auth.log
    #
    # NetBSD:
    SECURE_LOG = /var/log/authlog
    
  4. Remove the comment from the first SECURE_LOG line and add a comment to the second SECURE_LOG line:
    # Mandrake, FreeBSD or OpenBSD:
    SECURE_LOG = /var/log/auth.log
    #
    # NetBSD:
    #SECURE_LOG = /var/log/authlog
    

    This will ensure DenyHosts is looking at the right logfile.

  5. Enable DenyHosts:
    svcadm enable denyhosts
    
  6. Verify DenyHosts is running:
    svcs -a | grep denyhosts
    

If successful, you should see something similar to this:

    online 22:57:04 svc:/network/denyhosts:default

DenyHosts now blocks any host whose failed logins exceed the thresholds set in the configuration file.

You can modify the configuration file to adjust the default thresholds for various failed logins (invalid user, valid user, root).
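
Steps 3 and 4 can be scripted and checked instead of edited by hand. The following is an added example, not part of the original page or of DenyHosts itself; the function names are made up for this example, and the default config path is the one from step 2.

```shell
#!/bin/sh
# Added example (not from DenyHosts): script steps 3-4 and verify the result.
# Function names are made up here; CONF defaults to the path from step 2.
CONF=${CONF:-/opt/local/etc/denyhosts.conf}

# Print the value of every active (uncommented) SECURE_LOG line.
active_secure_log() {
    awk '/^[ \t]*SECURE_LOG[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
    }' "$1"
}

# Make log path $2 the only active SECURE_LOG in config file $1:
# uncomment the line that names it (append one if absent) and
# comment out any other active SECURE_LOG line. Safe to run twice.
set_secure_log() {
    conf=$1 want=$2
    tmp=$(mktemp) || return 1
    awk -v want="$want" '
        /^[ \t]*#?[ \t]*SECURE_LOG[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (v == want) {
                if (!done) print "SECURE_LOG = " want
                done = 1; next
            }
            if ($0 !~ /^[ \t]*#/) { print "#" $0; next }
        }
        { print }
        END { if (!done) print "SECURE_LOG = " want }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Succeed only if exactly one SECURE_LOG is active and that file is readable,
# i.e. DenyHosts is watching a log that exists on this machine.
check_secure_log() {
    logs=$(active_secure_log "$1")
    [ -n "$logs" ] || { echo "no active SECURE_LOG in $1" >&2; return 1; }
    [ "$(printf '%s\n' "$logs" | grep -c .)" -eq 1 ] ||
        { echo "more than one active SECURE_LOG in $1" >&2; return 1; }
    [ -r "$logs" ] || { echo "$logs is not readable" >&2; return 1; }
}

# Usage on the SmartMachine, before step 5:
#   set_secure_log "$CONF" /var/log/auth.log && check_secure_log "$CONF"
```

If `check_secure_log` fails, DenyHosts would be watching a log file that is missing or unreadable and would never see the failed logins it is meant to count.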