How to Install DenyHosts on Centos 7

DenyHosts is an open source software developed in Python language by Phil Schwartz. It is mainly designed to monitor and analyze SSH server logs for invalid login attempts, dictionary-based attacks, and brute force attacks by blocking the originating IP addresses by adding it to the /etc/hosts.deny file on the server and thereby preventing the IP address from making any further such login attempts. Due to its simplicity and the ability to manually configure the rules, it is widely used as an alternative to Fail2ban which is a bit more complicated to use and configure.

In this tutorial, I will show you how to install and configure DenyHosts on your CentOS 7 server by different means.

Read alsoHow to Use Fail2ban/Client on CentOS 7

Prerequisites

Before proceeding with the installation we need to assure that our system meets all the software requirements for compiling and installing the application. And also it should be configured with a Static IP address. The DenyHosts software depends on the "ipaddr" Python module.  On the first step, update your system repositories and software packages including the python module by issuing the below commands.

#yum update
#yum install python-ipaddr -y

1. Installing DenyHosts from the Epel Repository

We need to install this package using the Epel repository, use the following command to install it.

#yum install epel-release
#yum install denyhosts -y

Configuring Denyhosts

Once the Denyhosts installed, you need to add your IP to the IP Allow list to make sure that your own IP address is whitelisted, so you will never get locked out.

# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 37.217.142.41
sshd: 37.217.142.42
sshd: 37.217.142.43
sshd: 37.217.142.44

Next, you need to blacklist all the required IP addresses which you want to block. We can confirm that our IP address is not on the blacklist as well.

# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 78.189.206.37
sshd: 121.14.27.58
sshd: 1.246.228.161
sshd: 103.89.89.47
sshd: 116.29.148.2
# DenyHosts: Tue Jan 9 10:16:15 2018 | sshd: 222.186.174.81
sshd: 222.186.174.81
# DenyHosts: Tue Jan 9 10:40:46 2018 | sshd: 217.61.20.181
sshd: 217.61.20.181
# DenyHosts: Tue Jan 9 13:15:53 2018 | sshd: 112.86.117.182
sshd: 112.86.117.182

Enabling DenyHosts Service

Once configured it as required, we can enable and start our DenyHosts service with the commands below:

# systemctl enable denyhosts
# systemctl start denyhosts

# systemctl status denyhosts
● denyhosts.service - SYSV: Activates/Deactivates the
Loaded: loaded (/etc/rc.d/init.d/denyhosts; bad; vendor preset: disabled)
Active: active (running) since Wed 2018-01-10 06:47:54 UTC; 3h 57min ago
Docs: man:systemd-sysv-generator(8)
Process: 30660 ExecStart=/etc/rc.d/init.d/denyhosts start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/denyhosts.service
└─30665 python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf

Jan 10 06:47:54 li226-12.members.linode.com systemd[1]: Starting SYSV: Activates/Deactivates the...
Jan 10 06:47:54 li226-12.members.linode.com denyhosts[30660]: starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
Jan 10 06:47:54 li226-12.members.linode.com systemd[1]: Started SYSV: Activates/Deactivates the.

Configuring Email Alerts in DenyHosts

We can set email alerts about suspicious logins and restricted hosts by making changes in a DenyHosts configuration file. You can add your email address to the variable ADMIN_EMAIL in the configuration file /etc/denyhosts.conf to receive email alerts about suspicious logins. You can add any number of email addresses to the variable, just make sure to separate it using commas. Here I've added my email address [email protected] to alert me of any attacks.

admin email

You need to restart the DenyHosts service after making any changes to the configuration files.

Removing Banned IPs

You can monitor denyhosts ssh logs to see how many attackers and hackers are attempting to gain access to your server. You can use the following command to view the real-time logs.

# tail -f /var/log/secure
Jan 10 10:56:43 li226-12 sshd[2096]: refused connect from 222.186.43.6 (222.186.43.6)
Jan 10 10:57:08 li226-12 sshd[2102]: refused connect from 222.186.43.6 (222.186.43.6)
Jan 10 10:57:43 li226-12 sshd[2113]: refused connect from 222.186.43.6 (222.186.43.6)
Jan 10 10:59:17 li226-12 sshd[2133]: refused connect from 222.186.43.6 (222.186.43.6)

It's evident that our server is trying to refuse connection from the IP 222.186.43.6 from these logs. Let's see the steps to remove this IP from the blacklist.

We need to check for this IP entry in /etc/hosts.deny file and  all those custom deny files created with denyhosts. We can remove the IP entry from all of them as below:

# nano /etc/hosts.deny
# nano /var/lib/denyhosts/hosts
# nano /var/lib/denyhosts/hosts-restricted
# nano /var/lib/denyhosts/hosts-root
# nano /var/lib/denyhosts/hosts-valid
# nano /var/lib/denyhosts/users-hosts

I could notice this entry in my hosts.deny file.

# DenyHosts: Wed Jan 10 03:40:07 2018 | sshd: 222.186.43.6
sshd: 222.186.43.6

I removed this entry and restarted denyhosts service to confirm its working!

2. Installation from Github Repo and Source Distribution

We can either download the Github Repository or download the latest DenyHosts source distribution and compile it from these source packages. Let's see the how I install denyhosts from the Github Repo.

#yum install git
# git clone https://github.com/denyhosts/denyhosts
Cloning into 'denyhosts'...
remote: Counting objects: 1353, done.
remote: Total 1353 (delta 0), reused 0 (delta 0), pack-reused 1353
Receiving objects: 100% (1353/1353), 263.93 KiB | 0 bytes/s, done.
Resolving deltas: 100% (899/899), done.

After downloading the files from the Github, we need to install it. You can install it by issuing this command from the denyhosts folder as below:

#cd denyhosts
#python setup.py install

This will install the DenyHosts modules into python's site-packages directory.

Similarly, from a source distribution you can download latest Denyhosts and install it as explained above. Rest of the configuration steps are same in both these cases.

Configuring Denyhosts

After the installation, you can copy the sample configuration file denyhosts.conf created under the installation folder which contains most of the possible settings to the /etc folder. The configuration file contains various settings along with their description that should help you quickly configure DenyHosts. After you have edited your configuration file, save it.

# cp -rp denyhosts.conf /etc/

Next, we need to copy the sample daemon-control.dist script as such to daemon-control and modify the recommended section as per your configuration file location.

#cp daemon-control-dist daemon-control
#chmod 700 daemon-control

Now we can edit the daemon-control file. You should only need to edit this section near the top as below. I edited this section as my configuration paths.

###############################################

###############################################
#### Edit these to suit your configuration ####
###############################################

DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
DENYHOSTS_CFG = "/etc/denyhosts.conf"

PYTHON_BIN = "/usr/bin/env python"

#########################################

These defaults should be reasonable for many systems. But I recommend you to customize these settings to match your particular system. Once you have edited the configuration and daemon control files make sure to restrict the daemon control script execution to root.

Starting DenyHosts Manually

After setting up Denyhosts to run as daemon with our daemon control script, you can start it manually from there by just running this command from the installation folder.

# ./daemon-control start
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf

You can refer to the daemon log (/var/log/denyhosts) to ensure that DenyHosts is running successfully. You can refer to this FAQ link for any problems and questions concerning this software.

In addition, you can start DenyHosts manually is to run it from the command line using Python just like this mentioning the common parameters like its binary file location and configuration file.

# python /usr/bin/denyhosts.py --config /etc/denyhosts.conf --daemon
# ps aux | grep denyhosts
root 25650 0.0 1.0 216116 10740 ? S 09:44 0:00 python /usr/bin/denyhosts.py --config /etc/denyhosts.conf --daemon
root 25656 0.0 0.2 112668 2200 pts/0 S+ 09:44 0:00 grep --color=auto denyhosts

The above command launches DenyHosts and runs it in the background.

Starting Denyhosts Automatically

We can set cronjobs to start Denyhosts automatically on startup. Or we can create a symbolic link from /etc/init.d as below:

# cd /etc/init.d
# ln -s /root/denyhosts/daemon-control denyhosts
# ll | grep denyhosts
lrwxrwxrwx 1 root root 30 Jan 10 04:48 denyhosts -> /root/denyhosts/daemon-control

Now we can manage  this service from the normal systemctl command.

# systemctl enable denyhosts
denyhosts.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig denyhosts on

# systemctl start denyhosts
# systemctl status denyhosts
● denyhosts.service - SYSV: Activates/Deactivates the
Loaded: loaded (/etc/rc.d/init.d/denyhosts; bad; vendor preset: disabled)
Active: active (exited) since Thu 2018-01-11 09:57:53 UTC; 2s ago
Docs: man:systemd-sysv-generator(8)
Process: 25876 ExecStart=/etc/rc.d/init.d/denyhosts start (code=exited, status=0/SUCCESS)

Wrapping up

In this article, I've discussed how to install and configure DenyHosts on our CentOS 7 server. This tool can be easily configured and it also supports email, SMTP, and syslog notifications. This application is an excellent solution to defend SSH server attacks like dictionary based attacks and brute force attacks. I hope this article is useful for you. Please post your valuable comments and suggestions on this.

Saheetha Shameer 4:45 am

About Saheetha Shameer

I'm working as a Senior System Administrator. I'm a quick learner and have a slight inclination towards following the current and emerging trends in the industry. My hobbies include hearing music, playing strategy computer games, reading and gardening. I also have a high passion for experimenting with various culinary delights :-)

Author Archive Page

Have anything to say?

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.

4 Comments

    1. Epel 7 packages are now available on the default CentOS 7 repository, it can be installed by just using this simple command:
      yum install epel-release

      I hope this helps! Thank you!

    1. If you are using VPN, then I would recommend securing your server by limiting SSH access from your VPN alone.