Block SSH Server Attacks (Brute Force Attacks) Using DenyHosts

DenyHosts is an open source and free log-based intrusion prevention security program for SSH servers developed in Python language by Phil Schwartz. It is intended to monitor and analyzes SSH server logs for invalid login attempts, dictionary based attacks and brute force attacks by blocking the originating IP addresses by adding an entry to /etc/hosts.deny file on the server and prevents the IP address from making any further such login attempts.

Block SSH attacks
Install DenyHosts to Block SSH Attacks

DenyHosts is much needed tool for all Linux based systems, specially when we are allowing password based ssh logins. In this article we are going to show you how to install and configure DenyHosts on RHEL 6.3/6.2/6.1/6/5.8, CentOS 6.3/6.2/6.1/6/5.8 and Fedora 17,16,15,14,13,12 systems using epel repository.

See also :

  1. Fail2ban (Intrusion Prevention) System for SSH
  2. Disable or Enable SSH Root Login
  3. Linux Malware Detect (LMD)

Installing DenyHosts in RHEL, CentOS and Fedora

By default DenyHosts tool is not included in the Linux systems, we need to install it using third party EPEL repository. Once added repository, install the package using following YUM command.

# yum --enablerepo=epel install denyhosts
# yum install denyhosts

Configuring DenyHosts for Whitelist IP Addresses

Once the Denyhosts installed, make sure to whitelist your own IP address, so you will never get locked out. To do this, open a file /etc/hosts.allow.

# vi /etc/hosts.allow

Below the description, add the each IP address one-by-one on a separate line, that you never want to block. The format should be as follows.

# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers

Configuring DenyHosts for Email Alerts

The main configuration file is located under /etc/denyhosts.conf. This file is used to send email alerts about suspicious logins and restricted hosts. Open this file using VI editor.

# vi /etc/denyhosts.conf

Search for the ‘ADMIN_EMAIL‘ and add your email address here to receive email alerts about suspicious logins (for multiple email alerts use comma separated). Please have a look at the configuration file of my CentOS 6.3 server. Each variable is well documented so configure it according to your liking.

############ DENYHOSTS REQUIRED SETTINGS ############
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
WORK_DIR = /var/lib/denyhosts
LOCK_FILE = /var/lock/subsys/denyhosts

############ DENYHOSTS OPTIONAL SETTINGS ############
ADMIN_EMAIL = [email protected]
SMTP_HOST = localhost
SMTP_FROM = DenyHosts <[email protected]>
SMTP_SUBJECT = DenyHosts Daily Report

############ DENYHOSTS OPTIONAL SETTINGS ############
DAEMON_LOG = /var/log/denyhosts

Restarting DenyHosts Service

Once you’ve done with your configuration, restart the denyhosts service for new changes. We also add the denyhosts service to system start-up.

# chkconfig denyhosts on
# service denyhosts start

Watch DenyHosts Logs

To watch denyhosts ssh logs for how many attackers and hackers are attempted to gain access to your server. Use the following command to view the real-time logs.

# tail -f /var/log/secure
Nov 28 15:01:43 tecmint sshd[25474]: Accepted password for root from port 4339 ssh2
Nov 28 15:01:43 tecmint sshd[25474]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 28 16:44:09 tecmint sshd[25474]: pam_unix(sshd:session): session closed for user root
Nov 29 11:08:56 tecmint sshd[31669]: Accepted password for root from port 2957 ssh2
Nov 29 11:08:56 tecmint sshd[31669]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session opened for user root by (uid=0)
Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session closed for user root
Nov 29 11:26:42 tecmint sshd[31669]: pam_unix(sshd:session): session closed for user root
Nov 29 12:54:17 tecmint sshd[7480]: Accepted password for root from port 1787 ssh2

Remove Banned IP Address from DenyHosts

If you’ve ever blocked accidentally and want to remove that banned IP address from the denyhosts. You need to stop the service.

# /etc/init.d/denyhosts stop

To remove or delete banned IP address completely. You need to edit the following files and remove the IP address.

# vi /etc/hosts.deny
# vi /var/lib/denyhosts/hosts
# vi /var/lib/denyhosts/hosts-restricted
# vi /var/lib/denyhosts/hosts-root
# vi /var/lib/denyhosts/hosts-valid
# vi /var/lib/denyhosts/users-hosts

After removing the banned IP Address, restart the service again.

# /etc/init.d/denyhosts start

The offending IP address added to all the files under /var/lib/denyhosts directory, so it’s makes very difficult to determine the which files contain the offending IP address. One of the best way to find out the IP address using grep command. For example to find out IP address, do.

cd /var/lib/denyhosts
grep *

Whitelist IP Addresses Permanently in DenyHosts

If you’ve list of static IP address that you want to whitelist permanently. Open the file /var/lib/denyhosts/allowed-hosts file. Whatever IP address included in this file will not be banned by default (consider this as a whilelist).

# vi /var/lib/denyhosts/allowed-hosts

And add the each IP address on separate line. Save and close the file.

# We mustn't block localhost
If you liked this article, then do subscribe to email alerts for Linux tutorials. If you have any questions or doubts? do ask for help in the comments section.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

17 thoughts on “Block SSH Server Attacks (Brute Force Attacks) Using DenyHosts”

  1. Hi All

    Can we block multiple services on denyhosts like BLOCK_SERVICE = sshd,proftpd and also can these block public IP’s as well.


    • @Chacko,
      Using DenyHosts, you can only block SSH attacks, but if you want to block other services such as ftp, mail, etc, you can use xinetd functionality called hosts.deny.

  2. Password crackers are using automated scripts to target websites to hack the passwords and Brute Force Attacks have become a common thing, but many don’t know the concept behind it and how these attacks are so successful at cracking the passwords of the websites.

    The easiest method to block such attacks is by blacklisting the IPs that carry out such abuses, many hosting providers have added Brute Force Attacks protection in their added security features.

    For more information about these attacks read:

  3. HI All,

    Every day morning iptables rules would be automatically flushed. I dont know how,,,

    Please help me to resolve this issue.

  4. Very Nice article. I have one suggestion. This article work just fine for Ubuntu 12.04 Server, except installation which can be done with

    sudo apt-get install denyhosts

    So i recomment just add Ubuntu to the list. And add the installation method.

  5. Hi, am using CentOS release 5.7 (Final), i can’t install denyhosts with yum, provided i have enabled epel repo and logged in as root.

    when i run #yum install denyhosts

    it gives,
    “Setting up Install Process
    No package denyhosts available.
    Nothing to do”

    what is the problem here. pls advice.

  6. I do trust all of the concepts you’ve offered to your post. They’re really convincing and will certainly work. Still, the posts are too brief for newbies. May you please prolong them a bit from next time? Thanks for the post.


Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.