Denyhosts is another utility similar to fail2ban: it parses log files to identify potential attacks against SSH services. A clear advantage Denyhosts has over fail2ban is the synchronisation mechanism available since version 2.0, which lets a Denyhosts daemon communicate with a central server and exchange information about hosts denied by other Denyhosts daemons. However, unlike fail2ban, it does not modify any firewall (iptables) rules; instead it relies on tcpwrapper and the hosts.deny file to block SSH access. Fail2ban also offers the advantage of monitoring other services and logs, whereas Denyhosts is specific to SSH. There are other tcpwrapper-based utilities that can handle additional services.
To install Denyhosts using yum, ensure that the EPEL repository is installed and enabled (refer to the old post, although it covers an older version).
Installation and configuration
- vi /etc/hosts.allow # whitelist any trusted hosts and/or networks
- yum install denyhosts # install the denyhosts package
- vi /etc/denyhosts.conf # change to suit, the file is well documented
- chkconfig --level 2345 denyhosts on # set the runlevels in which the daemon starts
- service denyhosts start # manually start the daemon
- tail /var/log/denyhosts # confirm daemon started successfully
I wrote a small (single use) script to generate a set of iptables rules from the tcpwrapper hosts.deny file to drop traffic from denied hosts.
# Emit an iptables DROP rule for each host denied in /etc/hosts.deny ("ALL: <addr>" lines)
for A in $(grep -v '^#' /etc/hosts.deny | sed 's/^ALL[[:space:]]*:[[:space:]]*//' | grep '[0-9]'); do
  echo "/sbin/iptables -I INPUT -s $A -j DROP"
done
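The same hosts.deny to iptables conversion as an added example (not the post's own script), written as a function so it can be run against any tcpwrapper-style file. It assumes entries of the form "ALL: addr" or "sshd: addr" (Denyhosts' default BLOCK_SERVICE), tolerates spacing around the colon, ignores comments, keeps only plain IPv4 clients and de-duplicates so no rule is emitted twice; the sample file below is constructed.

```shell
#!/bin/sh
# Added example: turn tcpwrapper hosts.deny entries into iptables DROP commands.
# Handles "ALL: addr", "sshd: addr" (Denyhosts' default BLOCK_SERVICE) and
# "sshd : addr" spacing, skips comments and blank lines, keeps only plain IPv4
# clients (hostname/domain patterns are left to tcpwrapper) and de-duplicates.
deny_to_iptables() {   # $1 = path to a hosts.deny style file; prints one command per host
    sed -e 's/#.*//' "$1" \
      | awk -F':' 'NF >= 2 {
            gsub(/[ \t]/, "", $2)                      # strip whitespace around the client
            if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$2]++)
                printf "/sbin/iptables -I INPUT -s %s -j DROP\n", $2
        }'
}

# Constructed sample in the format Denyhosts appends to /etc/hosts.deny
sample_file=$(mktemp)
cat > "$sample_file" <<'EOF'
# DenyHosts: Mon Jan  1 00:00:00 2024 | sshd: 203.0.113.10
sshd: 203.0.113.10
ALL : 198.51.100.7
sshd: 203.0.113.10
ALL: .example.net
EOF

deny_to_iptables "$sample_file"
rm -f "$sample_file"
```

Pipe the output into sh only after reviewing it, and remember that hosts.deny is rewritten by Denyhosts, so the generated rules reflect one point in time.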