DenyHosts: Remove / Delete an IP address

by Vivek Gite on August 17, 2009 · 9 comments

I've followed your guide and installed DenyHosts to protect my RedHat 5.3 OpenSSH-based server. However, I've been accidentally locked out from my home ADSL IP address. I tried removing my blocked IP from /etc/hosts.deny, but it got blocked again quickly. It appears that DenyHosts keeps track of the attempts somewhere on disk or in memory. How do I remove my own home IP address from DenyHosts?

Simply removing your IP from /etc/hosts.deny does not work, since DenyHosts keeps its own record of the attempts in the /usr/share/denyhosts/data directory. To remove your IP address you need to do the following.

Step # 1: Stop DenyHosts

# /etc/init.d/denyhosts stop

Step # 2: Remove Your IP From /etc/hosts.deny

# vi /etc/hosts.deny
Delete your IP address. Save and close the file.

Step # 3: Remove Your IP From /usr/share/denyhosts/data Directory

Change to the /usr/share/denyhosts/data directory:
# cd /usr/share/denyhosts/data
Edit each of the following files with vi and remove the lines containing the IP address, then save the file:

  1. hosts
  2. hosts-restricted
  3. hosts-root
  4. hosts-valid
  5. users-hosts

If you have a static IP address, add it to the allowed-hosts file. Any IP address that appears in this file will not be blocked (consider this a whitelist):
# echo '1.2.3.4' >> allowed-hosts

Step # 4: Start DenyHosts

# /etc/init.d/denyhosts start
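The four steps above as one reusable routine, added here as an example (not the article's or the DenyHosts project's code): it drops only lines in which a whitespace- or colon-separated token equals the IP exactly, so unlike a plain grep -v 1.2.3.4, whose dots match any character, it cannot also remove 1.2.3.45 or 11.2.3.4, and it keeps a timestamped backup of every file it rewrites. It assumes the article's paths (/etc/hosts.deny, /usr/share/denyhosts/data, /etc/init.d/denyhosts); the DENYHOSTS_DATA variable and the function names are my own.

```shell
#!/bin/sh
# Added example, not the article's code. A line is removed only when one of
# its whitespace/colon-separated tokens equals the IP, so "grep -v 1.2.3.4"
# style collateral removal of 1.2.3.45 or 11.2.3.4 cannot happen.
# Paths are the article's; DENYHOSTS_DATA is an assumed override.
DENYHOSTS_DATA=${DENYHOSTS_DATA:-/usr/share/denyhosts/data}

# awk fragment: hit=1 when any token on the line equals the ip variable
AWK_MATCH='{ hit = 0; n = split($0, tok, /[ \t:]+/)
             for (i = 1; i <= n; i++) if (tok[i] == ip) hit = 1 }'

# Number of lines in file $2 that refer to IP $1 (exact token match).
ip_line_count() {
    awk -v ip="$1" "$AWK_MATCH"' hit { c++ } END { print c + 0 }' "$2"
}

# File $2 minus the lines that refer to IP $1, on stdout.
lines_without_ip() {
    awk -v ip="$1" "$AWK_MATCH"' !hit { print }' "$2"
}

# Rewrite file $2 in place without IP $1, keeping a timestamped backup.
# Prints the number of lines removed (0 when the file is absent or clean).
strip_ip_from_file() {
    ip=$1; f=$2
    [ -f "$f" ] || { echo 0; return 0; }
    n=$(ip_line_count "$ip" "$f")
    if [ "$n" -gt 0 ]; then
        bak="$f.bak.$(date +%Y%m%d-%H%M%S)"
        cp -p "$f" "$bak"
        lines_without_ip "$ip" "$bak" > "$f"   # same inode, perms kept
    fi
    echo "$n"
}

# Steps 1-4: stop, scrub hosts.deny and the data files, whitelist, start.
# Run as root: unblock_ip 1.2.3.4
unblock_ip() {
    ip=$1
    /etc/init.d/denyhosts stop
    strip_ip_from_file "$ip" /etc/hosts.deny
    for name in hosts hosts-restricted hosts-root hosts-valid users-hosts; do
        strip_ip_from_file "$ip" "$DENYHOSTS_DATA/$name"
    done
    grep -qxF -- "$ip" "$DENYHOSTS_DATA/allowed-hosts" 2>/dev/null ||
        echo "$ip" >> "$DENYHOSTS_DATA/allowed-hosts"
    /etc/init.d/denyhosts start
}
```

The helper functions can be tried on copies of the files first; only unblock_ip touches the live paths and the service.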

Recommended Readings:

  1. Debian Linux Stop SSH User Hacking / Cracking Attacks with DenyHosts Software
  2. Top 20 OpenSSH Server Best Security Practices
  3. Denyhosts project


1 excalibur August 18, 2009

BTW, /etc/init.d/denyhosts does not seem to exist in CentOS 5.3. Not sure why, even though this post is for RH already.

Reply

2 Vivek Gite August 18, 2009

@excalibur,

I’ve tested this with RPM installed from dag’s repo.

Reply

3 excalibur August 18, 2009

@vivek,

Oh, that explains. I haven’t installed any RPM’s :)
Thanks.

Reply

4 excalibur August 18, 2009

@vivek,

Moreover, I’ve always counted on IPtables & CSF for blocking hosts, guess they are less hassle than hostsallow/deny in a way.

Reply

5 michael December 7, 2009

Nice. I use a custom script for this though.

It is actually really simple:
HOST=192.x.x.x
service denyhosts stop
mv /etc/hosts.deny /tmp
cd /var/lib/denyhosts
# rename each data file and rewrite it without the host
for i in *; do mv "$i" "$i.old"; grep -v "$HOST" "$i.old" >> "$i"; done
grep -v "$HOST" /tmp/hosts.deny >> /etc/hosts.deny
service denyhosts start

Reply

6 michael December 7, 2009

Nice. I use a custom script for this though.

It is actually really simple:
HOST=192.x.x.x
service denyhosts stop
mv /etc/hosts.deny /tmp
cd /var/lib/denyhosts
# rename each data file and rewrite it without the host
for i in *; do mv "$i" "$i.old"; grep -v "$HOST" "$i.old" >> "$i"; done
grep -v "$HOST" /tmp/hosts.deny >> /etc/hosts.deny
# clean up the renamed copies
rm -f *.old
service denyhosts start

Reply

7 vita December 9, 2011

The above script has some errors.
1. Instead of mv *.old it should be rm *.old.
2. Take care of the quotation marks “” in copy and paste.

The problem is in “$HOST” -> "$HOST"

Reply

8 thefixer December 7, 2010

This doesn't work, it still keeps adding my IP to the hosts.deny even though I followed your instructions.

Reply

9 Danny @ Polonious September 27, 2011

Here is the script to allow the IP; it's based on the above article and should work on CentOS/RedHat.

#!/bin/sh
# Usage: allow-ip.sh <ip>  (run as root)
set -o nounset
if [ $# -ne 1 ]; then
    echo "please input an allowed ip address"
    exit 1
fi
allowedHost=$1
echo "stop denyhosts"
service denyhosts stop
currentTime=$(date +%Y-%m-%d-%H%M)
echo "delete existing entries in blacklist"
# keep a timestamped copy of each file before rewriting it without the IP
if [ -n "$(grep "$allowedHost" /etc/hosts.deny)" ]; then
    mv /etc/hosts.deny /etc/hosts.deny.bak.${currentTime}
    grep -v "${allowedHost}" /etc/hosts.deny.bak.${currentTime} > /etc/hosts.deny
fi
cd /usr/share/denyhosts/data
for f in hosts* users-hosts; do
    if [ -n "$(grep "$allowedHost" "$f")" ]; then
        mv "${f}" "${f}.bak.${currentTime}"
        grep -v "${allowedHost}" "${f}.bak.${currentTime}" > "${f}"
    fi
done
echo "add allowed ip in whitelist"
# tcp_wrappers whitelist (/etc/hosts.allow) and the DenyHosts one (allowed-hosts)
if [ -z "$(grep "$allowedHost" /etc/hosts.allow)" ]; then
    echo "sshd: ${allowedHost}" >> /etc/hosts.allow
fi
if [ -z "$(grep "$allowedHost" allowed-hosts)" ]; then
    echo "${allowedHost}" >> allowed-hosts
fi
service denyhosts start
exit 0

Reply
