I've noticed lots of failed login attempts for my Debian Linux VPS root server account. How do I stop automated bot-based SSH attacks on my server?

You can use DenyHosts – a Python-based script that analyzes the sshd server log messages to determine which hosts are attempting to hack into your system. It is a utility to help sysadmins thwart SSH crackers. It also determines which user accounts are being targeted and keeps track of the frequency of attempts from each host. It automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
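To illustrate the log analysis described above, the following Python 3 code counts failed sshd logins per source address and per targeted user, then builds /etc/hosts.deny lines for repeat offenders. It is an added example, not DenyHosts' own code; the sample log lines, the threshold of 3 and the allowlisted network are constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the Debian /var/log/auth.log style (RFC 5737 addresses).
SAMPLE_LOG = """\
Feb 13 06:10:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb 13 06:10:03 vps sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Feb 13 06:10:05 vps sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Feb 13 06:11:40 vps sshd[2110]: Failed password for invalid user test from 198.51.100.23 port 51514 ssh2
Feb 13 06:12:02 vps sshd[2113]: Failed password for vivek from 192.0.2.10 port 50022 ssh2
Feb 13 06:12:04 vps sshd[2113]: Failed password for vivek from 192.0.2.10 port 50022 ssh2
Feb 13 06:12:06 vps sshd[2113]: Failed password for vivek from 192.0.2.10 port 50022 ssh2
Feb 13 06:12:09 vps sshd[2113]: Accepted password for vivek from 192.0.2.10 port 50022 ssh2
"""

# Match on the message text rather than a column number: "invalid user" adds
# two words, so the address moves. The user name is text chosen by the remote
# side, so the pattern is anchored at the end of the line and takes the
# address from the final "from ... port ... ssh2".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")

def failed_logins(log_text):
    """Return (attempts per source IP, attempts per targeted user)."""
    hosts, users = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue  # not an IP literal; never write it to hosts.deny
        hosts[ip] += 1
        users[m.group(1)] += 1
    return hosts, users

def deny_entries(hosts, threshold, allow_networks):
    """hosts.deny lines for sources at or over the threshold, skipping any
    address inside an allowlisted network."""
    allowed = [ipaddress.ip_network(n) for n in allow_networks]
    return [f"sshd: {ip}" for ip, count in sorted(hosts.items())
            if count >= threshold
            and not any(ipaddress.ip_address(ip) in net for net in allowed)]

if __name__ == "__main__":
    hosts, users = failed_logins(SAMPLE_LOG)
    print(users.most_common())
    # threshold=3 and the allowlisted /24 are assumed values for this example
    print("\n".join(deny_entries(hosts, 3, ["192.0.2.0/24"])))
```

The allowlist check mirrors the role of /etc/hosts.allow: an administrator who mistypes a password three times from an allowlisted network is counted but never written to the deny list.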

Step # 1: Make Sure Python is installed

First, make sure python is installed under Debian / Ubuntu Linux:
# dpkg --list | grep python2
Find out the version (DenyHosts requires version 2.3 or above):
$ python -V
Python 2.5.1

Step # 2: Download DenyHosts

Visit the official project home page to grab the latest source code or packages. Under Debian / Ubuntu Linux, use the apt-get command:
$ sudo apt-get install denyhosts

DenyHosts configuration – /etc/denyhosts.conf

  1. The default configuration file is /etc/denyhosts.conf.
  2. You also need to create / update a whitelist in /etc/hosts.allow. For example, if you have a static IP assigned by your ISP, enter it in this file. You can add all the important hosts that you never want blocked.

Step # 1: Set up a whitelist

Open /etc/hosts.allow:
# vi /etc/hosts.allow
Allow sshd from i.e. you never want to block yourself
Save and close the file. Run tcpdchk, which examines your TCP wrapper configuration and reports all potential and real problems:
# tcpdchk -v

Step # 2: Configure DenyHosts

Open default configuration file – /etc/denyhosts.conf, enter:
# vi /etc/denyhosts.conf
Set up your email ID so that you receive emails regarding newly restricted hosts and suspicious logins; set this address to match your email address:
ADMIN_EMAIL = vivek@nixcraft.com
Save and close the file. Here is my own sample configuration file for a Debian Linux 4.0 server (the config file is documented very well; just open and read it):

############ THESE SETTINGS ARE REQUIRED ############
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
WORK_DIR = /var/lib/denyhosts
LOCK_FILE = /var/run/denyhosts.pid
############ THESE SETTINGS ARE OPTIONAL ############
ADMIN_EMAIL = vivek@nixcraft.org
SMTP_HOST = localhost
SMTP_FROM = DenyHosts <webmaster@cyberciti.com>
SMTP_SUBJECT = DenyHosts Report
DAEMON_LOG = /var/log/denyhosts

Restart the daemon:
# /etc/init.d/denyhosts restart

11 comments
  • kunal Feb 13, 2008 @ 6:10

    Locking out IP’s after multiple failed sshd login attempts

    The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute – any more than that will be dropped:

    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

  • NoPremium.org Apr 13, 2008 @ 17:43

    thanks a lot

  • LQman Apr 19, 2008 @ 22:08


    You may need to install the fail2ban package.
    It’s a simple script that works like your description above.

    • Yarg Feb 24, 2012 @ 5:07

      Like LQman says
      apt-get install fail2ban
      By default it automatically bans IPs after 6 failed login attempts within 5 min for 5 min. If you use “PermitRootLogin no” for your ssh server there is little chance of anybody guessing both username & password. It also works for any other connection and has default configs for most services.

  • budacsik Sep 21, 2008 @ 11:31

    sshdfilter is also good :)
    It uses iptables.

  • Mehdi Jul 28, 2009 @ 10:54

    Thanks a lot for the info.
    You’d be surprised if you looked at /var/log/auth.log file as I was.

    I found a little widget that you can run to grep the IP addresses of intruders;
    grep 'from' /var/log/auth.log|cut -d ' ' --field=13|sort|uniq -c|sort -nr > ct-result.txt

    Here I put the result from the 13th column into a text file called ct-result.txt.
    You can see most of the IP addresses which were trying to break in.
    Sometimes it is the 14th column, so I have not found a perfect way to grab all the IP addresses yet; if anyone has a better idea, please post.

    In any case I also get the result and put them in my hosts.deny file under /etc/
    (again I have a problem as to how to input these IP addresses in the hosts.deny file; some say you have to put a slash at the end of the IP addresses? Not sure?)
    (these are actual Chinese addresses trying to hack my system lol) :D
    Many thanks for the info.
    I am going to test the DenyHosts program on my workstation now.

  • Al B.. Jan 27, 2010 @ 14:48

    I did the same thing as Mehdi using a cron.hourly\perl script…. then I used UFW to deny the host IP. I wish I knew about this article earlier….

  • rohit Aug 12, 2010 @ 3:00

    But I can’t get that.

  • Tapas Mishra Oct 21, 2010 @ 15:06

    Well the above command
    tcpdchk -v gives me an error

    Cannot find your inetd.conf or tlid.conf file.
    Please specify its location.

  • Sam Tuke May 27, 2011 @ 14:17

    For the rest of us whose ISPs allocate dynamic IP ranges, to ensure that you yourself never get blocked by denyhosts define IP ranges in hosts.allow like this:


    Also remember that if you use key authentication to login rather than passwords then you are unlikely to ever supply incorrect details, and therefore should not be at risk of ever blocking yourself, even if you don’t specify your IP in hosts.allow.

  • Robert May 7, 2013 @ 8:46

    Well, what if your own IP address is dynamic? Then the entire DenyHosts becomes a piece of useless garbage?
