How to install denyhosts on Ubuntu Linux 16.04 LTS ( intrusion prevention security tool )

Author: Last updated: February 12, 2017 6 comments
I host my blog in cloud server, and I set up ssh to manage my Ubuntu Linux 16.04 LTS server. However, I noticed lots of break in and brute-force attacks on my ssh server? How can I stop hacking attempts into my system?

You need to use DenyHosts which is a log-based intrusion prevention security tool for SSH servers written in Python. It is designed to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses using /etc/hosts.deny and iptables on Linux server. In this tutorial, you will learn how to install DenyHosts a python program that automatically blocks ssh attacks by adding entries to /etc/hosts.deny file.

ADVERTISEMENTS

Step 1 – Install denyhosts

Type the following apt-get command or apt command to install denyhosts on a Ubuntu Linux:
$ sudo apt-get install denyhosts
OR
$ sudo apt install denyhosts
Sample outputs:

Fig.01: How To Install DenyHosts On Ubuntu or Debian Linux Server

Fig.01: How To Install DenyHosts On Ubuntu or Debian Linux Server

Step 2 – White list your own IP address

Edit the /etc/hosts.allow file, and add your client IP address. This ensures that you are not blocked accidentally:
$ sudo vi /etc/hosts.allow
The syntax is as follows:

sshd: whitelist-ip1, whitelist-ip2, ...., whitelist-ipN

For example, white list 202.54.1.1 and 203.54.2.3, enter:

sshd: 202.54.1.1 , 203.54.2.3

Save and close the file.

Step 3 – Configure denyhosts using /etc/denyhosts.conf

In a Debian or Ubuntu Linux based system, the default running mode is daemon mode and the configuration file is /etc/denyhosts.conf:
$ sudo vi /etc/denyhosts.conf
Make sure SECURE_LOG set as follows:

SECURE_LOG = /var/log/auth.log

HOSTS_DENY set as follows:

HOSTS_DENY = /etc/hosts.deny

To block only sshd:

BLOCK_SERVICE  = sshd

Set deny threshold limit for login attempts:

DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1

To block incoming connections using the Linux firewall IPTABLES:

IPTABLES = /sbin/iptables

Save and close the file.

Restart the denyhosts service

Type the following command on Ubuntu Linux 16.04 LTS or newer:
$ sudo systemctl restart denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, enter:
$ sudo /etc/init.d/denyhosts restart

Enable the denyhosts service on Ubuntu Linux 16.04 LTS on boot time

Type the following command:
$ sudo systemctl enable denyhosts.service
Sample outputs:

Synchronizing state of denyhosts.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install enable denyhosts

Step 4 – Watch for /var/log/denyhosts log file for errors

Type the following grep command:
$ sudo grep 'something' /var/log/denyhosts
OR tail command:
$ sudo tail -f /var/log/denyhosts
Sample outputs:

2017-02-10 18:23:37,811 - denyhosts   : INFO     restricted: set([])
2017-02-10 18:23:37,812 - AllowedHosts: WARNING  Couldn't load warned hosts from /var/lib/denyhosts/allowed-warned-hosts
2017-02-10 18:23:37,812 - denyhosts   : INFO     launching DenyHosts daemon (version 2.10)...
2017-02-10 18:23:37,813 - denyhosts   : INFO     DenyHost daemon is now running, pid: 25774
2017-02-10 18:23:37,813 - denyhosts   : INFO     send daemon process a TERM signal to terminate cleanly
2017-02-10 18:23:37,813 - denyhosts   : INFO       eg.  kill -TERM 25774
2017-02-10 18:23:37,814 - denyhosts   : INFO     monitoring log: /var/log/auth.log
2017-02-10 18:23:37,814 - denyhosts   : INFO     sync_time: 3600
2017-02-10 18:23:37,814 - denyhosts   : INFO     purging of /etc/hosts.deny is disabled
2017-02-10 18:23:37,814 - denyhosts   : INFO     denyhost synchronization disabled

Step 5 – How to see a list of blocked hosts

Type the following cat command:
$ sudo cat /etc/hosts.deny
Sample outputs:

Fig.02: How to see a list of IP address blocked by DenyHosts on Linux or Unix

Fig.02: How to see a list of IP address blocked by DenyHosts on Linux or Unix

Please note that the DenyHosts is restricted to connections using IPv4. It does not work with IPv6 based IP address. Another option is to use the iptables command to see blocked IP address:
$ sudo iptables -L INPUT -n -v
$ sudo iptables -L INPUT -n -v | more
$ sudo iptables -L INPUT -n -v | grep DROP
Sample outputs:

Chain INPUT (policy DROP 526 packets, 103K bytes)
    0     0 DROP       all  --  *      *       193.201.224.199      0.0.0.0/0           
   24  1272 DROP       all  --  *      *       75.146.185.254       0.0.0.0/0           
    0     0 DROP       all  --  *      *       78.56.6.211          0.0.0.0/0           
   80  4744 DROP       all  --  *      *       60.250.157.222       0.0.0.0/0           
 2342  122K DROP       all  --  *      *       123.30.37.44         0.0.0.0/0           
    0     0 DROP       all  --  *      *       163.172.87.229       0.0.0.0/0

How do I enable centralized synchronization support?

The DenyHosts version 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site xmlrpc.denyhosts.net gathers statistics from computers running the software. Synchronization disabled by default. To enable synchronization, enter:
$ sudo vi /etc/denyhosts.conf
Set config option as follows:

SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

Save and close the file. Type the following command on Ubuntu Linux 16.04 LTS or newer to restart the service:
$ sudo systemctl restart denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, type the following command to restart the service:
$ sudo /etc/init.d/denyhosts restart

How do I start denyhosts service?

Type the following command on Ubuntu Linux 16.04 LTS or newer to start the service:
$ sudo systemctl start denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, type the following command to start the service:
$ sudo /etc/init.d/denyhosts start

How do I stop denyhosts service?

Type the following command on Ubuntu Linux 16.04 LTS or newer to stop the service:
$ sudo systemctl stop denyhosts.service
For older Ubuntu / Debian Linux / Non-systemd based system, type the following command to stop the service:
$ sudo /etc/init.d/denyhosts stop

Other suggestions to secure OpenSSH server

  1. Disable root login
  2. Disable password based login
  3. Use ssh-keybased login
  4. See “Top 20 OpenSSH Server Best Security Practices” for more information.

For more information see denyhosts project home page.

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
6 comments… add one
  • Sagamir Feb 12, 2017 @ 11:08

    I use fail2ban – are there any advantages of using denyhosts?

    Reply Link
    • Jnior Garcia Feb 13, 2017 @ 1:21

      Good point…

      Reply Link
  • Dirar Feb 12, 2017 @ 11:30

    Why not use CSF? It’s a complete solution and works for everything, not just SSH

    Reply Link
  • Julien Turbide Feb 12, 2017 @ 16:31

    I like to install ConfigServer Security & Firewall (csf)
    https://configserver.com/cp/csf.html

    Reply Link
  • Izad Feb 13, 2017 @ 11:38

    I use fail2ban – does the job well. Looks to me it is more easy and straight-forward than denyhosts.

    Reply Link
    • Winston Sorfleet Feb 13, 2017 @ 17:09

      Agree on fail2ban, and I am not keen on the denyhosts solution of dynamically changing contents under /etc.

      Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: