Some useful information about DenyHosts as packaged by Fedora Extras
--------------------------------------------------------------------
Syslog
------
DenyHosts parses sshd's authentication failures out of the syslog output in
/var/log/secure, so a syslog daemon must be configured and running before it
has anything to work with. Fedora has several syslog daemons, but if you have
no preference, then:
yum install rsyslog
systemctl enable rsyslog
systemctl start rsyslog
should get you going with the default configuration of both rsyslog and
denyhosts, which work together out of the box. (In some situations it may be
necessary to wait a bit and then restart rsyslog before ssh failures start
appearing in /var/log/secure; if that file stays empty while logins are being
refused, the syslog side is the first thing to check.)
If you decide to use another syslog daemon, it must still write sshd's messages
to the log file denyhosts reads (/var/log/secure by default); remember to
adjust the rest of the examples in this document accordingly.
Starting and Stopping
---------------------
Denyhosts installs and runs as a regular service, so you can start it with:
systemctl start denyhosts
and enable it at boot time with:
systemctl enable denyhosts
By default denyhosts runs continuously as a daemon, waking up to process your
logs every thirty seconds (the DAEMON_SLEEP setting in /etc/denyhosts.conf).
Alternatively you can have it run periodically via cron. To do so, first make
sure the daemon is stopped and disabled, so that two copies never process the
same log at once:
systemctl stop denyhosts
systemctl disable denyhosts
Then edit /etc/cron.d/denyhosts, uncomment the appropriate lines and adjust the
interval at which it runs to your choosing. You can see a description of the
file format by running:
man 5 crontab
By default, DenyHosts purges old block entries, but only after four weeks. If
you wish to adjust this, edit /etc/denyhosts.conf and look for "PURGE_DENY".
Note that the daemon purges on its own schedule; when DenyHosts is run from
cron instead, make sure the cron command line includes --purge, otherwise
expired entries are never removed.
DenyHosts only ever reads your current logfile (/var/log/secure); logs that
logrotate has already rotated away are not picked up automatically. If you want
to incorporate an old logfile (in this example, /var/log/secure-20120101), you
can run
denyhosts.py -c /etc/denyhosts.conf /var/log/secure-20120101
DenyHosts can also handle logs compressed with gzip or bzip2, so rotated .gz
and .bz2 files can be passed in as they are.
Sync
----
Denyhosts can communicate with a remote server to exchange information about
blocked hosts: it uploads the hosts you have denied and downloads hosts reported
by others. This functionality is disabled by default, as the non-free upstream
sync server appears to be non-functional most or all of the time. Bear in mind
that enabling it means publishing your own block list and trusting whatever the
server sends back.
The Firewall
------------
In this release, denyhosts blocks ssh attempts by adding entries to the
/etc/hosts.deny file, which only affects services that consult tcp_wrappers.
It can instead be configured to use iptables to modify the firewall, which
blocks the address at the packet level regardless of how sshd was built.
Upstream OpenSSH has dropped support for hosts.deny and the tcp_wrappers
mechanism, so once Fedora's sshd no longer honours hosts.deny the firewall
method will be mandatory; existing configurations will not be updated
automatically. You can switch by editing /etc/denyhosts.conf and uncommenting
the IPTABLES line.
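To confirm which backend actually holds a block for a given address (for
instance after switching to IPTABLES, or after a reboot), the following check
script can be used. It is an added example for this README, not part of the
DenyHosts package. It assumes the tcp_wrappers "daemon_list : client_list" line
form that DenyHosts writes into /etc/hosts.deny (for instance "sshd: 192.0.2.10")
and, for the firewall case, a rule carrying the address as source in the INPUT
chain as listed by iptables -S INPUT:

```shell
#!/bin/sh
# is-denied.sh: report whether an address is currently blocked by DenyHosts,
# via /etc/hosts.deny and/or via iptables.  Added example for this README, not
# part of DenyHosts.  Assumes hosts.deny lines in tcp_wrappers form
# ("sshd: 192.0.2.10", "ALL: 198.51.100.7, ...") and, with IPTABLES enabled,
# a rule for the address in the INPUT chain ("-A INPUT -s 192.0.2.10/32 ... -j DROP").
set -e

# Return 0 if $1 appears as a whole client entry (not as a prefix of another
# address) in hosts.deny file $2 (default /etc/hosts.deny), 1 otherwise.
denied_in_hosts_deny() {
    ip=$1
    file=${2:-/etc/hosts.deny}
    # Escape dots so they match literally, strip comments, then require the
    # address to be delimited by whitespace, a comma or end of line inside the
    # client list (everything after the first colon).
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
    sed 's/#.*//' "$file" | grep -Eq "^[^:]+:(.*[[:space:],])?$pat([[:space:],]|\$)"
}

# Return 0 if a rule with source $1 exists in the INPUT chain, 1 if not, and
# 2 if iptables is unavailable or cannot be queried (e.g. not running as root).
denied_in_iptables() {
    rules=$(iptables -S INPUT 2>/dev/null) || return 2
    printf '%s\n' "$rules" | grep -qF -- "-s $1/32 "
}

# Print a one-line verdict per backend for address $1 (optional hosts.deny $2).
report() {
    if denied_in_hosts_deny "$1" "${2:-/etc/hosts.deny}"; then
        echo "$1: blocked in hosts.deny"
    else
        echo "$1: not in hosts.deny"
    fi
    denied_in_iptables "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: blocked in iptables" ;;
        1) echo "$1: no iptables rule" ;;
        *) echo "$1: iptables not queryable (run as root?)" ;;
    esac
}

[ $# -eq 0 ] || report "$@"          # usage: is-denied.sh 192.0.2.10 [hosts.deny]
```

Run it as root if you want the iptables half to mean anything; unprivileged,
iptables refuses to list the chain and the script says so rather than reporting
"no rule". A host that shows up in neither place after a reboot is a hint that
only the runtime firewall rule held the block.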
DNS Lookups
-----------
Enabling the ALLOWED_HOSTS_HOSTNAME_LOOKUP option makes denyhosts perform a
DNS lookup for each host specified in the allowed-hosts file. If DNS lookups
are slow and a large number of hosts are specified (perhaps by a pattern match
that expands to many addresses), the startup time of denyhosts may increase
significantly. By default the denyhosts unit file specifies that it is to be
started before sshd, so startup of sshd, and of anything that depends upon it,
is delayed by the same amount.
If you need ALLOWED_HOSTS_HOSTNAME_LOOKUP, specify a large number of hosts,
have slow DNS, and are having issues with sshd not coming up sufficiently
quickly, consider copying the denyhosts unit file from /lib/systemd/system to
/etc/systemd/system (systemd prefers the copy in /etc) and editing the copy to
remove the "Before=sshd.service" line, then running systemctl daemon-reload.
This, however, opens a window between sshd coming up and the denyhosts service
startup completing during which new ssh probes are not blocked.
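Before deciding, you can measure what the lookups would cost by resolving the
same addresses up front. The script below is an added example for this README,
not part of DenyHosts. It assumes the allowed-hosts file lives at
/var/lib/denyhosts/allowed-hosts (override with ALLOWED=...), that lines
starting with "#" are comments, and that a trailing "*" in an address
(192.0.2.*) stands for all 256 hosts of that /24, which is what turns a single
pattern line into hundreds of lookups. Each address is reverse-resolved with
getent, which goes through the same resolver libraries as denyhosts, and the
total wall-clock time is reported:

```shell
#!/bin/sh
# allowed-hosts-lookup-cost.sh: estimate the startup delay that
# ALLOWED_HOSTS_HOSTNAME_LOOKUP would add by reverse-resolving every address
# in allowed-hosts now.  Added example for this README, not part of DenyHosts.
# Assumptions: one entry per line, '#' starts a comment, and a trailing "*"
# (e.g. 192.0.2.*) stands for all 256 addresses of that /24.
set -e

ALLOWED=${ALLOWED:-/var/lib/denyhosts/allowed-hosts}   # assumed WORK_DIR location

# Print every address DenyHosts would have to look up, one per line, with
# comments and blank lines dropped and "*" patterns expanded.
expand_allowed_hosts() {
    file=$1
    sed 's/#.*//' "$file" | while IFS= read -r line; do
        # shellcheck disable=SC2086
        set -- $line                 # trims surrounding whitespace
        [ $# -gt 0 ] || continue
        case $1 in
            *.\*)
                prefix=${1%\*}
                i=0
                while [ "$i" -le 255 ]; do
                    printf '%s%s\n' "$prefix" "$i"
                    i=$((i + 1))
                done
                ;;
            *)
                printf '%s\n' "$1"
                ;;
        esac
    done
}

# Count the lookups and time them.  A missing reverse record still costs a
# round trip (or a timeout), which is exactly what we want to measure.
lookup_cost() {
    n=$(expand_allowed_hosts "$1" | wc -l | tr -d ' ')
    start=$(date +%s)
    expand_allowed_hosts "$1" | while IFS= read -r addr; do
        getent hosts "$addr" >/dev/null 2>&1 || true
    done
    end=$(date +%s)
    echo "$n lookups took $((end - start)) seconds"
}

[ $# -eq 0 ] && set -- "$ALLOWED"
[ -r "$1" ] && lookup_cost "$1" || echo "usage: $0 [allowed-hosts-file]" >&2
```

If the reported time is anywhere near the service start timeout, or simply
longer than you are willing to have sshd wait, either trim the patterns in
allowed-hosts or drop the Before=sshd.service ordering as described above.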
Huge Log Files
--------------
If your /var/log/secure file is extremely large, it may take denyhosts some
time to process it at startup, long enough for systemd to decide that it isn't
going to start properly and to mark the service as failed. The simplest way to
deal with this is to move /var/log/secure out of the way and have rsyslog open
a fresh one:
cd /var/log
mv secure secure-save
systemctl restart rsyslog
(rsyslog keeps writing to the renamed file until it is restarted, so do not
skip the restart.) Then start denyhosts and process /var/log/secure-save
manually as indicated above.
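The manual replay described under Starting and Stopping and the processing of
/var/log/secure-save above can be scripted. The following is an added example
for this README, not part of the DenyHosts package. It assumes logrotate's
dateext naming (secure-YYYYMMDD with an optional .gz or .bz2 suffix) and the
denyhosts.py invocation shown earlier; it hands each file to DenyHosts in
chronological order, oldest rotation first and any explicitly named file (such
as secure-save, which is newer than every rotation) last:

```shell
#!/bin/sh
# replay-secure-logs.sh: feed rotated or set-aside /var/log/secure files to
# DenyHosts in chronological order.  Added example for this README, not part
# of the DenyHosts package.  Assumes logrotate's dateext naming
# (secure-YYYYMMDD, optionally .gz/.bz2); DenyHosts reads compressed files
# directly, so they are passed through unchanged.
set -e

CONF=${CONF:-/etc/denyhosts.conf}
# Command used to process one file; override it (e.g. DENYHOSTS=true) to
# dry-run on a machine where DenyHosts is not installed.
DENYHOSTS=${DENYHOSTS:-denyhosts.py}

# Print the rotated secure logs under directory $1, oldest first.  With dateext
# names the date sorts chronologically as plain text.  The current "secure"
# file and anything else (secure-save, secure.1) is deliberately not matched.
rotated_secure_logs() {
    for f in "$1"/secure-[0-9]*; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done | LC_ALL=C sort
}

# Hand one file to DenyHosts, exactly as the README's manual command does.
replay_log() {
    printf 'processing %s\n' "$1"
    $DENYHOSTS -c "$CONF" "$1"
}

# Replay every rotated log under directory $1, then any further files named on
# the command line (e.g. /var/log/secure-save).
replay_all() {
    dir=$1
    shift
    rotated_secure_logs "$dir" | while IFS= read -r f; do
        replay_log "$f"
    done
    for f in "$@"; do
        replay_log "$f"
    done
}

if [ $# -gt 0 ]; then
    replay_all "$@"      # usage: replay-secure-logs.sh /var/log [/var/log/secure-save]
else
    echo "usage: $0 LOGDIR [FILE...]" >&2
fi
```

If your logrotate configuration uses numeric suffixes instead (secure.1,
secure.2.gz), the name order is reversed relative to time and the listing
function would have to sort by modification time instead; the rest is
unchanged. Run it while the denyhosts daemon is stopped so the two do not
write hosts.deny at the same time.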