README.fedora
Some useful information about DenyHosts as packaged by Fedora Extras
--------------------------------------------------------------------

Syslog
------

DenyHosts requires a syslog daemon to be configured and running in order
to produce parseable log output. Fedora has several syslog daemons, but
if you have no preference, then:

    yum install rsyslog
    systemctl enable rsyslog
    systemctl start rsyslog

should get you going with the default configuration of both rsyslog and
DenyHosts, which work together out of the box. (It may in some situations
be necessary to wait a bit and then restart rsyslog in order to get it to
start logging ssh failures to /var/log/secure.)

If you decide to use another syslog daemon, please remember to adjust the
rest of the examples in this document accordingly.

Starting and Stopping
---------------------

DenyHosts installs and runs as a regular service, so you can start it
with:

    systemctl start denyhosts

and enable it at boot time with:

    systemctl enable denyhosts

By default DenyHosts runs continuously, waking up to process your logs
every thirty seconds. However, you can choose to have it run
periodically via cron instead. To do so, make sure the daemon is stopped
and disabled:

    systemctl stop denyhosts
    systemctl disable denyhosts

Then edit /etc/cron.d/denyhosts, uncomment the appropriate lines and
adjust the interval at which it runs to your choosing. You can see a
description of the file format by running:

    man 5 crontab

By default, DenyHosts is set up to purge old block entries, but only
after four weeks. If you wish to adjust this, edit /etc/denyhosts.conf
and look for "PURGE_DENY".

DenyHosts will process only your current logfile (/var/log/secure). If
you want to incorporate an old logfile (in this example,
/var/log/secure-20120101), you can run:

    denyhosts.py -c /etc/denyhosts.conf /var/log/secure-20120101

DenyHosts can also handle logs compressed with gzip or bzip2, so rotated
logs do not need to be decompressed first.
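The Syslog section above only works if sshd's authentication failures are actually reaching the file DenyHosts reads. The following is an added example (not part of the Fedora README or of DenyHosts itself) that checks for that and summarises the failures per source address, which is also a quick way to see what DenyHosts is about to act on. The sample log lines are constructed in the format rsyslog writes to /var/log/secure; pass a real path as the first argument to run it against a live system.

```shell
#!/bin/sh
# Added example, not from the Fedora README or DenyHosts: confirm that sshd
# failures are landing in the syslog file DenyHosts watches, and show which
# source addresses are producing them.

# Summarise "Failed password" lines per client IP.
# $1: path to a syslog-format sshd log (e.g. /var/log/secure)
# Output: "<count> <ip>" per address, highest count first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+]: Failed password/ {
            # sshd writes "... from <ip> port <n> ssh2"; take the word after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Exit 0 if at least one sshd failure has been logged in $1, else 1.
# An empty result right after enabling rsyslog usually means it is not (yet)
# writing sshd messages to this file; the README suggests waiting and
# restarting rsyslog in that case.
sshd_failures_present() {
    grep -q 'sshd\[[0-9]*]: Failed password' "$1"
}

# Constructed sample in the format rsyslog writes to /var/log/secure.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan  1 10:00:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jan  1 10:00:05 host sshd[1240]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan  1 10:00:07 host sshd[1241]: Accepted publickey for alice from 192.0.2.10 port 22222 ssh2
Jan  1 10:00:09 host sshd[1242]: Failed password for root from 203.0.113.5 port 51004 ssh2
EOF

# Use the real log if one was given, otherwise the constructed sample.
LOGFILE=${1:-$SAMPLE_LOG}
if sshd_failures_present "$LOGFILE"; then
    failed_logins_by_ip "$LOGFILE"
else
    echo "no sshd failures found in $LOGFILE; is rsyslog logging to it?" >&2
fi
rm -f "$SAMPLE_LOG"
```

On the constructed sample this prints "3 203.0.113.5" followed by "1 198.51.100.7"; the accepted publickey line is ignored. Run it as "sh check-secure.sh /var/log/secure" on a real host (as root, since /var/log/secure is not world-readable).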
Sync
----

DenyHosts can communicate with a remote server to exchange information
about blocked hosts. This functionality is disabled by default, as it
appears that the non-free upstream sync server is non-functional most
or all of the time.

The Firewall
------------

In this release, DenyHosts is configured to block ssh attempts using the
/etc/hosts.deny file. It can instead be configured to use iptables to
modify the firewall. In the future, sshd will drop support for
hosts.deny and the tcp_wrappers mechanism, at which point use of the
firewall will be mandatory; existing configurations will not be updated
automatically. You can switch by editing /etc/denyhosts.conf and
uncommenting the IPTABLES line.

DNS Lookups
-----------

Enabling the ALLOWED_HOSTS_HOSTNAME_LOOKUP option forces DenyHosts to
perform a DNS lookup for each host specified in the allowed-hosts file.
If DNS lookups are slow and a large number of hosts are specified
(perhaps by a pattern match), then the startup time of DenyHosts may be
increased significantly. By default the denyhosts unit file specifies
that it should be started before sshd; this implies that startup of
sshd, and of anything that depends upon it, may also be delayed
significantly.

If you need ALLOWED_HOSTS_HOSTNAME_LOOKUP, you specify a large number of
hosts, your DNS is slow, and you are having issues with sshd not coming
up sufficiently quickly, consider copying the denyhosts.service file
from /lib/systemd/system to /etc/systemd/system and editing that copy to
remove the "Before=sshd.service" line (run "systemctl daemon-reload"
afterwards so systemd picks up the change). This, however, opens an
interval during which ssh probes will not be blocked until the denyhosts
service startup completes.

Huge Log Files
--------------

If your /var/log/secure file is extremely large, it may take DenyHosts
some time to process it at startup. This may cause systemd to decide
that it isn't going to start properly and to mark the service as failed.
The simplest way to deal with this is to move /var/log/secure out of the
way and make rsyslog open a fresh file:

    cd /var/log
    mv secure secure-save
    systemctl restart rsyslog

and then process /var/log/secure-save manually as indicated above.
(rsyslog keeps writing to the renamed file until it is restarted, so no
messages are lost by the move.)
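The two log-handling cases in this document (feeding an old or rotated logfile to DenyHosts, from the Starting and Stopping section, and sidelining an oversized /var/log/secure, above) as one added shell example. This is not from the Fedora README or from DenyHosts itself. It assumes that denyhosts.py accepts "-c CONFIG LOGFILE" as shown above, it reads the commands it runs from the DENYHOSTS_CMD, DENYHOSTS_CONF and SYSTEMCTL variables (names chosen here, so the logic can be dry-run against stubs without root), and it stops the service while the saved copy is processed in the foreground so that only one DenyHosts instance writes hosts.deny at a time; the README itself does not prescribe that ordering.

```shell
#!/bin/sh
# Added example, not part of the Fedora README or of DenyHosts itself.
# Helpers for two cases from the README: feeding rotated (optionally
# gzip/bzip2-compressed) copies of /var/log/secure to DenyHosts, and setting
# a huge live log aside so the service starts promptly.
# Assumption: denyhosts.py takes "-c CONFIG LOGFILE" as shown in the README.
# The commands to run come from variables (names chosen for this example)
# so the logic can be exercised without root by pointing them at stubs.
DENYHOSTS_CMD=${DENYHOSTS_CMD:-denyhosts.py}
DENYHOSTS_CONF=${DENYHOSTS_CONF:-/etc/denyhosts.conf}
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# Run DenyHosts once per readable regular file matching the glob in $1
# (for example '/var/log/secure-*'). Compressed files are passed through
# untouched, since DenyHosts reads .gz and .bz2 itself.
# Prints the number of files processed; returns 1 if any run failed.
process_rotated_logs() {
    n=0; rc=0
    for f in $1; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        if "$DENYHOSTS_CMD" -c "$DENYHOSTS_CONF" "$f"; then
            n=$((n + 1))
        else
            echo "denyhosts failed on $f" >&2
            rc=1
        fi
    done
    echo "$n"
    return $rc
}

# If the live log in $1 (default /var/log/secure) is larger than $2 bytes
# (default 100 MiB): stop the service, rename the log, make rsyslog open a
# fresh one, process the saved copy in the foreground, then start the
# service again. The service thus never reads the big file at startup, and
# only one DenyHosts instance writes hosts.deny at a time. rsyslog keeps
# writing to the renamed file until it is restarted, so nothing is lost.
# Prints the path of the saved copy (or a "nothing to do" note).
sideline_huge_log() {
    log=${1:-/var/log/secure}; limit=${2:-104857600}
    size=$(wc -c < "$log" | tr -d ' ')
    if [ "$size" -le "$limit" ]; then
        echo "$log is $size bytes, not above $limit; nothing to do"
        return 0
    fi
    saved="$log-save.$(date +%Y%m%d%H%M%S)"
    "$SYSTEMCTL" stop denyhosts
    mv "$log" "$saved"
    "$SYSTEMCTL" restart rsyslog
    "$DENYHOSTS_CMD" -c "$DENYHOSTS_CONF" "$saved"
    "$SYSTEMCTL" start denyhosts
    echo "$saved"
}

# Stand-alone use as root, e.g.:  sh process-logs.sh '/var/log/secure-*'
if [ $# -gt 0 ]; then
    process_rotated_logs "$1"
fi
```

Run it as root with a glob argument to catch up on rotated logs, or source it from a maintenance shell and call sideline_huge_log directly. With DENYHOSTS_CMD and SYSTEMCTL pointed at shell functions that only record their arguments, the same code can be dry-run on a workstation to check the sequence of operations before touching a server.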