how to install and use denyhosts
April 30, 2009

denyhosts (docs: FAQ) can be used to stop many kinds of brute-force attacks. If you're not using key-based authentication for SSH, you'll probably want to install denyhosts, as it adds an extra layer of security and may allow some restrictions to be relaxed (e.g. permitting logins only from certain IP addresses). In addition, denyhosts can simultaneously block attacks on protocols other than SSH. denyhosts' drawbacks include its Python dependency and its use of TCP wrappers; however, that use of TCP wrappers means it does not need a firewall in order to operate.

NOTE: if you do not plan on exposing any ports to the public internet, you do not need to install denyhosts.

How to install:

  1. cd /usr/ports/security/denyhosts
  2. make install clean
  3. if prompted for Python configuration, make changes as necessary and continue
  4. vi /etc/rc.conf
  5. add these lines (if the syslogd_flags setting already exists, ensure it includes the -c switch):
    denyhosts_enable="YES"
    syslogd_flags="-c"
    
  6. save the changes and exit the editor
  7. vi /etc/hosts.allow
  8. comment out this line:
    ALL : ALL : allow
    
  9. add these lines just before the sendmail settings:
    # denyhosts
    sshd : /etc/hosts.deniedssh : deny
    sshd : ALL : allow
    
  10. save the changes and exit the editor
  11. vi /usr/local/etc/denyhosts.conf
  12. uncomment this line:
    BLOCK_SERVICE  = sshd
    
  13. save the changes and exit the editor
  14. touch /etc/hosts.deniedssh
  15. /etc/rc.d/syslogd restart
  16. /usr/local/etc/rc.d/denyhosts start
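As an added illustration (not code from this post or from denyhosts itself), the following Python mimics what denyhosts does with the sshd messages syslogd writes once the steps above are in place: it tallies failed logins per source address, counts the "last message repeated N times" lines that syslogd produces when run without -c (which is why step 5 needs that switch), emits entries in the "sshd: address" form denyhosts appends to its deny file, and checks the hosts.allow ordering from steps 8 and 9. The sample log lines and the single threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd messages in FreeBSD syslog format (not real traffic).
SAMPLE_LOG = """\
Apr 30 10:01:02 bsd sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2
Apr 30 10:01:05 bsd sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Apr 30 10:01:09 bsd sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 4244 ssh2
Apr 30 10:02:00 bsd sshd[1240]: Failed password for bob from 198.51.100.7 port 5000 ssh2
Apr 30 10:02:10 bsd sshd[1241]: Accepted publickey for bob from 198.51.100.7 port 5001 ssh2
Apr 30 10:03:00 bsd last message repeated 4 times
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                       r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
REPEATED_RE = re.compile(r"last message repeated \d+ times")

def tally_failures(log_text):
    """Count failed sshd logins per source address.
    Returns (Counter of address -> failures, number of 'last message repeated'
    lines). syslogd emits those compressed lines unless run with -c; they carry
    no address, so the failures they stand for cannot be attributed."""
    counts, compressed = Counter(), 0
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
        elif REPEATED_RE.search(line):
            compressed += 1
    return counts, compressed

def deny_entries(counts, threshold, service="sshd"):
    """Entries in the 'service: address' form that denyhosts appends to its
    deny file (here /etc/hosts.deniedssh) once an address reaches the threshold.
    A single threshold is an assumption; denyhosts.conf has several."""
    return [f"{service}: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]

def hosts_allow_is_ordered(lines, deny_file="/etc/hosts.deniedssh"):
    """Check the hosts.allow edits from steps 8 and 9: the blanket
    'ALL : ALL : allow' must be commented out (TCP wrappers stops at the first
    matching rule) and the deny-file rule must precede 'sshd : ALL : allow'."""
    active = [re.sub(r"\s*:\s*", " : ", l.split("#")[0].strip())
              for l in lines if l.split("#")[0].strip()]
    deny, allow = f"sshd : {deny_file} : deny", "sshd : ALL : allow"
    if "ALL : ALL : allow" in active or deny not in active or allow not in active:
        return False
    return active.index(deny) < active.index(allow)
```

A non-zero compressed count on a real log is the sign that syslogd is still running without -c and denyhosts is missing attempts.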

Notes: