Gentoo Wiki



SSH Basics

Tips & Tricks

Other Gentoo-wiki SSH



DenyHosts is a Python script analyzing the OpenSSH server log determining if hosts are attempting to break into your system. DenyHosts also determines which user accounts are being targeted and keeps track of the frequency of attempts from each host.

Upon discovery of repeated attacks, the /etc/hosts.deny file is updated with the relevant host information preventing future break-in attempts from the host. See the features

A better alternative to DenyHosts is sshdfilter as it executes sshd itself, and so blocks can be initiated instantly (the program is constantly monitoring your sshd log). It also logs all attempts and a supplied Logwatch script can give you periodical summaries.


Before Installing you need to be sure you have a running system logger such as syslog-ng. If you do not be sure to install one by doing: emerge -av syslog-ng. And then starting it with /etc/init.d/syslog-ng start and adding it to be booted up by default with rc-update add syslog-ng default.

First emerge DenyHosts by running emerge -av denyhosts.

Ensure OpenSSH was merged with the tcpd USE flag enabled:

emerge -pv net-misc/openssh
net-misc/openssh +tcpd

If needed, re-emerge OpenSSH with tcpd support:

echo 'net-misc/openssh tcpd' >> /etc/portage/package.use
emerge -av net-misc/openssh


Most of this configuration was already done for you with recent ebuild releases. At this point, most users can safely go to Starting DenyHosts section.

File: /etc/denyhosts.conf

Ensure the SECURE_LOG variable is set to the location where OpenSSH (sshd process) logs its messages.  Customized loggers might put OpenSSH logging elsewhere.

SECURE_LOG = /var/log/messages

This is now also the default for DAEMON_LOG, and allows you to set the date format for logging.

DAEMON_LOG = /var/log/denyhosts

Synchronization Mode is a new feature as of version 2.0. This mode allows DenyHosts to sync with a central host with known predators. Simply uncommenting the SYNC_SERVER variable enables Synchronization Mode. Once enabled, publishing your found predators to the central server is also enabled by default.


Starting DenyHosts

You can configure DenyHosts to run as a daemon by running:

Code: Add to runlevel
rc-update add denyhosts default

or as a cronjob, by adding the following to your crontab. Edit the crontab using crontab -e.

Code: crontab
# run DenyHosts every 10 minutes
*/10  *  * * *	root	python /usr/bin/denyhosts -c /etc/denyhosts.conf

Now, start DenyHosts. This may take a while as it parses the log file.

/etc/init.d/denyhosts start

If a client now needs more login attempts than allowed, its IP will be added to the /etc/hosts.deny so that the next time it tries to connect, the server refuses the connection.

Alternative Configuration

To avoid running Denyhosts all the time as a daemon, you can instruct Denyhosts to execute only when a ssh user connects. This introduces a negligible delay for the user, but will save resources since Denyhosts only needs to be run initially as a user connects.

File: /etc/denyhosts.conf
HOSTS_DENY = /etc/hosts.blocked

Now edit /etc/hosts.deny to run denyhosts. Note that we are running denyhosts without the --daemon option.

File: /etc/hosts.deny
sshd:ALL:spawn python /usr/bin/ -c /etc/denyhosts.conf: allow

At this point it would be advisable to run python /usr/bin/ -c /etc/denyhosts.conf. This may take quite some time, subsequent times (when SSH users log on) will be much faster. To use hosts.allow and hosts.deny you also need TCP-wrappers.

See also

Retrieved from ""

Last modified: Sat, 23 Aug 2008 10:53:00 +0000 Hits: 19,762