Difference between revisions of "Denyhosts"
(9 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | |||
− | |||
We run a python script called "denyhosts.py" on our servers. This script looks at failed login attempts and if there are too many will deny '''all further access''' from that system. | We run a python script called "denyhosts.py" on our servers. This script looks at failed login attempts and if there are too many will deny '''all further access''' from that system. | ||
− | = | + | = Installing Denyhosts = |
− | + | An RPM for denyhosts is located at: einstein:/root/Packages/DenyHosts-2.6-python2.4.noarch.rpm. Once installed follow these instructions: | |
# Copy from einstein the /etc/denyhosts.conf file. | # Copy from einstein the /etc/denyhosts.conf file. | ||
Line 14: | Line 12: | ||
# Start it up: service denyhosts start | # Start it up: service denyhosts start | ||
− | + | Alternatively, if you're running newer versions of Fedora (11+), or if you enable the [http://fedoraproject.org/wiki/EPEL/FAQ| EPEL] repositories on CentOS machines you can simply install denyhosts using the command | |
− | If you | + | |
+ | yum install denyhosts | ||
+ | |||
+ | And then just simply copy the /etc/denyhosts.conf from a machine with a working denyhosts install. | ||
+ | |||
+ | = Faulty Denials = | ||
+ | |||
+ | The Denyhosts FAQ gives these instructions for correcting erroneous denials: | ||
+ | |||
+ | If you have been accidentally locked out of one of your hosts (because DenyHosts has added it to /etc/hosts.deny) you may have noticed that simply removing it from /etc/hosts.deny does not in itself correct the issue since DenyHosts keeps track of the attempts in the WORK_DIR files. In order to cleanse the address you will need to do the following: | ||
+ | |||
+ | #Stop DenyHosts | ||
+ | #Remove the IP address from /etc/hosts.deny | ||
+ | #Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file. | ||
+ | #Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file. | ||
+ | #Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file. | ||
+ | #Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file. | ||
+ | #Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file. | ||
+ | #Start DenyHosts | ||
+ | |||
+ | Note: Not all of the WORK_DIR files will contain the IP address so you may want to use grep to determine which files contain the IP address. | ||
+ | |||
+ | The denyhosts WORK_DIR is not necessarily located in the same place on every system. | ||
+ | *Red Hat Systems: /usr/share/denyhosts/data/ | ||
+ | *Fedora and CentOS Systems: /var/lib/denyhosts/ | ||
+ | |||
+ | We have a script at '''/usr/local/bin/denyhosts-undeny.py''' on all the machines running denyhosts that should do this automatically. Just specify the host to undeny as the only argument, and it'll clean it all up for you. Currently, it only works on CentOS and RedHat, but it should be simple to add functionality for other distros. |
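Review bot: The EPEL link on the added "Alternatively, if you're running newer versions of Fedora" line is written as `[http://fedoraproject.org/wiki/EPEL/FAQ| EPEL]`. MediaWiki external links separate the URL from the label with a space, not a pipe, so the `|` is likely to end up as part of the link target; `[http://fedoraproject.org/wiki/EPEL/FAQ EPEL]` avoids that. In the same hunk, the closing paragraph says denyhosts-undeny.py only works on CentOS and RedHat, while the WORK_DIR list groups Fedora with CentOS under /var/lib/denyhosts/, so it is worth stating whether Fedora is actually unsupported or already covered by the CentOS path.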
Latest revision as of 20:56, 7 October 2010
We run a Python script called "denyhosts.py" on our servers. This script looks at failed login attempts and, if there are too many from one system, denies all further access from that system.
Installing Denyhosts
An RPM for denyhosts is located at: einstein:/root/Packages/DenyHosts-2.6-python2.4.noarch.rpm. Once installed, follow these instructions:
- Copy from einstein the /etc/denyhosts.conf file.
- Copy from einstein the /etc/sysconfig/denyhosts file.
- Copy from einstein the /usr/bin/denyhosts-control file.
- Copy from einstein the /etc/init.d/denyhosts file.
- Execute "chkconfig --add denyhosts; chkconfig --level 345 denyhosts on"
- Start it up: service denyhosts start
Alternatively, if you're running newer versions of Fedora (11+), or if you enable the EPEL repositories on CentOS machines, you can install denyhosts using the command
yum install denyhosts
Then copy the /etc/denyhosts.conf from a machine with a working denyhosts install.
Faulty Denials
The Denyhosts FAQ gives these instructions for correcting erroneous denials:
If you have been accidentally locked out of one of your hosts (because DenyHosts has added it to /etc/hosts.deny) you may have noticed that simply removing it from /etc/hosts.deny does not in itself correct the issue since DenyHosts keeps track of the attempts in the WORK_DIR files. In order to cleanse the address you will need to do the following:
- Stop DenyHosts
- Remove the IP address from /etc/hosts.deny
- Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
- Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
- Start DenyHosts
Note: Not all of the WORK_DIR files will contain the IP address so you may want to use grep to determine which files contain the IP address.
The denyhosts WORK_DIR is not necessarily located in the same place on every system.
- Red Hat Systems: /usr/share/denyhosts/data/
- Fedora and CentOS Systems: /var/lib/denyhosts/
We have a script at /usr/local/bin/denyhosts-undeny.py on all the machines running denyhosts that should do this automatically. Just specify the host to undeny as the only argument, and it'll clean it all up for you. Currently, it only works on CentOS and RedHat, but it should be simple to add functionality for other distros.
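The file-editing steps of the FAQ procedure, as an added Python example; this is not the denyhosts-undeny.py script mentioned above and not code from the DenyHosts project. It assumes DenyHosts has already been stopped, takes the hosts.deny path and WORK_DIR as arguments, and matches the IP only as a whole address so that removing 192.0.2.1 leaves 192.0.2.11 in place, which a plain "lines containing the IP" search would not.

```python
import os
import re
import tempfile

# File names exactly as listed in the steps above; WORK_DIR itself differs per distro.
WORK_FILES = ("hosts", "hosts-restricted", "hosts-root", "hosts-valid", "user-hosts")

def ip_pattern(ip):
    """Match ip only as a complete address, so 10.0.0.1 does not hit 10.0.0.11."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d|\.\d)")

def purge_file(path, pattern):
    """Rewrite path without the lines matching pattern; return how many were dropped."""
    with open(path) as fh:
        lines = fh.readlines()
    kept = [ln for ln in lines if not pattern.search(ln)]
    if len(kept) != len(lines):
        # Write a sibling temp file and rename it, so a crash never leaves a half-written file.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as out:
            out.writelines(kept)
        os.chmod(tmp, os.stat(path).st_mode & 0o777)
        os.replace(tmp, path)
    return len(lines) - len(kept)

def undeny(ip, hosts_deny, work_dir, names=WORK_FILES):
    """Run with DenyHosts stopped. Returns {path: lines_removed} for files that changed."""
    pattern = ip_pattern(ip)
    report = {}
    for path in [hosts_deny] + [os.path.join(work_dir, n) for n in names]:
        if not os.path.isfile(path):
            continue  # not every WORK_DIR file exists on every system
        removed = purge_file(path, pattern)
        if removed:
            report[path] = removed
    return report

def demo():
    """Constructed sample data (documentation-range addresses), not real DenyHosts state."""
    root = tempfile.mkdtemp()
    deny = os.path.join(root, "hosts.deny")
    with open(deny, "w") as fh:
        fh.write("sshd: 192.0.2.1\nsshd: 192.0.2.11\n")
    with open(os.path.join(root, "hosts"), "w") as fh:
        fh.write("192.0.2.1:6:Thu Oct  7 20:56:00 2010\n192.0.2.11:9:Thu Oct  7 20:57:00 2010\n")
    report = undeny("192.0.2.1", deny, root)
    with open(deny) as fh:
        return report, fh.read()
```

On a real host the call would be undeny(ip, "/etc/hosts.deny", work_dir) with one of the WORK_DIR paths listed above, run between stopping and starting the denyhosts service.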