denyhosts

A few notes on denyhosts, a piece of software that finds IP addresses scanning ssh and adds them to /etc/hosts.deny.

DenyHosts requires TCP Wrappers.
You may be able to find out if a daemon is compiled with TCP Wrappers using ldd and looking for the libwrap shared object.
eg:
# ldd `which sshd` |grep libwrap
 libwrap.so.0 => /lib/libwrap.so.0 (0x00007fac6668f111)
or using strings and looking for hosts_access
eg:
# strings `which sshd` |grep hosts_access
hosts_access


On Debian you can find out whether a daemon's package depends on TCP Wrappers (libwrap0) with apt-cache.
eg:
# apt-cache rdepends libwrap0 |grep ssh
  openssh-server


Install denyhosts on Debian
# apt-get install denyhosts


I like whitelisting a few hosts because by default denyhosts is trigger-happy. E.g. to allow access from 10.12.142.92, 192.168.167.0/24, 85.26.243.146, and 67.3.2.2, add the following line to /etc/hosts.allow (the trailing dot in 192.168.167. is the TCP Wrappers prefix pattern that matches the whole /24):
sshd: 10.12.142.92, 192.168.167. , 85.26.243.146 , 67.3.2.2 :allow
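
A quick check of which client addresses that line covers, as an added example that is not from the original post. The function name sshd_allows, the temporary sample file and the test addresses are assumptions made here, and only the two pattern forms used above (exact IPv4 address and trailing-dot prefix) are handled.

```shell
#!/bin/sh
# Added example: is a client IP covered by the sshd entry in a hosts.allow file?
# Assumption: only exact IPv4 addresses and trailing-dot prefixes are handled
# (no ALL, hostnames, net/mask or multi-daemon lines).

# sshd_allows FILE IP -> returns 0 if an "sshd:" line lists a pattern matching IP
sshd_allows() {
    file=$1
    ip=$2
    # Take the client list between "sshd:" and any ":option" such as ":allow",
    # then turn commas into spaces so the shell splits it into patterns.
    patterns=$(sed -n 's/^[[:space:]]*sshd[[:space:]]*:\([^:]*\).*/\1/p' "$file" | tr ',' ' ')
    for pat in $patterns; do
        case $pat in
            *.) # prefix pattern: matches every address that starts with it
                case $ip in "$pat"*) return 0 ;; esac ;;
            *)  # anything else is compared as an exact address
                [ "$pat" = "$ip" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed sample file holding the hosts.allow line from this page.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
sshd: 10.12.142.92, 192.168.167. , 85.26.243.146 , 67.3.2.2 :allow
EOF

# Constructed test addresses: two covered by the line, two not.
for ip in 192.168.167.20 67.3.2.2 192.168.16.7 203.0.113.5; do
    if sshd_allows "$sample" "$ip"; then
        echo "$ip: allowed by hosts.allow"
    else
        echo "$ip: not listed, denyhosts may block it"
    fi
done
```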


Set ADMIN_EMAIL and SMTP_FROM in /etc/denyhosts.conf.

Denyhosts comes with a synchronization service: you supply the hosts attacking you and download the ones attacking other hosts. The sync service is disabled by default. If you want to enable it, uncomment the following line in /etc/denyhosts.conf
#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911


To just supply data to the sync service add
SYNC_DOWNLOAD = no
in /etc/denyhosts.conf

To just receive data from the sync service add
SYNC_UPLOAD = no
in /etc/denyhosts.conf

To apply changes restart the denyhosts daemon
# /etc/init.d/denyhosts restart


URI: http://alog.ipduh.com/2013/07/denyhosts.html