Tutorial

How To Install DenyHosts on CentOS 6

Published on June 15, 2012

Status: Deprecated

This article covers a version of CentOS that is no longer supported. If you are currently operating a server running CentOS 6, we highly recommend upgrading or migrating to a supported version of CentOS.

Reason: CentOS 6 reached end of life (EOL) on November 30th, 2020 and no longer receives security patches or updates. For this reason, this guide is no longer maintained.

See Instead:
This guide might still be useful as a reference, but may not work on other CentOS releases. If available, we strongly recommend using a guide written for the version of CentOS you are using.

About DenyHosts

DenyHosts is a security tool written in python that monitors server access logs to prevent brute force attacks on a virtual server. The program works by banning IP addresses that exceed a certain number of failed login attempts.

Step One—Install Deny Hosts

We need to use a repository to install Deny Hosts on CentOS.

sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-8.noarch.rpm

sudo yum install denyhosts

Once the program has finished downloading to the VPS, denyhosts is installed and configured.

Step Two—Whitelist IP Addresses

After you install DenyHosts, make sure to whitelist your own IP address. Skipping this step will put you at risk of locking yourself out of your own virtual private server.

Open up the list of allowed hosts:

nano /etc/hosts.allow

Under the description, add in any IP addresses that cannot afford to be banned from the server; you can write each one on a separate line, using this format:

sshd: 12.34.45.678

After making any changes, be sure to restart DenyHosts so that the new settings take effect on your virtual server:

/etc/init.d/denyhosts restart

Step Three—(Optional) Configure DenyHosts

DenyHosts is ready use as soon as the installation is over.

However if you want to customize the behavior of DenyHosts on your server, you can make the changes within the DenyHost configuration file:

nano /etc/denyhosts.conf

By Etel Sverdlov

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Etel Sverdlov

author

Still looking for an answer?

Ask a question Search for more help

Was this helpful?

7 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

macelee • September 6, 2013

After configuring properly, don’t forget to enable the service so it starts automatically after each reboot. Do something like:

chkconfig denyhosts on

JayB • October 23, 2015

You should add sudo to any of the commands, otherwise users may not be able to save content.

linuxtechjason • July 14, 2013

Nevermind, I looked it up.

Does it make sense then if you’re using a dynamic IP to lower this value to, say, a few hours? So if somebody tries to hack from an IP address and it gets blocked and then you hop unto it, the worst that happens is you’re locked out that amount of time. I’d think if a person can only brute for say 3 times every few hours, it’s not much of a brute force attack.

linuxtechjason • July 14, 2013

The default file seems to allow for up to 10 failed login attempts from a non-root valid user (only 5 for invalid user attempts). Is that the total for the entire four weeks?

Glauco • February 15, 2013

Important note to be aware: If you connect from a computer without a static IP, you cannot set an allowed host. So if you have a login failed attempt in the past 4 weeks (default config) on your current IP, you will be locked out.

In this case, try to reboot your modem to get a new address.

Etel Sverdlov

DigitalOcean Employee