Tutorial

How To Install DenyHosts on CentOS 6

Published on June 15, 2012
How To Install DenyHosts on CentOS 6

Status: Deprecated

This article covers a version of CentOS that is no longer supported. If you are currently operating a server running CentOS 6, we highly recommend upgrading or migrating to a supported version of CentOS.

Reason: CentOS 6 reached end of life (EOL) on November 30th, 2020 and no longer receives security patches or updates. For this reason, this guide is no longer maintained.

See Instead:
This guide might still be useful as a reference, but may not work on other CentOS releases. If available, we strongly recommend using a guide written for the version of CentOS you are using.

About DenyHosts

DenyHosts is a security tool written in python that monitors server access logs to prevent brute force attacks on a virtual server. The program works by banning IP addresses that exceed a certain number of failed login attempts.

Step One—Install Deny Hosts

We need to use a repository to install Deny Hosts on CentOS.

sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
sudo yum install denyhosts

Once the program has finished downloading to the VPS, denyhosts is installed and configured.

Step Two—Whitelist IP Addresses

After you install DenyHosts, make sure to whitelist your own IP address. Skipping this step will put you at risk of locking yourself out of your own virtual private server.

Open up the list of allowed hosts:

nano /etc/hosts.allow

Under the description, add in any IP addresses that cannot afford to be banned from the server; you can write each one on a separate line, using this format:

sshd: 12.34.45.678

After making any changes, be sure to restart DenyHosts so that the new settings take effect on your virtual server:

/etc/init.d/denyhosts restart

Step Three—(Optional) Configure DenyHosts

DenyHosts is ready use as soon as the installation is over.

However if you want to customize the behavior of DenyHosts on your server, you can make the changes within the DenyHost configuration file:

nano /etc/denyhosts.conf
By Etel Sverdlov

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
7 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

After configuring properly, don’t forget to enable the service so it starts automatically after each reboot. Do something like:

chkconfig denyhosts on

You should add sudo to any of the commands, otherwise users may not be able to save content.

Nevermind, I looked it up.

Does it make sense then if you’re using a dynamic IP to lower this value to, say, a few hours? So if somebody tries to hack from an IP address and it gets blocked and then you hop unto it, the worst that happens is you’re locked out that amount of time. I’d think if a person can only brute for say 3 times every few hours, it’s not much of a brute force attack.

The default file seems to allow for up to 10 failed login attempts from a non-root valid user (only 5 for invalid user attempts). Is that the total for the entire four weeks?

Important note to be aware: If you connect from a computer without a static IP, you cannot set an allowed host. So if you have a login failed attempt in the past 4 weeks (default config) on your current IP, you will be locked out.

In this case, try to reboot your modem to get a new address.

Etel Sverdlov
DigitalOcean Employee
DigitalOcean Employee badge
January 18, 2013

updated. Thank you

Retrieving http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-7.noarch.rpm curl: (22) The requested URL returned error: 404

The latest is 6-8 so: sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-8.noarch.rpm

You can always check for the latest version at: http://mirror.metrocast.net/fedora/epel/6/i386/

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.