DenyHosts on openSUSE 10.3
Tuesday, December 25th, 2007
Abstract
DenyHosts is a small application that blocks IP addresses that abuse SSH. This helps a lot if you are being brute-forced over SSH by some hijacked bot computer. I am sure everyone has seen this in their log files. This article explains how to install and configure DenyHosts.
Not supplied by default
Unfortunately, openSUSE 10.3 does not come with DenyHosts by default, so a repository needs to be added in order to include it. Navigate to http://packages.opensuse-community.org/ and choose 10.3 as your version, then enter denyhosts. The result should be the following:
There you see a one-click install button, which is useful only if you are running openSUSE 10.3 on your desktop. I, for one, am running Vista, so I opened this file with a text editor and found the XML tag called <url>. This is the only data we will need from this file:
Once you have found the url tag, log on to your Linux box as root and start up YaST (yast2). Then go to the Software Repositories menu (in the Software section). From there select Add and choose the HTTP type. After this a confusing window appears, which does not say anything about slashes and directories. You need to fill it in like so:
Now, just click Finish and agree to any question YaST might have for you. Since this is one of the official repositories, you are perfectly safe trusting the key.
Installation
Now you can navigate to the Software Management menu (in the Software section) and search for denyhosts. You should get one result; install it. After that you should have (please check) the init script in /etc/init.d named denyhosts and the config file in /usr/share/denyhosts named denyhosts.cfg.
Configuration
DenyHosts comes preconfigured, and the only thing that you probably want to change is the email address that reports are sent to. The parameter name for this is ADMIN_EMAIL. The other parameters are very well commented.
After this, you can start up the daemon using /etc/init.d/denyhosts start. In a while you will get a report of the IPs that were already banned (it parsed the existing log file). Additionally, you will receive an update each time an IP is banned.
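To show the kind of check behind that first report, the following is an added example, not DenyHosts' own code and not part of the original article: it counts failed SSH logins per source address in sshd log lines and formats the offenders as hosts.deny entries, the file DenyHosts writes its blocks to. The log lines are constructed, and the function names, the threshold of 3 and the allowlist are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's syslog format; the addresses come from
# the RFC 5737 documentation ranges, not from real hosts.
SAMPLE_LOG = """\
Dec 25 10:01:02 box sshd[3001]: Failed password for root from 203.0.113.7 port 4711 ssh2
Dec 25 10:01:05 box sshd[3002]: Failed password for invalid user admin from 203.0.113.7 port 4712 ssh2
Dec 25 10:01:09 box sshd[3003]: Failed password for invalid user test from 203.0.113.7 port 4713 ssh2
Dec 25 10:02:00 box sshd[3010]: Failed password for alice from 198.51.100.20 port 5050 ssh2
Dec 25 10:02:10 box sshd[3011]: Accepted password for alice from 198.51.100.20 port 5051 ssh2
Dec 25 10:03:00 box sshd[3020]: Failed password for invalid user a from 192.0.2.44 from 203.0.113.7 port 4714 ssh2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# The user name is chosen by the remote client, so it is matched greedily and
# the pattern is anchored at the end of the line: only the address that sshd
# itself appended is captured, never text embedded in the user name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from "
    + IP + r" port \d+(?: ssh2)?$"
)


def hosts_to_deny(log_text, threshold=3, allowlist=()):
    """Return the sorted source IPs with at least `threshold` failed logins.

    `threshold` and `allowlist` are assumptions of this example, not
    DenyHosts defaults; put your own admin addresses in the allowlist.
    """
    failures = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            failures[match.group(1)] += 1
    return sorted(ip for ip, count in failures.items()
                  if count >= threshold and ip not in allowlist)


def deny_lines(ips, service="sshd"):
    """Format the addresses as hosts.deny (TCP wrappers) entries."""
    return [f"{service}: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

A single failure followed by a successful login, as for 198.51.100.20 in the sample, stays below the threshold and is not listed.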