# [Solved] Denyhosts doesnt seem to be working...help!

## mattwood2000

Ok, I've had denyhosts running for some time (since before 2.6.15) and its worked fine.  I dont know when it stopped working, but sometime within the last few kernel releases.  I'm pretty sure my denyhosts.conf file is correct, and when I do a /etc/init.d/denyhosts start, it seems to be running ok, but when I do a less /var/log/messages |grep ssh, I see lots of connection attempts and no denying.  My /etc/hosts.deny doesnt seem to change.  I've re-compiled ssh with tcpd, but no change.  Here's my conf file.  Any suggestions?  Thanks.  Matt.

```

       ############ THESE SETTINGS ARE REQUIRED ############

########################################################################

#

# SECURE_LOG: the log file that contains sshd logging info

# if you are not sure, grep "sshd:" /var/log/*

#

# The file to process can be overridden with the --file command line

# argument

#

# Redhat or Fedora Core:

#SECURE_LOG = /var/log/secure

#

# Mandrake, FreeBSD or OpenBSD: 

#SECURE_LOG = /var/log/auth.log

#

# Gentoo/SuSE:

SECURE_LOG = /var/log/auth.log

#

# Metalog:

SECURE_LOG = /var/log/sshd/current

# Mac OS X (v10.4 or greater - 

#   also refer to:   http://www.denyhosts.net/faq.html#macos

#SECURE_LOG = /private/var/log/asl.log

#

# Mac OS X (v10.3 or earlier):

#SECURE_LOG=/private/var/log/system.log

#

########################################################################

########################################################################

#

# HOSTS_DENY: the file which contains restricted host access information

#

# Most operating systems:

HOSTS_DENY = /etc/hosts.deny

#

# Some BSD (FreeBSD) Unixes:

#HOSTS_DENY = /etc/hosts.allow

#

# Another possibility (also see the next option):

#HOSTS_DENY = /etc/hosts.evil

#######################################################################

########################################################################

#

# PURGE_DENY: removed HOSTS_DENY entries that are older than this time

#             when DenyHosts is invoked with the --purge flag

#

#      format is: i[dhwmy]

#      Where 'i' is an integer (eg. 7) 

#            'm' = minutes

#            'h' = hours

#            'd' = days

#            'w' = weeks

#            'y' = years

#

# never purge:

PURGE_DENY = 

#

# purge entries older than 1 week

#PURGE_DENY = 1w

#

# purge entries older than 5 days

#PURGE_DENY = 5d

#######################################################################

#######################################################################

#

# PURGE_THRESHOLD: defines the maximum times a host will be purged.  

# Once this value has been exceeded then this host will not be purged. 

# Setting this parameter to 0 (the default) disables this feature.

#

# default: a denied host can be purged/re-added indefinitely

#PURGE_THRESHOLD = 0

#

# a denied host will be purged at most 2 times. 

#PURGE_THRESHOLD = 2 

#

#######################################################################

#######################################################################

#

# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY

# 

# man 5 hosts_access for details

#

# eg.   sshd: 127.0.0.1  # will block sshd logins from 127.0.0.1

#

# To block all services for the offending host:

#BLOCK_SERVICE = ALL

# To block only sshd:

BLOCK_SERVICE  = sshd

# To only record the offending host and nothing else (if using

# an auxilary file to list the hosts).  Refer to: 

# http://denyhosts.sourceforge.net/faq.html#aux

#BLOCK_SERVICE =    

#

#######################################################################

#######################################################################

#

# DENY_THRESHOLD_INVALID: block each host after the number of failed login 

# attempts has exceeded this value.  This value applies to invalid

# user login attempts (eg. non-existent user accounts)

#

DENY_THRESHOLD_INVALID = 2

#

#######################################################################

#######################################################################

#

# DENY_THRESHOLD_VALID: block each host after the number of failed 

# login attempts has exceeded this value.  This value applies to valid

# user login attempts (eg. user accounts that exist in /etc/passwd) except

# for the "root" user

#

DENY_THRESHOLD_VALID = 2

#

#######################################################################

#######################################################################

#

# DENY_THRESHOLD_ROOT: block each host after the number of failed 

# login attempts has exceeded this value.  This value applies to 

# "root" user login attempts only.

#

DENY_THRESHOLD_ROOT = 1

#

#######################################################################

#######################################################################

#

# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed 

# login attempts has exceeded this value.  This value applies to 

# usernames that appear in the WORK_DIR/restricted-usernames file only.

#

DENY_THRESHOLD_RESTRICTED = 1

#

#######################################################################

#######################################################################

#

# WORK_DIR: the path that DenyHosts will use for writing data to

# (it will be created if it does not already exist).  

#

# Note: it is recommended that you use an absolute pathname

# for this value (eg. /home/foo/denyhosts/data)

#

WORK_DIR = /var/lib/denyhosts

#

#######################################################################

#######################################################################

#

# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS

#

# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO

# If set to YES, if a suspicious login attempt results from an allowed-host

# then it is considered suspicious.  If this is NO, then suspicious logins 

# from allowed-hosts will not be reported.  All suspicious logins from 

# ip addresses that are not in allowed-hosts will always be reported.

#

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

######################################################################

######################################################################

#

# HOSTNAME_LOOKUP

#

# HOSTNAME_LOOKUP=YES|NO

# If set to YES, for each IP address that is reported by Denyhosts,

# the corresponding hostname will be looked up and reported as well

# (if available).

#

HOSTNAME_LOOKUP=YES

#

######################################################################

######################################################################

#

# LOCK_FILE

#

# LOCK_FILE=/path/denyhosts

# If this file exists when DenyHosts is run, then DenyHosts will exit

# immediately.  Otherwise, this file will be created upon invocation

# and deleted upon exit.  This ensures that only one instance is

# running at a time.

#

# Redhat/Fedora:

#LOCK_FILE = /var/lock/subsys/denyhosts

#

# Gentoo/Debian

LOCK_FILE = /var/run/denyhosts.pid

#

# Misc

#LOCK_FILE = /tmp/denyhosts.lock

#

######################################################################

       ############ THESE SETTINGS ARE OPTIONAL ############

#######################################################################

#

# ADMIN_EMAIL: if you would like to receive emails regarding newly

# restricted hosts and suspicious logins, set this address to 

# match your email address.  If you do not want to receive these reports

# leave this field blank (or run with the --noemail option)

#

ADMIN_EMAIL = 

#

#######################################################################

#######################################################################

#

# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email 

# reports (see ADMIN_EMAIL) then these settings specify the 

# email server address (SMTP_HOST) and the server port (SMTP_PORT)

# 

#

SMTP_HOST = localhost

SMTP_PORT = 25

#

#######################################################################

#######################################################################

# 

# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your 

# smtp email server requires authentication

#

#SMTP_USERNAME=foo

#SMTP_PASSWORD=bar

#

######################################################################

#######################################################################

#

# SMTP_FROM: you can specify the "From:" address in messages sent

# from DenyHosts when it reports thwarted abuse attempts

#

SMTP_FROM = DenyHosts <nobody@localhost>

#

#######################################################################

#######################################################################

#

# SMTP_SUBJECT: you can specify the "Subject:" of messages sent

# by DenyHosts when it reports thwarted abuse attempts

SMTP_SUBJECT = DenyHosts Report

#

######################################################################

######################################################################

#

# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header

# when sending email messages.

#

# for possible values for this parameter refer to: man strftime

#

# the default:

#

#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z

#

######################################################################

######################################################################

#

# SYSLOG_REPORT

#

# SYSLOG_REPORT=YES|NO

# If set to yes, when denied hosts are recorded the report data

# will be sent to syslog (syslog must be present on your system).

# The default is: NO

#

#SYSLOG_REPORT=NO

#

#SYSLOG_REPORT=YES

#

######################################################################

######################################################################

#

# ALLOWED_HOSTS_HOSTNAME_LOOKUP

#

# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO

# If set to YES, for each entry in the WORK_DIR/allowed-hosts file,

# the hostname will be looked up.  If your versions of tcp_wrappers

# and sshd sometimes log hostnames in addition to ip addresses

# then you may wish to specify this option.

# 

#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO

#

######################################################################

###################################################################### 

# 

# AGE_RESET_VALID: Specifies the period of time between failed login

# attempts that, when exceeded will result in the failed count for 

# this host to be reset to 0.  This value applies to login attempts 

# to all valid users (those within /etc/passwd) with the 

# exception of root.  If not defined, this count will never

# be reset.

#

# See the comments in the PURGE_DENY section (above) 

# for details on specifying this value or for complete details 

# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

#

AGE_RESET_VALID=5d

#

######################################################################

###################################################################### 

# 

# AGE_RESET_ROOT: Specifies the period of time between failed login

# attempts that, when exceeded will result in the failed count for 

# this host to be reset to 0.  This value applies to all login 

# attempts to the "root" user account.  If not defined,

# this count will never be reset.

#

# See the comments in the PURGE_DENY section (above) 

# for details on specifying this value or for complete details 

# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

#

AGE_RESET_ROOT=25d

#

######################################################################

###################################################################### 

# 

# AGE_RESET_RESTRICTED: Specifies the period of time between failed login

# attempts that, when exceeded will result in the failed count for 

# this host to be reset to 0.  This value applies to all login 

# attempts to entries found in the WORK_DIR/restricted-usernames file.  

# If not defined, the count will never be reset.

#

# See the comments in the PURGE_DENY section (above) 

# for details on specifying this value or for complete details 

# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

#

AGE_RESET_RESTRICTED=25d

#

######################################################################

###################################################################### 

# 

# AGE_RESET_INVALID: Specifies the period of time between failed login

# attempts that, when exceeded will result in the failed count for 

# this host to be reset to 0.  This value applies to login attempts 

# made to any invalid username (those that do not appear 

# in /etc/passwd).  If not defined, count will never be reset.

#

# See the comments in the PURGE_DENY section (above) 

# for details on specifying this value or for complete details 

# refer to:  http://denyhosts.sourceforge.net/faq.html#timespec

#

AGE_RESET_INVALID=10d

#

######################################################################

######################################################################

#

# RESET_ON_SUCCESS: If this parameter is set to "yes" then the

# failed count for the respective ip address will be reset to 0

# if the login is successful.  

#

# The default is RESET_ON_SUCCESS = no

#

#RESET_ON_SUCCESS = yes

#

#####################################################################

######################################################################

#

# PLUGIN_DENY: If set, this value should point to an executable

# program that will be invoked when a host is added to the

# HOSTS_DENY file.  This executable will be passed the host

# that will be added as it's only argument.

#

#PLUGIN_DENY=/usr/bin/true

#

######################################################################

######################################################################

#

# PLUGIN_PURGE: If set, this value should point to an executable

# program that will be invoked when a host is removed from the

# HOSTS_DENY file.  This executable will be passed the host

# that is to be purged as it's only argument.

#

#PLUGIN_PURGE=/usr/bin/true

#

######################################################################

######################################################################

#

# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain

# a regular expression that can be used to identify additional

# hackers for your particular ssh configuration.  This functionality

# extends the built-in regular expressions that DenyHosts uses.

# This parameter can be specified multiple times.

# See this faq entry for more details:

#    http://denyhosts.sf.net/faq.html#userdef_regex

#

#USERDEF_FAILED_ENTRY_REGEX=

#

#

######################################################################

   ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE  ##########

#######################################################################

#

# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag)

# this is the logfile that DenyHosts uses to report it's status.

# To disable logging, leave blank.  (default is: /var/log/denyhosts)

#

DAEMON_LOG = /var/log/denyhosts

#

# disable logging:

#DAEMON_LOG = 

#

######################################################################

#######################################################################

# 

# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode 

# (--daemon flag) this specifies the timestamp format of 

# the DAEMON_LOG messages (default is the ISO8061 format:

# ie. 2005-07-22 10:38:01,745)

#

# for possible values for this parameter refer to: man strftime

#

# Jan 1 13:05:59   

DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S

#

# Jan 1 01:05:59 

#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S

#

###################################################################### 

#######################################################################

# 

# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode 

# (--daemon flag) this specifies the message format of each logged

# entry.  By default the following format is used:

#

# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s

#

# Where the "%(asctime)s" portion is expanded to the format

# defined by DAEMON_LOG_TIME_FORMAT

#

# This string is passed to python's logging.Formatter contstuctor.

# For details on the possible format types please refer to:

# http://docs.python.org/lib/node357.html

#

# This is the default:

#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s

#

#

###################################################################### 

 

#######################################################################

#

# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)

# this is the amount of time DenyHosts will sleep between polling

# the SECURE_LOG.  See the comments in the PURGE_DENY section (above)

# for details on specifying this value or for complete details

# refer to:    http://denyhosts.sourceforge.net/faq.html#timespec

# 

#

DAEMON_SLEEP = 30s

#

#######################################################################

#######################################################################

#

# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode,

# run the purge mechanism to expire old entries in HOSTS_DENY

# This has no effect if PURGE_DENY is blank.

#

DAEMON_PURGE = 1h

#

#######################################################################

   #########   THESE SETTINGS ARE SPECIFIC TO     ##########

   #########       DAEMON SYNCHRONIZATION         ##########

#######################################################################

#

# Synchronization mode allows the DenyHosts daemon the ability

# to periodically send and receive denied host data such that 

# DenyHosts daemons worldwide can automatically inform one

# another regarding banned hosts.   This mode is disabled by

# default, you must uncomment SYNC_SERVER to enable this mode.

#

# for more information, please refer to: 

#        http:/denyhosts.sourceforge.net/faq.html#sync 

#

#######################################################################

#######################################################################

#

# SYNC_SERVER: The central server that communicates with DenyHost

# daemons.  Currently, denyhosts.net is the only available server

# however, in the future, it may be possible for organizations to

# install their own server for internal network synchronization

#

# To disable synchronization (the default), do nothing. 

#

# To enable synchronization, you must uncomment the following line:

#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911

#

#######################################################################

#######################################################################

#

# SYNC_INTERVAL: the interval of time to perform synchronizations if

# SYNC_SERVER has been uncommented.  The default is 1 hour.

# 

#SYNC_INTERVAL = 1h

#

#######################################################################

#######################################################################

#

# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have

# been denied?  This option only applies if SYNC_SERVER has

# been uncommented.

# The default is SYNC_UPLOAD = yes

#

#SYNC_UPLOAD = no

#SYNC_UPLOAD = yes

#

#######################################################################

#######################################################################

#

# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have

# been denied by others?  This option only applies if SYNC_SERVER has

# been uncommented.

# The default is SYNC_DOWNLOAD = yes

#

#SYNC_DOWNLOAD = no

#SYNC_DOWNLOAD = yes

#

#

#

#######################################################################

#######################################################################

#

# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this paramter

# filters the returned hosts to those that have been blocked this many

# times by others.  That is, if set to 1, then if a single DenyHosts

# server has denied an ip address then you will receive the denied host.

# 

# See also SYNC_DOWNLOAD_RESILIENCY

#

#SYNC_DOWNLOAD_THRESHOLD = 10

#

# The default is SYNC_DOWNLOAD_THRESHOLD = 3 

#

#SYNC_DOWNLOAD_THRESHOLD = 3

#

#######################################################################

#######################################################################

#

# SYNC_DOWNLOAD_RESILIENCY:  If SYNC_DOWNLOAD is enabled then the

# value specified for this option limits the downloaded data

# to this resiliency period or greater.

#

# Resiliency is defined as the timespan between a hackers first known 

# attack and it's most recent attack.  Example:

# 

# If the centralized   denyhosts.net server records an attack at 2 PM 

# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h 

# will not download this ip address.

#

# However, if the attacker is recorded again at 6:15 PM then the 

# ip address will be downloaded by your DenyHosts instance.  

#

# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD 

# and only hosts that satisfy both values will be downloaded.  

# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 

#

# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours)

#

# Only obtain hackers that have been at it for 2 days or more:

#SYNC_DOWNLOAD_RESILIENCY = 2d

#

# Only obtain hackers that have been at it for 5 hours or more:

#SYNC_DOWNLOAD_RESILIENCY = 5h

#

#######################################################################

```

Last edited by mattwood2000 on Tue Jun 27, 2006 3:03 am; edited 1 time in total

----------

## 0n0w1c

I am now having this problem.

In denyhosts.conf, my secure log setting is /var/log/messages which is where sshd events are logged on my system.

----------

## 0n0w1c

Commented out the SECURE_LOG setting following "Metalog:" and now it works fine.

----------

## mattwood2000

I commented out the SECURE_LOG under "Metalog" but now when I try to start denyhosts it hangs up and doesnt seem to start.  With that uncommented it starts fine but does not deny hosts.

----------

## 0n0w1c

Are you sure it is hanging?  It does take a while to read through your /var/log/messages file.

After starting denyhosts, try running "top" from another xterm/console terminal to see if the process is running.

----------

## mattwood2000

Ahhh...thank you, you are correct, it was parsing the messages file.  Everything is working again.  Matt.

----------

