Dark Light

Denyhosts is a utility that automatically bans IPs who attempt to ssh in to your server and get three wrong passwords. This is great when people are dictionary-attacking your SSH server, but less good when you have actual users who might get their password wrong.

The FAQ for denyhosts says how to fix this if it happens and your users are banned, but it’s a bit faffy, so I’m putting my script here. It works for me, it may screw your life up. Backups are your friend.

#/bin/sh
REMOVE=$1
/etc/init.d/denyhosts stop
cd /var/lib/denyhosts
for THISFILE in hosts hosts-restricted hosts-root hosts-valid users-hosts;
	do
	mv $THISFILE /tmp/;
	cat /tmp/$THISFILE | grep -v $REMOVE > $THISFILE;
	rm /tmp/$THISFILE;
done;
mv /etc/hosts.deny /tmp/
cat /tmp/hosts.deny | grep -v $REMOVE > /etc/hosts.deny;
rm /tmp/hosts.deny
/etc/init.d/denyhosts start

Needs to run as root or someone with access to all denyhost’s files (plus hosts.deny).

2015 Addition:

As time has moved on, service management’s changed a bit. For Debian derived distros (ubuntu, probably mint?) you’ll need to change the /etc/init.d/denyhost lines with “service denyhosts stop” etc. Slackware uses “/usr/share/denyhosts/daemon-control”. Look it up for your own system, everything else should be fine, still. Thanks to Bill B and Velimir Kalik in the comments.

7 comments
  1. Hi,

    thanks for a great script! This is the version of your script if you install DenyHosts from source (for instance on Slackware :)).

    I hope it helps someone 🙂

    #/bin/sh
    REMOVE=$1

    /usr/share/denyhosts/daemon-control stop

    cd /usr/share/denyhosts/data
    for THISFILE in hosts hosts-restricted hosts-root hosts-valid users-hosts;
    do
    mv $THISFILE /tmp;
    cat /tmp/$THISFILE | grep -v $REMOVE > $THISFILE;
    rm /tmp/$THISFILE;
    done;

    mv /etc/hosts.deny /tmp/
    cat /tmp/hosts.deny | grep -v $REMOVE > /etc/hosts.deny;
    rm /tmp/hosts.deny

    /usr/share/denyhosts/daemon-control start

  2. Script works well as of 2015, Denyhosts version 2.6. Thanks!

    Had to replace /etc/init.d/denyhosts stop (start) with service denyhosts stop (start) on CentOS.

  3. Bill B: I’m moderately surprised a 6 year old script only needs that level of change, but thanks, I’ve added that to the original article

  4. Hi there,
    I wanted to share a slighly different method:
    first stop service
    sudo service denyhosts stop
    then add the host to allow list
    sudo vi /etc/hosts.allow
    with “ALL: yourip or yourhostname”
    then remove the host from the deny list
    sudo vi /etc/hosts.deny
    then restart serviec
    sudo service denyhosts start &

    Kindly

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts