DenyHosts is a clever Python script that monitors your SSH log file for repeated failed login attempts and adds the offending hosts to a system blacklist (/etc/hosts.deny, which sshd honours through tcp_wrappers). While you can disable SSH entirely, or move it to a different port, there are reasons you may want to keep it available on the standard port, and this tool will help keep the bad guys out.
- download and unpack the tarball
- su to root
- cd to the unpacked distribution folder and enter the following in Terminal, one command per line:
python setup.py install
touch /etc/hosts.deny
cp /usr/share/denyhosts/denyhosts.cfg-dist /usr/share/denyhosts/denyhosts.cfg
cp /usr/share/denyhosts/daemon-control-dist /usr/share/denyhosts/daemon-control
chmod 700 /usr/share/denyhosts/daemon-control
read on for configuration
Configure Script
These are the MINIMAL settings for OS X. There are lots of other good options in there, including settings for the failure thresholds (DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID, DENY_THRESHOLD_ROOT), for purging old entries, and for emailing an admin when an attacker is added to the list. There is also a feature that lets you share your list of attackers with the community, as well as download the community-generated blacklist. Using your favorite text editor, or the built-in pico, change the following settings:
pico /usr/share/denyhosts/denyhosts.cfg
look for and change the following:
SECURE_LOG = /var/log/secure.log
LOCK_FILE = /tmp/denyhosts.lock
(strictly speaking – you don’t need to do this next part as we will be starting the script with launchd)
pico /usr/share/denyhosts/daemon-control
look for and change the following:
DENYHOSTS_BIN = "/usr/local/bin/denyhosts.py"
DENYHOSTS_LOCK = "/tmp/denyhosts.lock"
to test out the daemon you can execute the following:
/usr/bin/env python /usr/local/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
To launch the monitoring script automatically at boot
create and then edit a launchd plist
pico /Library/LaunchDaemons/denyhosts.daemon.plist
and then paste the following. Note that RunAtLoad must be true: the job has no socket or other on-demand trigger, so with RunAtLoad false launchd would load it but never start it. Also, because --daemon makes DenyHosts fork into the background, launchd only tracks the short-lived parent and will not restart the daemon if it dies; check it with ps rather than launchctl list.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>denyhosts.daemon</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/env</string>
<string>python</string>
<string>/usr/local/bin/denyhosts.py</string>
<string>--daemon</string>
<string>--config=/usr/share/denyhosts/denyhosts.cfg</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
then to load the plist without logging out or restarting:
launchctl load /Library/LaunchDaemons/denyhosts.daemon.plist
try it out: from a machine you can afford to lock out, log in as a nonexistent user or with a bad password a few times. Once the failures reach the threshold in denyhosts.cfg (DENY_THRESHOLD_INVALID for nonexistent users; a single failure for root by default) you should see that IP listed in /etc/hosts.deny as “sshd: <ip>”. To keep your own address from ever being blocked, put it in the allowed-hosts file in the WORK_DIR named in denyhosts.cfg before you start testing.
to unblock a host, stop the daemon, remove the host from /etc/hosts.deny and from the hosts* files in WORK_DIR (otherwise DenyHosts can re-add it from its own records), then start the daemon again (or see the configuration notes about purging, which expires entries automatically)
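What DenyHosts is doing behind the scenes, as an added illustration that is not the project's own code: parse sshd failure lines out of the log, count them per remote host in the three categories the config thresholds refer to (nonexistent user, real user, root), skip whitelisted hosts, and emit hosts.deny entries once a threshold is reached. The log lines are constructed, the two regexes are my assumption about the common OpenSSH and PAM message shapes seen in OS X secure.log (DenyHosts ships a larger regex set), and the threshold values are this example's choices rather than the shipped defaults.

```python
import re
from collections import Counter

# Names mirror the settings in denyhosts.cfg; the values are this example's
# assumptions, not the defaults shipped in denyhosts.cfg-dist.
DENY_THRESHOLD_INVALID = 5   # failures against a user that does not exist
DENY_THRESHOLD_VALID = 10    # failures against a real user
DENY_THRESHOLD_ROOT = 1      # failures against root
BLOCK_SERVICE = "sshd"       # service name written to /etc/hosts.deny

# Assumed message shapes: plain OpenSSH "Failed password" lines and the
# PAM variant OS X sshd logs. Real DenyHosts carries more patterns.
FAILED_PATTERNS = [
    re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"error: PAM: authentication error for (?P<invalid>illegal user )?(?P<user>\S+) from (?P<host>\S+)"),
]

# Stand-in for the allowed-hosts file in WORK_DIR (hypothetical contents).
ALLOWED_HOSTS = {"127.0.0.1"}

# Constructed sample of what secure.log might contain during a scan.
SAMPLE_LOG = """\
Mar  3 10:12:01 mymac sshd[1234]: Invalid user admin from 203.0.113.5
Mar  3 10:12:05 mymac sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:12:07 mymac sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar  3 10:12:09 mymac sshd[1238]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Mar  3 10:12:11 mymac sshd[1240]: error: PAM: authentication error for illegal user test from 203.0.113.5
Mar  3 10:12:13 mymac sshd[1242]: error: PAM: authentication error for illegal user guest from 203.0.113.5
Mar  3 10:13:01 mymac sshd[1250]: Failed password for bob from 198.51.100.7 port 51300 ssh2
Mar  3 10:13:03 mymac sshd[1250]: Failed password for bob from 198.51.100.7 port 51300 ssh2
Mar  3 10:13:05 mymac sshd[1250]: Accepted password for bob from 198.51.100.7 port 51300 ssh2
Mar  3 10:14:00 mymac sshd[1260]: Failed password for root from 192.0.2.9 port 51400 ssh2
Mar  3 10:15:00 mymac sshd[1270]: Failed password for invalid user admin from 127.0.0.1 port 51500 ssh2
Mar  3 10:15:01 mymac sshd[1271]: Failed password for invalid user admin from 127.0.0.1 port 51501 ssh2
Mar  3 10:15:02 mymac sshd[1272]: Failed password for invalid user admin from 127.0.0.1 port 51502 ssh2
Mar  3 10:15:03 mymac sshd[1273]: Failed password for invalid user admin from 127.0.0.1 port 51503 ssh2
Mar  3 10:15:04 mymac sshd[1274]: Failed password for invalid user admin from 127.0.0.1 port 51504 ssh2
""".splitlines()


def parse_failures(lines):
    """Yield (host, user, is_invalid_user) for every failed-login line."""
    for line in lines:
        if "sshd[" not in line:          # only sshd messages are of interest
            continue
        for pat in FAILED_PATTERNS:
            m = pat.search(line)
            if m:
                yield m.group("host"), m.group("user"), m.group("invalid") is not None
                break                    # one match per line is enough


def hosts_to_deny(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return the hosts whose failure count reached the threshold for its category."""
    invalid, valid, root = Counter(), Counter(), Counter()
    for host, user, is_invalid in parse_failures(lines):
        if host in allowed_hosts:        # whitelisted hosts are never counted
            continue
        if user == "root":
            root[host] += 1
        elif is_invalid:
            invalid[host] += 1
        else:
            valid[host] += 1
    denied = set()
    denied.update(h for h, n in root.items() if n >= DENY_THRESHOLD_ROOT)
    denied.update(h for h, n in invalid.items() if n >= DENY_THRESHOLD_INVALID)
    denied.update(h for h, n in valid.items() if n >= DENY_THRESHOLD_VALID)
    return denied


def hosts_deny_lines(hosts):
    """Format entries the way tcp_wrappers expects them in /etc/hosts.deny."""
    return ["{}: {}".format(BLOCK_SERVICE, h) for h in sorted(hosts)]


if __name__ == "__main__":
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_LOG)):
        print(entry)
```

Run against the sample, 203.0.113.5 is blocked after its fifth nonexistent-user failure, 192.0.2.9 is blocked on its single root failure, bob's two typos from 198.51.100.7 stay well under the real-user threshold, and the five failures from 127.0.0.1 are ignored because that address is whitelisted; drop it from the whitelist and it gets blocked too. The bare "Invalid user" and "Accepted password" lines match neither pattern and are not counted.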
3 comments
I'm not familiar with this topic at all. You're way ahead of me. I'm interested in how to delete network printers from my server list – OS 10.5. I am currently researching on the Apple website – wish me luck.
There is a great pre-built Installer package for DenyHosts over at http://www.lsa.umich.edu/lsait/admin/mac/software/index.asp
Great article. Still relevant – just used your instructions to set this up on my new iMac running 10.6.8. This guide is better than the DenyHosts FAQ. Thanks!