// Tutorial //

How To Install DenyHosts on CentOS 6

Published on June 15, 2012
Default avatar
By Etel Sverdlov
Developer and author at DigitalOcean.
How To Install DenyHosts on CentOS 6

Status: Deprecated

This article covers a version of CentOS that is no longer supported. If you are currently operating a server running CentOS 6, we highly recommend upgrading or migrating to a supported version of CentOS.

Reason: CentOS 6 reached end of life (EOL) on November 30th, 2020 and no longer receives security patches or updates. For this reason, this guide is no longer maintained.

See Instead:
This guide might still be useful as a reference, but may not work on other CentOS releases. If available, we strongly recommend using a guide written for the version of CentOS you are using.

About DenyHosts

DenyHosts is a security tool written in python that monitors server access logs to prevent brute force attacks on a virtual server. The program works by banning IP addresses that exceed a certain number of failed login attempts.

Step One—Install Deny Hosts

We need to use a repository to install Deny Hosts on CentOS.

sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
sudo yum install denyhosts

Once the program has finished downloading to the VPS, denyhosts is installed and configured.

Step Two—Whitelist IP Addresses

After you install DenyHosts, make sure to whitelist your own IP address. Skipping this step will put you at risk of locking yourself out of your own virtual private server.

Open up the list of allowed hosts:

nano /etc/hosts.allow

Under the description, add in any IP addresses that cannot afford to be banned from the server; you can write each one on a separate line, using this format:

sshd: 12.34.45.678

After making any changes, be sure to restart DenyHosts so that the new settings take effect on your virtual server:

/etc/init.d/denyhosts restart

Step Three—(Optional) Configure DenyHosts

DenyHosts is ready use as soon as the installation is over.

However if you want to customize the behavior of DenyHosts on your server, you can make the changes within the DenyHost configuration file:

nano /etc/denyhosts.conf
By Etel Sverdlov

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.

Sign up
About the authors
Default avatar
Developer and author at DigitalOcean.

Still looking for an answer?

Was this helpful?
7 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

After configuring properly, don’t forget to enable the service so it starts automatically after each reboot. Do something like:

chkconfig denyhosts on

You should add sudo to any of the commands, otherwise users may not be able to save content.

Nevermind, I looked it up.

Does it make sense then if you’re using a dynamic IP to lower this value to, say, a few hours? So if somebody tries to hack from an IP address and it gets blocked and then you hop unto it, the worst that happens is you’re locked out that amount of time. I’d think if a person can only brute for say 3 times every few hours, it’s not much of a brute force attack.

The default file seems to allow for up to 10 failed login attempts from a non-root valid user (only 5 for invalid user attempts). Is that the total for the entire four weeks?

Important note to be aware: If you connect from a computer without a static IP, you cannot set an allowed host. So if you have a login failed attempt in the past 4 weeks (default config) on your current IP, you will be locked out.

In this case, try to reboot your modem to get a new address.

updated. Thank you

Retrieving http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-7.noarch.rpm curl: (22) The requested URL returned error: 404

The latest is 6-8 so: sudo rpm -Uvh http://mirror.metrocast.net/fedora/epel/6/i386/epel-release-6-8.noarch.rpm

You can always check for the latest version at: http://mirror.metrocast.net/fedora/epel/6/i386/