DenyHosts lock-out

From Applied Optics Wiki
Jump to: navigation, search

Back to Linux How-tos


NOTE

This has been superseded by the use of fail2ban


DenyHosts

DenyHosts is a daemon (background program) running on pretty much all our Linux PCs. It keeps track of repeated failed attempts to log in. If there are several failed attempts within a certain time period, then the IP address of the PC failing to log in is blocked. Sometimes it blocks your IP even if you don't recall repeatedly failing to log in. Either way, you could end up being prevented from being able to log in, usually from home.

hosts.deny

The blocking is done by adding the offending IP to /etc/hosts.deny However, removing your IP from this file is not sufficient, as the denyhosts daemon keeps its own log of offending IP addresses.

To enable yourself to log in again, the first thing you need is access to the machine. This initially sounds a bit like There's a hole in my bucket, but usually you can get in via another PC.

There is a FAQ on how to do this at http://denyhosts.sourceforge.net/faq.html#3_19 which is reproduced below for convenience:

How can I remove an IP address that DenyHosts blocked?

If you have been accidentally locked out of one of your hosts (because DenyHosts has added it to /etc/hosts.deny you may have noticed that simply removing it from /etc/hosts.deny does not in itself correct the issue) since DenyHosts keeps track of the attempts in the WORK_DIR files. In order to cleanse the address you will need to do the following:

  • Stop DenyHosts
  • Remove the IP address from /etc/hosts.deny
  • Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
  • Edit WORK_DIR/user-hosts and remove the lines containing the IP address. Save the file.
  • (optional) Consider adding the IP address to WORK_DIR/allowed-hosts
  • Start DenyHosts

Note: Not all of the WORK_DIR files will contain the IP address so you may want to use grep to determine which files contain the IP address.

Notes

References to WORK_DIR mean /var/lib/denyhosts

You need to be root for all of the above. If you don't know how to be root, or are too scared of doing so, then find someone who does. You should know who that is. Point them to this wiki if they look confused.

To stop DenyHosts, use:

/etc/init.d/denyhosts stop

I will leave it as an exercise for the student to work out how to start it again.