DenyHost News

What's new?

The latest release of DenyHost, version 3.1, brings about a few minor, yet important changes. Apart from updating some of our documentation, we have added the following:
  • Fixed a type check in DenyHosts/ which was causing problems when moving between Python2 and Python3.
  • Added checks to see if an IP address is valid. This pulls in the requirement for the ipaddr Python module.
  • Added check to see if there is a break-in attempt against the Dovecot imap service. This is an option which can be enabled/disabled in the configuration file. It is turned off by default.
  • DenyHost now depends on ipaddr (py-ipaddr), a Python module which has been added to the dependency list of the file.

We are happy to report that lots of work has been going on behind the scenes to improve DenyHosts and we have released DenyHosts version 3.0. Changes that have been introduced since the 2.10 release are as follows:

Initial translation of code from Python 2 to Python 3. DenyHosts can now be run as either a Python 2 or a Python 3 program. The new code has been tested with Python 2.7 and Python 3.4. If you require an older version of Python, please continue to use DenyHosts 2.10 and let us know of your requirements.

Added patch from Fedora to fix the initial sync issue and ensure the info logging stream is active.
(Provided by Jason Tibbitts.)

Added "import logging" to avoid errors when setting up logging. (See above change.)

Added option PF_TABLE_FILE to the configuration file. When this option is enabled it causes DenyHosts to write blocked IP addresses to a text file. The default location is /etc/blacklist. This text file should correspond to a PF firewall table.

At start-up, try to create the file specified by HOSTS_DENY. That way we avoid errors later if the file does not exist. This can be a problem on operating systems where /etc/hosts.deny does not exist in the default configuration.

Added regex pattern to detect invalid user accounts. This blocks connections from remote hosts that are attempting to log in with accounts not found on the local system. While these connections to non-existent accounts are relatively harmless, they are usually part of a brute force attack, and filtering them before they reach OpenSSH is a good idea.
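As an added illustration of the three items above (IP validation, the PF table file and the invalid-user pattern), the script below scans constructed sshd log lines for "Invalid user" attempts, drops malformed addresses, and writes repeat offenders to a PF-table-style text file. It is example code, not DenyHosts' own; the regex, the threshold and the use of the standard-library ipaddress module (in place of the ipaddr module DenyHosts requires) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not real data). "Invalid user" is the
# OpenSSH message for login attempts against accounts that do not exist.
SAMPLE_LOG = """\
Jan 10 03:14:07 host sshd[2211]: Invalid user admin from 203.0.113.45
Jan 10 03:14:09 host sshd[2213]: Invalid user oracle from 203.0.113.45
Jan 10 03:14:12 host sshd[2215]: Invalid user test from 203.0.113.45
Jan 10 03:15:00 host sshd[2220]: Invalid user guest from 198.51.100.7
Jan 10 03:15:30 host sshd[2222]: Invalid user root from 999.1.1.1
Jan 10 03:16:02 host sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
"""

# Hypothetical pattern in the spirit of the invalid-user check; not the
# project's own regex.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

def valid_ip(text):
    """True only if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def count_invalid_users(log_text):
    """Count invalid-user attempts per source IP, discarding malformed addresses."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m and valid_ip(m.group("ip")):
            counts[m.group("ip")] += 1
    return counts

def hosts_to_block(counts, threshold):
    """Sorted list of hosts with at least `threshold` invalid-user attempts."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def write_pf_table(hosts, path):
    """One address per line, the format `pfctl -t <table> -T replace -f <file>` loads."""
    with open(path, "w") as fh:
        for ip in hosts:
            fh.write(ip + "\n")
    return len(hosts)

if __name__ == "__main__":
    blocked = hosts_to_block(count_invalid_users(SAMPLE_LOG), threshold=3)
    print(blocked)  # ['203.0.113.45']
```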

Finally, Jan-Pascal has created a sync server for DenyHosts which will allow DenyHosts services to coordinate lists of banned IP addresses. The new sync server is open source (GPLv3) and can be set up on private servers, networks and VPS. We plan to set up our own sync server in the near future. When a sync server is created it will be announced here.

For several years now users of DenyHosts have been asking for an open source synchronization server, a central hub that would allow DenyHosts to coordinate and share malicious IP addresses. Thanks to the tireless efforts of Jan-Pascal, an open source (GPLv3) synchronization server has been made publicly available.

The synchronization server is developed separately from DenyHosts, but the developers of both projects are sharing notes and bug reports and looking at coordinating resources. At this time the sync server is in its early stages, but it has been working well in our initial tests. We hope to have an official sync server up and running in the coming months.

For now, if you would like to run your own sync server to coordinate DenyHosts IP addresses, you can visit the sync server project's GitHub page.

We are pleased to announce the release of DenyHost 2.10. This new version is mostly a bug-fix release, with many of the fixes coming from Jason Tibbitts who packages DenyHost for the Fedora project. (Thank you, Jason.) In version 2.10, DenyHost can now correctly unlock stale PID files, a new systemd service unit file has been added and DenyHost now properly logs information when running in foreground mode. DenyHost now detects PAM authentication errors on FreeBSD, the example PF firewall rule was improved and our documentation was cleaned up. DenyHost no longer requires that ETC_DIR is declared in the configuration file, and we default to using /etc as our configuration directory if none is specified.

For a complete list of changes, please see the ChangeLog file.

The DenyHost project, hosted here at SourceForge, has merged with another fork of DenyHosts over on Github. We will use the Github source code repository to coordinate our efforts, and periodic releases will be posted here. Please see our Download page for all package and source code options.

DenyHost 2.9 adds one new feature, the ability to work with the PF packet filter, popular on BSD systems such as FreeBSD, OpenBSD, NetBSD, PC-BSD and TrueOS. The DenyHost daemon will now work with existing PF tables in real time, allowing administrators to block incoming secure shell connections at the firewall level. Examples of how to set up the appropriate PF rules and enable DenyHost to work with PF are available in the DenyHost configuration file (denyhosts.conf).

DenyHost 2.8 brings with it several important new features. Perhaps the most important is the ability for DenyHost to use the Linux firewall (iptables) to block aggressive hosts. Using iptables is an optional feature and reduces our dependency on tcp_wrappers. Administrators can optionally block all ports from an aggressive client, or just a specific port, such as port 22 (the default for secure shell connections).

This release also adds two new command line flags, --purgeip and --purge-all. These two flags allow the administrator to clean out old hosts from our denied list.

A new manual page has been added (provided by the Debian project) and it documents command line flags.

The 2.8 version of DenyHost improves regular expression usage, cleans up error handling a little and we try to avoid spamming any DenyHost plugins with unnecessary host addresses.

The 2.7 release contains a minor DoS security fix and some minor bug fixes. The DoS security issue affects all versions of DenyHosts prior to v2.6. All users are urged to upgrade to DenyHosts v2.6. Consult the Changelog for the gory details.

DenyHost includes the following:

DenyHosts 2.0 introduced synchronization mode, which allows DenyHosts daemons to proactively thwart attackers before they strike your ssh server. Read the FAQ for important information on how to configure DenyHosts for synchronization mode (hint: it's easy, but you must enable it explicitly).

If you are upgrading from a version prior to 1.0.0 please read this important FAQ entry.