
Remove an IP address that DenyHosts blocked?

posted Jul 30, 2016, 11:55 PM by Dong Xu   [ updated Apr 25, 2017, 3:34 PM ]
In /etc/denyhosts.conf:

WORK_DIR=/var/lib/denyhosts

If you have been accidentally locked out of one of your hosts because DenyHosts has added your address to /etc/hosts.deny, you may have noticed that simply removing it from /etc/hosts.deny does not in itself correct the issue, since DenyHosts keeps track of the attempts in the WORK_DIR files. To clear the address you will need to do the following:

  1. Stop DenyHosts: /etc/init.d/denyhosts stop
  2. Remove the IP address from /etc/hosts.deny
  3. Edit WORK_DIR/hosts and remove the lines containing the IP address. Save the file.
  4. Edit WORK_DIR/hosts-restricted and remove the lines containing the IP address. Save the file.
  5. Edit WORK_DIR/hosts-root and remove the lines containing the IP address. Save the file.
  6. Edit WORK_DIR/hosts-valid and remove the lines containing the IP address. Save the file.
  7. Edit WORK_DIR/users-hosts and remove the lines containing the IP address. Save the file.
  8. (optional) Consider adding the IP address to WORK_DIR/allowed-hosts
  9. Start DenyHosts: /etc/init.d/denyhosts start

Note: Not all of the WORK_DIR files will contain the IP address, so you may want to use grep to determine which files contain it.
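
Steps 2 to 7 as a script, added here as an example and not part of the original page or of DenyHosts; the function name purge_ip and the sample file contents are assumptions. It matches the address as a whole, because a plain grep for 1.1.1.1 also hits the entries for 1.1.1.10 and 11.1.1.1.

```shell
#!/bin/sh
# Added example. Run as root between step 1 (stop) and step 9 (start), e.g.:
#   purge_ip 1.1.1.1 /etc/hosts.deny /var/lib/denyhosts

# purge_ip IP HOSTS_DENY WORK_DIR
# Deletes every line that mentions IP as a whole address and prints the
# files it changed. Returns 2 if IP is not a dotted-quad IPv4 address.
purge_ip() {
    ip=$1; deny=$2; work=$3
    printf '%s\n' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 2
    # Escape the dots and require a non-address character on both sides, so
    # the entries of neighbouring addresses are left alone.
    re="(^|[^0-9.])$(printf '%s' "$ip" | sed 's/\./\\./g')([^0-9.]|\$)"
    tmp=$(mktemp) || return 1
    for f in "$deny" "$work/hosts" "$work/hosts-restricted" \
             "$work/hosts-root" "$work/hosts-valid" "$work/users-hosts"; do
        [ -f "$f" ] || continue
        grep -Eq "$re" "$f" || continue     # not every file has the address
        # grep -v exits 1 when no line is left; anything else is a real error.
        grep -Ev "$re" "$f" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$f"                   # rewrite in place: keeps owner and mode
        printf '%s\n' "$f"
    done
    rm -f "$tmp"
}

# Dry run on constructed sample data in a scratch directory.
d=$(mktemp -d)
printf 'sshd: 1.1.1.1\nsshd: 1.1.1.10\n' > "$d/hosts.deny"
printf '1.1.1.1:6:Sat Jul 30 23:55:01 2016\n' > "$d/hosts"
purge_ip 1.1.1.1 "$d/hosts.deny" "$d"       # prints the two files it changed
cat "$d/hosts.deny"                         # the 1.1.1.10 entry is still there
rm -rf "$d"
```
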

Prevent a legitimate IP address from being blocked by DenyHosts?


Since it is quite possible for a user to mistype their password repeatedly it may be desirable to have DenyHosts prevent specific IP addresses from being added to /etc/hosts.deny. To address this issue, create a file named allowed-hosts in the WORK_DIR. Simply add an IP address, one per line. Any IP address that appears in this file will not be blocked.

Additionally, as of v1.0.3, a valid hostname can also be placed in the allowed-hosts file. For each hostname appearing in this file, the IP address will be resolved and any ssh connections that match either this hostname or this resolved IP address will not be blocked.

# this is a comment line
# the following line prevents DenyHosts from blocking IP address 1.1.1.1
1.1.1.1
# The following lines prevent IP addresses 1.1.1.2 and 1.1.1.3 from being blocked
1.1.1.2
1.1.1.3
#
# The first 3 parts of the IP address must be provided (eg. 1.2.3.)
# The last part of the IP address can be a wildcard.
# The wildcard can be given with an asterisk -or- as a range.
#
# This line prevents all IP address in the 1.1.1 network from being blocked
# 1.1.1.*
#
# This line prevents IP addresses in the range 1.1.1.6 to 1.1.1.23 from being blocked
# 1.1.1.[6-23]
# the following line prevents DenyHosts from blocking the host foo
foo

