denyhosts-server is a server that allows denyhosts clients to share blocked IP addresses. It is intended to be a drop-in replacement for the service at xmlrpc.denyhosts.net that up to now has been provided by the original author of denyhosts.

• Drop-in replacement for legacy denyhosts sync server
• Supports sqlite and mysql databases
• Can run as non-privileged user
• Supports database evolution for easy upgrades
• Robust design which supports hundreds of connections per second
• Supports bootstrapping from legacy server
• Synchronisation algorithm that has safeguards against database poisoning
• Fully configurable
• Dynamically generated statistics web page

• MySQL database is preferred for large sites. For testing purposes sqlite is also supported
• Python 2.7 with setuptools
• The other Python libraries are installed automatically by the setup.py script. The GeoIP library needs the libgeoip development headers. On a Debian system, install them by running apt-get install libgeoip-dev. To install the free GeoIP database, run apt-get install geoip-database. Note: To install the Python GeoIP library on FreeBSD, edit your ~/.pydistutils.cfg to contain the following:

  [build_ext]
  include_dirs=/usr/local/include
  library_dirs=/usr/local/lib
  

• denyhosts-server is developed and tested on a Debian GNU/Linux system. It should work on any Linux system with Python. Microsoft Windows is not a supported platform, although it should work without major modifications.
• On most installations the sqlite3 Python library comes with Python 2.7. If not, you need to install it manually, possibly with using pip: pip install pysqlite or, on Debian/Ubuntu, apt-get install python-pysqlite2.
• If you use a MySQL database, you need to install the appropriate Python library. possibly by running pip install MySQL-python. On Debian/Ubuntu, use apt-get install python-mysqldb.

Run the following command: sudo ./setup.py minify_js minify_css install. This will download the needed Python libraries, minify the used JavaScript and CSS libraries, install the Python scripts onto your system (usually in /usr/local/lib/python2.7/dist-packages), install the default configuration file in /etc/denyhosts-server.conf and the Python script /usr/local/bin/denyhosts-server.

Create the database and a database user with full rights to it. Copy the denyhosts-server.conf.example file to /etc/denyhosts-server.conf and edit it. Fill in the database parameters, the location of the log file (which should be writable by the system user that will be running denyhosts-server) and other settings you wish to change. graph_dir in the stats sections is another location that should be writable by denyhosts-server.

Prepare the database for first use with the command denyhosts-server --recreate-database. This will create the tables needed by denyhosts-server.

Simply run denyhosts-server. Unless there are unexpected errors, this will give no output and the server will just keep running. Configure your DenyHosts clients to use the new synchronisation server by setting

SYNC_SERVER=http://your.host.name:9911

Once the server is running, you can watch the statistics page at http://your.host.name:9911

These URLs look the same, but the xmlrpc library from the DenyHosts client will actually connect to http://your.host.name:9911/RPC2. The port numbers are configurable. The statistics page can be on the same port as the RPC server, or on another.

When denyhosts-server receives the SIGHUP signal, it will re-read the configuration file. Changes to the database configuration are ignored.

Installing the new version of denyhosts-server with ./setup.py install. Edit the configuration file at /etc/denyhosts-server.conf to configure any new feature added since the last release. Check changelog.txt for new configuration items.

Stop denyhosts-server, update the database tables by running denyhosts-server --evolve-database and restart denyhosts-server.

Old reports will be automatically purged by the configurable maintenance job. See the configuration file for configuration options. To clean all reports by clients, use the --purge-reported-addresses command line option. To clean all reports retrieved from the legacy sync server, use the --purge-legacy-addresses command line option. To purge a specific IP address from both the reported and the legacy host lists, use the --purge-ip command line option.

Note: Use these options with care. Do not use them while denyhosts-server is running, since this may cause database inconsistencies. Use the --force command line options to skip the safety prompt when using the purge options.

• denyhosts-server project site
• denyhosts project site
• Information on synchronisation algorithm
• Original, seemingly abandoned DenyHosts project

Copyright (C) 2015 Jan-Pascal van Best janpascal@vanbest.org

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see http://www.gnu.org/licenses/.

The synchronisation algorithm implemented in denyhosts-server is based on an article by Anne Bezemer, published as Debian bug#622697 and archived at Debian bug#622697 The article is Copyright (C) 2011 J.A. Bezemer j.a.bezemer@opensourcepartners.nl and licensed "either GPL >=3 or AGPL >=3, at your option".