LinuxLinks.com

Denyhosts

DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. 

It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.

License: GNU GPL
Developer: Phil Schwartz
Website: denyhosts.sourceforge.net
Requirements: Python v 2.3 or greater; sshd server configured with tcp_wrappers support enabled
Support: FAQ, Mailing List
Selected Reviews: Unix Review

Features include:

  • Parses /var/log/secure to find all login attempts and filters failed and successful attempts
  • Synchronization mode allows DenyHosts daemons to share data via a centralized server to proactively thwart attacks
  • Can be run from the command line, cron or as a daemon
  • Records all failed login attempts for the user and offending host
  • For each host that exceeds a threshold count, records the evil host
  • Keeps track of each non-existent user (e.g. sdadasd) when a login attempt failed
  • Keeps track of each existing user (e.g. root) when a login attempt failed
  • Keeps track of each offending host
  • Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
  • Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
  • When the log file is rotated, the script will detect it and parse from the beginning
  • Appends the newly banned hosts to /etc/hosts.deny
  • Optionally sends an email of newly banned hosts and suspicious logins
  • Keeps a history of all user, host, user/host combo and suspicious logins encountered which includes the data and number of corresponding failed login attempts
  • Maintains failed valid and invalid user login attempts in separate files, so that it is easy to see which valid user is under attack (which gives you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin)
  • Upon each run, the script will load the previously saved data and re-use it to append new failures
  • Resolves IP addresses to hostnames, if available
  • /etc/hosts.deny entries can be expired (purged) at a user-specified time
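
The log-analysis features listed above (per-host failure counts, valid versus invalid users, suspicious logins, hosts.deny entries), as an added example that is not DenyHosts' own code. The log lines are constructed, and the function names, the threshold of 3 and the IPv4-only patterns are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure (not real log data).
SAMPLE_LOG = """\
May  5 03:01:10 host sshd[811]: Failed password for invalid user sdadasd from 203.0.113.7 port 4242 ssh2
May  5 03:01:12 host sshd[812]: Failed password for root from 203.0.113.7 port 4243 ssh2
May  5 03:01:15 host sshd[813]: Failed password for root from 203.0.113.7 port 4244 ssh2
May  5 03:02:01 host sshd[820]: Failed password for root from 198.51.100.9 port 5001 ssh2
May  5 03:03:30 host sshd[830]: Accepted password for alice from 203.0.113.7 port 4250 ssh2
May  5 03:04:00 host sshd[840]: Accepted password for bob from 192.0.2.10 port 6000 ssh2
"""

# Assumption: IPv4 sources only, so nothing but an address can reach hosts.deny.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from " + IPV4 + r" port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from " + IPV4 + r" port \d+")

def analyze(log_text, threshold=3):
    """Return (denied_hosts, invalid_users, valid_users, suspicious_logins)."""
    per_host = Counter()
    invalid_users, valid_users = Counter(), Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, host = m.groups()
            per_host[host] += 1
            # sshd marks non-existent accounts with "invalid user".
            (invalid_users if invalid else valid_users)[user] += 1
            continue
        m = ACCEPTED.search(line)
        # A success from a host that already reached the threshold is suspicious.
        if m and per_host[m.group(2)] >= threshold:
            suspicious.append((m.group(1), m.group(2)))
    denied = sorted(h for h, n in per_host.items() if n >= threshold)
    return denied, invalid_users, valid_users, suspicious

def hosts_deny_lines(denied, service="sshd"):
    """Format tcp_wrappers entries (daemon: client) for /etc/hosts.deny."""
    return ["%s: %s" % (service, host) for host in denied]

if __name__ == "__main__":
    denied, invalid_users, valid_users, suspicious = analyze(SAMPLE_LOG)
    print("\n".join(hosts_deny_lines(denied)))
    print("invalid users:", dict(invalid_users), "valid users:", dict(valid_users))
    print("suspicious logins:", suspicious)
```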

Last Updated Monday, May 05 2008 @ 03:10 AM EDT

