DenyHosts 2.6 review
DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks.
If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
DenyHosts attempts to address the above... and more.
Here are some key features of "DenyHosts":
Parses /var/log/secure to find all login attempts and filters failed and successful attempts.
Can be run from the command line, cron or as a daemon (new in 0.9)
Records all failed login attempts for the user and offending host
For each host that exceeds a threshold count, records the evil host
Keeps track of each non-existent user (e.g. sdadasd) for which a login attempt failed.
Keeps track of each existing user (e.g. root) for which a login attempt failed.
Keeps track of each offending host (with 0.8+ these hosts can be purged if the associated entry in /etc/hosts.deny is expired)
Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
When the log file is rotated, the script will detect it and parse from the beginning.
Appends the newly banned hosts to /etc/hosts.deny.
Optionally sends an email of newly banned hosts and suspicious logins.
Keeps a history of all user, host, user/host combo and suspicious logins encountered which includes the data and number of corresponding failed login attempts.
Maintains failed valid and invalid user login attempts in separate files, so that it is easy to see which valid user is under attack (which gives you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin).
Upon each run, the script will load the previously saved data and re-use it to append new failures.
Resolves IP addresses to hostnames, if available (new in v0.6.0).
/etc/hosts.deny entries can be expired (purged) after a user-specified time (new in 0.8).
FreeBSD support (added in 0.7)
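The core of what the feature list describes is a pass over sshd's log that counts failures per offending host, keeps failed valid and invalid user names apart, bans hosts that reach a threshold and flags a successful login from a host that had already failed many times. The following Python snippet is an added illustration of that logic, not DenyHosts' own code: the log lines, host names, the threshold value and the regexes are constructed for the example, and it leaves out the file-offset and log-rotation tracking.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
# Constructed sshd log lines in OpenSSH's syslog format (sample data, not a real log).
SAMPLE_LOG = """\
Jan 10 03:14:01 srv sshd[1201]: Failed password for invalid user sdadasd from 203.0.113.7 port 4022 ssh2
Jan 10 03:14:03 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Jan 10 03:14:05 srv sshd[1203]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jan 10 03:15:00 srv sshd[1204]: Accepted password for alice from 203.0.113.7 port 4100 ssh2
Jan 10 03:20:00 srv sshd[1205]: Failed password for root from 198.51.100.9 port 5000 ssh2
Jan 10 03:21:00 srv sshd[1206]: Accepted publickey for bob from 192.0.2.44 port 6000 ssh2
"""

# Anchored on sshd's own "from <addr> port" field so the address is taken only
# from what sshd fills in, never from the client-supplied user name.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def is_ip(text):
    try:                      # only a syntactically valid address may be banned
        ip_address(text)
        return True
    except ValueError:
        return False

def analyze(log_text, threshold=3):
    """Per-host and per-user failure counts, hosts over threshold, suspicious logins."""
    failures = defaultdict(int)       # offending host -> failed attempts
    invalid_users = defaultdict(int)  # non-existent user names tried
    valid_users = defaultdict(int)    # existing users under attack
    suspicious = []                   # (user, host): success after many failures
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, host = m.groups()
            if is_ip(host):
                failures[host] += 1
                (invalid_users if invalid else valid_users)[user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, host = m.groups()
            if failures.get(host, 0) >= threshold:
                suspicious.append((user, host))
    banned = sorted(h for h, n in failures.items() if n >= threshold)
    return {"banned": banned, "invalid_users": dict(invalid_users),
            "valid_users": dict(valid_users), "suspicious": suspicious}

def hosts_deny_lines(banned):
    return ["sshd: %s" % h for h in banned]  # tcp_wrappers form: 'sshd: <addr>'
```

With the sample data and a threshold of 3, 203.0.113.7 is banned after its third failure and alice's later success from that host is reported as suspicious, while 198.51.100.9 (one failure) is only recorded.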
Requirements:
Python v2.3 (or greater)
sshd server configured with tcp_wrappers support enabled
What's New in This Release:
Security fix: malicious users could cause a DoS of ssh. For more info see http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6301
Fixed bug in regex.py: 2 failed-entry regexes weren't included properly in the hash.
Fixed bug in denyhosts.py: attribute error on self.__sync_download.