DenyHosts is a script intended to help Linux system administrators thwart ssh server attacks. DenyHosts scans an ssh server log, adds a rogue host to /etc/hosts.deny once a configurable number of failed attempts from it has been detected, and alerts the administrator of any suspicious logins.
| Licenses | GPL |
|---|---|
| Operating Systems | POSIX Linux |
| Implementation | Python |
Recent releases


Changes: This release adds the ability to specify multiple ADMIN_EMAIL recipients. A bug was fixed in denyfileutil and 'timestamp' is now initialized properly. The daemon-control-dist was modified to work with non-default python versions. A debug message when loading allowed-hosts fails was added. A bug with reporting suspicious login activity was fixed.


Changes: This version adds the PURGE_THRESHOLD setting (defaulting to 0, or "none"), which defines the maximum number of times a host will be purged. Once this number has been exceeded, the host will no longer be purged. A SYSLOG_REPORT option was added, which, if enabled, will send the denied hosts report to syslog (in addition to or instead of email, depending on your other settings). A fix for restricted usernames was also added.


Changes: This release fixes a potential security problem in which purged denied hosts were ignored when they should have been re-added (unless the daemon was restarted). DenyHosts daemon-mode users are urged to upgrade to this release.


Changes: This version allows users to specify environment variable expansions within the configuration file. Other minor feature enhancements and bugfixes were also made.


Changes: This release contains support for the concept of "restricted usernames". Synchronization support for the cron/command-line version has been added. Several new configuration settings have been added, including sync_download_resiliency, reset_on_success, deny_threshold_restricted, and age_reset_restricted.
Recent comments

See also ssh-faker...
There are two approaches to the problem of worms and hackers attacking ssh. One is to scan the logs and put offending ip addresses into /etc/hosts.deny. The other is to deny all ip addresses and put good ip addresses into /etc/hosts.allow.
The first approach uses more cpu time (to scan logs), and won't block one-time-only attempts from worms/hackers/whatnot. On the other hand, if you have lots of people connecting from lots of different ip addresses, it works well.
The second approach uses little cpu time (only run when an unknown ip connects), and blocks one-time-only attempts. On the other hand, if you have lots of ip addresses connecting (or people coming from constantly changing ip addresses), it's not so good.
DenyHosts is an example of the first approach. Another project on freshmeat, ssh-faker (http://freshmeat.net/projects/ssh-faker/) (disclaimer: my project), is an example of the second approach.
With ssh-faker, before you can use ssh, you need to telnet to port 22 and type the password. If you get it right, your ip is added to /etc/hosts.allow. Worms and hackers get an ssh error that says "Your version of ssh is too old" (copied from ssh's source code) and their input is url-escaped and syslogged.
Use DenyHosts when you have something like an ssh-protected anonymous CVS server. The users won't have to jump through an extra hoop to get access, and the password-guessing baddies will be blocked.
Use ssh-faker when you have a limited set of ssh users, and they can use telnet. If their ip addresses don't change, that's a bonus, as they only have to type the password once.
Great
It's simple and useful.
Very good software.
Congratulations.