DenyHosts is a script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system.
It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host.
It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
Key Features
- Parses /var/log/secure to find all login attempts and filters failed and successful attempts.
- Synchronization mode allows DenyHosts daemons to share data via a centralized server to proactively thwart attacks.
- Can be run from the command line, cron or as a daemon.
- Records all failed login attempts for the user and offending host.
- For each host that exceeds a threshold count, records the evil host.
- Keeps track of each non-existent user (e.g. sdadasd) when a login attempt failed.
- Keeps track of each existing user (e.g. root) when a login attempt failed.
- Keeps track of each offending host.
- Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures).
- Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
- When the log file is rotated, the script will detect it and parse from the beginning.
- Appends newly banned hosts to /etc/hosts.deny.
- Optionally sends an email of newly banned hosts and suspicious logins.
- Keeps a history of all user, host, user/host combo and suspicious logins encountered which includes the data and number of corresponding failed login attempts.
- Maintains failed valid and invalid user login attempts in separate files, so that it is easy to see which valid user is under attack (which would give you the opportunity to remove the account, change the password or change its default shell to something like /sbin/nologin).
- Upon each run, the script will load the previously saved data and re-use it to append new failures.
- Resolves IP addresses to hostnames, if available.
- /etc/hosts.deny entries can be expired (purged) at a user-specified time.
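The core of the feature list above (offset tracking with rotation detection, per-host thresholds, separate valid/invalid user counts, suspicious logins, hosts.deny entries) can be sketched as follows. This is an added example, not DenyHosts' own code; the function names, the sample log lines and the "file shrank" rotation heuristic are assumptions made for illustration.

```python
import os
import re
from collections import Counter

# Anchored at end of line with a greedy user field, so a username that itself
# contains " from <ip>" cannot replace the real source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.+) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (.+) from (\S+) port \d+ ssh2")

# Constructed sample in /var/log/secure style; addresses are documentation ranges.
SAMPLE = (
    "Jan 10 03:12:01 srv sshd[811]: Failed password for invalid user sdadasd from 203.0.113.7 port 4242 ssh2\n"
    "Jan 10 03:12:04 srv sshd[811]: Failed password for root from 203.0.113.7 port 4243 ssh2\n"
    "Jan 10 03:12:09 srv sshd[811]: Failed password for root from 203.0.113.7 port 4244 ssh2\n"
    "Jan 10 03:12:15 srv sshd[811]: Accepted password for root from 203.0.113.7 port 4245 ssh2\n"
    "Jan 10 03:20:00 srv sshd[902]: Failed password for alice from 198.51.100.20 port 5000 ssh2\n"
    "Jan 10 03:20:30 srv sshd[902]: Accepted publickey for alice from 198.51.100.20 port 5001 ssh2\n"
)

def read_new(path, offset):
    """Return (text appended since offset, new offset); restart at 0 after rotation."""
    if os.path.getsize(path) < offset:  # file shrank: treat as rotated (assumed heuristic)
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    return data.decode("utf-8", "replace"), offset + len(data)

def analyze(text, threshold=3, state=None):
    """Update failure counts; return (state, hosts to deny, suspicious logins)."""
    state = state or {"hosts": Counter(), "valid": Counter(), "invalid": Counter()}
    suspicious = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, host = m.groups()
            state["hosts"][host] += 1
            state["invalid" if invalid else "valid"][user] += 1
            continue
        m = ACCEPTED.search(line)
        if m and state["hosts"][m.group(2)] >= threshold:
            suspicious.append(m.groups())  # successful login after many failures
    deny = sorted(h for h, n in state["hosts"].items() if n >= threshold)
    return state, deny, suspicious

def hosts_deny_lines(hosts):
    """Format entries in /etc/hosts.deny (TCP wrappers) syntax."""
    return ["sshd: %s" % h for h in hosts]
```

Passing the returned `state` and offset back in on the next run mirrors the "load the previously saved data and re-use it" behaviour in the list; persisting them to disk is left out here.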
Website: denyhosts.sourceforge.net
Support: FAQ
Developer: Phil Schwartz
License: GNU General Public License
DenyHosts is written in Python.
Related Software
| Intrusion Prevention for SSH | |
|---|---|
| Fail2Ban | Intrusion prevention software framework written in Python |
| SSHGuard | Protects hosts from brute-force attacks against SSH and other services |
| denyhosts | Helps thwart SSH server attacks |
| iptables | Configure the Linux 2.4.x and later packet filtering ruleset |
| CSF | ConfigServer Security & Firewall |
| reaction | Daemon that scans program outputs for repeated patterns, and takes action |

