If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/messages on OpenSuSe, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
DenyHosts attempts to address the above... and more by by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses, adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
* Parses authentication log to find all login attempts and filters failed and successful attempts
* Synchronization mode allows DenyHosts daemons the ability to share data via a centralized server to proactively thwart attacks
* DenyHosts Can be run from the command line, cron or as a daemon
* Records all failed login attempts for the user and offending host
* For each host that exceeds a threshold count, records the evil host
* Keeps track of each non-existent user when a login attempt failed
* Keeps track of each existing user (eg. root) when a login attempt failed
* Keeps track of each offending host
* Keeps track of suspicious logins (that is, logins that were successful for a host that had many login failures)
* Keeps track of the file offset, so that you can reparse the same file (/var/log/secure) continuously (until it is rotated).
* When the log file is rotated, the script will detect it and parse from the beginning
* Appends /etc/hosts.deny and adds the newly banned hosts
* Optionally sends an email of newly banned hosts and suspicious logins
* Keeps a history of all user, host, user/host combo and suspicious logins encountered which includes the data and number of corresponding failed login attempts
* Maintains failed valid and invalid user login attempts in separate files, such that it is easy to see which valid user is under attack (which would give you the opportunity to remove the account, change the password or change it's default shell to something like /sbin/nologin
* Upon each run, the script will load the previously saved data and re-use it to append new failures
* Resolves IP addresses to hostnames, if available
* /etc/hosts.deny entries can be expired (purge) at a user specified time
Installation: Use "1-click" installer to install DenyHosts
OpenSuSe 11.1 - Install DenyHosts
OpenSuSe 11.0 - Install DenyHosts
Configuration of Denyhosts:
You can find the main configuration: /etc/denyhosts.conf where most of the settings are good for any normal operation of DenyHosts but you can also tweak it more to suite your needs. look into the comments in this file to know more about the configuration details
Few other important setting:
# vi /var/lib/denyhosts/allowed-hosts
# vi /etc/hosts.allow
# vi /etc/hosts.allow
you'll want to add in these 2 files the IP(s) you will use to connect to your system that's running Denyhosts so that you aren't inadvertently denied access to your own system(s).
Starting the service and marking it to run on each system reboot:
# service denyhosts start; chkconfig --level 2345 denyhosts on