DenyHosts is a Python script designed to analyze sshd server log messages to determine which hosts are attempting to break into the system. It also determines which user accounts are being targeted and keeps track of the frequency of attempts from each host.
DenyHosts is used to monitor and analyze SSH server logs for invalid login attempts, dictionary-based attacks and brute-force attacks. It blocks IP addresses that have repeatedly attacked the host by adding an entry to the /etc/hosts.deny file, which is intended to prevent future break-in attempts from that host.
DenyHosts is an alternative to Fail2ban; DenyHosts is simpler and can be configured manually. A DenyHosts report can be sent by email to the sysadmin or another authorized person. DenyHosts requires Python v2.3 (or greater) and an sshd server configured with tcp_wrappers enabled. DenyHosts runs on several Linux distributions and other Unix-like systems, including Fedora Core, Red Hat, Debian, Gentoo, Solaris, FreeBSD, and Mac OS X.
How does DenyHosts work?
When run for the first time, DenyHosts will create a work directory. The work directory will ultimately store the data collected; the files are in a human-readable format for easy editing, if necessary.
DenyHosts then processes the sshd server log (typically /var/log/secure, /var/log/auth.log, etc.) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. Additionally, it notes the user and whether that user is root, otherwise valid (e.g. has a system account) or invalid (e.g. does not have a system account).
When DenyHosts determines that a given host has attempted to log in using a non-existent user account a configurable number of times (this is known as the DENY_THRESHOLD_INVALID), DenyHosts will add that host to the /etc/hosts.deny file. This will prevent that host from contacting your sshd server again.
The DENY_THRESHOLD_ROOT configuration value specifies the maximum acceptable number of times the root user account can fail to log in before being blocked. Typically this value is set lower than DENY_THRESHOLD_INVALID so that root-level attackers are blocked earlier than other accounts. It is also good practice to disable root logins in the sshd.conf file in conjunction with this setting. By doing so, no user can log in as root over ssh, and the host will be blocked from attacking other user accounts once DENY_THRESHOLD_ROOT is reached.
The DENY_THRESHOLD_VALID configuration value specifies the maximum acceptable number of times a valid user (i.e. a user that exists in /etc/passwd) can fail to log in before being blocked. This parameter can be helpful for those with “fat fingers”. Typically this value is set higher than DENY_THRESHOLD_INVALID.
Also, DenyHosts will note any successful logins that occurred from a host that has already exceeded the deny threshold. These are known as suspicious logins and should be investigated further by the system admin.
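The threshold logic described above, as an added example in Python that is not DenyHosts' own code: it parses constructed sshd log lines, counts failures per host in the three categories, decides which hosts cross their threshold, flags later successful logins from those hosts as suspicious, and renders the tcp_wrappers entries that would be appended to /etc/hosts.deny. The regular expressions, threshold values and sample addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in the /var/log/auth.log style DenyHosts parses;
# the addresses and user names are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar  1 10:00:03 srv sshd[2102]: Failed password for invalid user oracle from 198.51.100.7 port 41023 ssh2
Mar  1 10:00:05 srv sshd[2103]: Failed password for root from 203.0.113.9 port 50210 ssh2
Mar  1 10:00:06 srv sshd[2104]: Failed password for alice from 192.0.2.4 port 38811 ssh2
Mar  1 10:00:09 srv sshd[2105]: Accepted password for alice from 198.51.100.7 port 41030 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")

# Per-category limits named after the DenyHosts settings discussed above:
# root is blocked soonest, valid users ("fat fingers") get the most slack.
THRESHOLDS = {"DENY_THRESHOLD_ROOT": 1, "DENY_THRESHOLD_INVALID": 2,
              "DENY_THRESHOLD_VALID": 5}

def category(user, is_invalid):
    """Map a failed login to the threshold setting that governs it."""
    if user == "root":
        return "DENY_THRESHOLD_ROOT"
    return "DENY_THRESHOLD_INVALID" if is_invalid else "DENY_THRESHOLD_VALID"

def analyze(log_text, thresholds=THRESHOLDS):
    """Return ({host: threshold it crossed}, [(user, host) suspicious logins])."""
    failures = defaultdict(int)  # (host, category) -> failed attempts seen
    denied, suspicious = {}, []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            is_invalid, user, host = bool(m.group(1)), m.group(2), m.group(3)
            cat = category(user, is_invalid)
            failures[(host, cat)] += 1
            if failures[(host, cat)] >= thresholds[cat]:
                denied.setdefault(host, cat)
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in denied:
            # Success from a host that already crossed a threshold: flag it.
            suspicious.append((m.group(1), m.group(2)))
    return denied, suspicious

def hosts_deny_lines(denied):
    """Render tcp_wrappers entries like those DenyHosts appends to /etc/hosts.deny."""
    return ["sshd: %s" % host for host in sorted(denied)]
```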
According to the official site, DenyHosts has many features:
– Parses /var/log/secure to find all login attempts and separates failed from successful attempts.
– Synchronization mode (new in 2.0) allows DenyHosts daemons to share data via a centralized server in order to proactively thwart attacks.
– Records all failed login attempts for the user and offending host.
– For each host that exceeds a threshold count, records the offending host.
– Keeps track of each non-existent user (e.g. sdadasd) and each existing user (e.g. root) when a login attempt fails.
– When the system rotates the log file, the script detects this and parses from the beginning.
– Appends the newly banned hosts to /etc/hosts.deny.
– Optionally sends an email of newly banned hosts and suspicious logins.
– Keeps a history of all users, hosts, user/host combinations and suspicious logins encountered, including the date and number of corresponding failed login attempts.
– On each run, the script loads the previously saved data and reuses it when appending new failures.
– Resolves IP addresses to hostnames, if available (new in v0.6.0).
– A user can set the expiration time of /etc/hosts.deny entries (new in 0.8).
– FreeBSD support (added in 0.7).