- Parses /var/log/secure to find all login attempts and distinguishes failed
from successful attempts.
- Synchronization mode (new in 2.0) allows DenyHosts daemons to share data via a centralized server
to proactively thwart attacks.
- Can be run from the command line, cron or as a daemon (new in 0.9)
- Records all failed login attempts for the user and offending host
- For each host that exceeds a threshold count, records the evil host
- Keeps track of each non-existent user (e.g. sdadasd) when a login attempt
failed.
- Keeps track of each existing user (e.g. root) when a login attempt
failed.
- Keeps track of each offending host (with 0.8+ these hosts can be purged if the associated entry in /etc/hosts.deny
is expired)
- Keeps track of suspicious logins (that is, logins that were successful
for a host that had many login failures)
- Keeps track of the file offset, so that you can reparse the same file
(/var/log/secure) continuously (until it is rotated).
- When the log file is rotated, the script will detect it and parse from
the beginning.
- Appends the newly banned hosts to /etc/hosts.deny
- Optionally sends an email of newly banned hosts and suspicious logins.
- Keeps a history of all users, hosts, user/host combinations and suspicious logins
encountered, which includes the date and number of corresponding failed
login attempts.
- Maintains failed valid and invalid user login attempts in separate
files, such that it is easy to see which valid user is under attack
(which would give you the opportunity to remove the account, change the
password or change its default shell to something like /sbin/nologin)
- Upon each run, the script will load the previously saved data and re-use
it to append new failures.
- Resolves IP addresses to hostnames, if available (new in v0.6.0).
- /etc/hosts.deny entries can be expired (purge) at a user specified time (new in 0.8)
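The bookkeeping the list above describes (failed vs. accepted attempts, valid vs. invalid users, per-host threshold, suspicious logins, saved file offset and rotation detection), shown as an added Python example. This is not DenyHosts' own code: the class name, the threshold parameters, the "sshd: host" output shape and the log lines are all assumptions made here; the log lines are constructed to match the way OpenSSH reports "Failed password ... for invalid user" and "Accepted ... for" in /var/log/secure.

```python
import re
from collections import Counter

# The two OpenSSH line shapes the feature list refers to. sshd marks a
# non-existent account with "invalid user ", which is what separates
# sdadasd-style attempts from root-style ones.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+)"
    r" from (?P<host>[0-9a-fA-F.:]+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<host>[0-9a-fA-F.:]+)"
)


class LoginTracker:
    """Hypothetical DenyHosts-style state: counters, ban list, saved offset."""

    def __init__(self, deny_threshold=3, suspicious_threshold=2):
        self.deny_threshold = deny_threshold              # failures before a host is banned (assumed)
        self.suspicious_threshold = suspicious_threshold  # failures before a success is suspicious (assumed)
        self.failed_by_host = Counter()
        self.failed_valid_users = Counter()    # existing accounts, e.g. root
        self.failed_invalid_users = Counter()  # non-existent accounts, e.g. sdadasd
        self.failed_user_host = Counter()      # (user, host) combinations
        self.suspicious = []                   # (user, host, prior failure count)
        self.banned = set()
        self.offset = 0                        # how far into the log the last run got

    def consume(self, log_text):
        """Parse everything past the saved offset; return hosts newly banned.

        A log shorter than the saved offset has been rotated, so parsing
        restarts from the beginning (a size check is the simplest rotation
        test; it misses a rotated file that has already grown past the old
        offset). Offsets here index the string; a real tool would use the
        byte offset from f.tell().
        """
        if len(log_text) < self.offset:
            self.offset = 0
        new_text = log_text[self.offset:]
        complete, sep, _partial = new_text.rpartition("\n")
        # Only complete lines are consumed; a half-written line is re-read next run.
        self.offset += len(complete) + len(sep)
        newly_banned = []
        for line in complete.splitlines():
            host = self._record(line)
            if (host and host not in self.banned
                    and self.failed_by_host[host] >= self.deny_threshold):
                self.banned.add(host)
                newly_banned.append(host)
        return newly_banned

    def _record(self, line):
        """Update the counters for one line; return the host on a failure."""
        m = FAILED_RE.search(line)
        if m:
            user, host = m.group("user"), m.group("host")
            self.failed_by_host[host] += 1
            self.failed_user_host[(user, host)] += 1
            if m.group("invalid"):
                self.failed_invalid_users[user] += 1
            else:
                self.failed_valid_users[user] += 1
            return host
        m = ACCEPTED_RE.search(line)
        if m:
            user, host = m.group("user"), m.group("host")
            prior = self.failed_by_host[host]   # Counter returns 0 for unseen hosts
            if prior >= self.suspicious_threshold:
                self.suspicious.append((user, host, prior))
        return None

    def hosts_deny_lines(self, hosts, service="sshd"):
        """tcp_wrappers 'daemon: client' lines to append to /etc/hosts.deny (assumed shape)."""
        return [f"{service}: {h}" for h in hosts]


# Constructed sample of /var/log/secure; TEST-NET addresses, not real hosts.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[1201]: Failed password for invalid user sdadasd from 203.0.113.5 port 40100 ssh2
Jan 10 12:00:04 bastion sshd[1202]: Failed password for root from 203.0.113.5 port 40101 ssh2
Jan 10 12:00:09 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 40102 ssh2
Jan 10 12:00:15 bastion sshd[1204]: Accepted password for root from 203.0.113.5 port 40103 ssh2
Jan 10 12:01:00 bastion sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 5022 ssh2
Jan 10 12:01:30 bastion sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

if __name__ == "__main__":
    tracker = LoginTracker()
    banned = tracker.consume(SAMPLE_LOG)
    print("\n".join(tracker.hosts_deny_lines(banned)))
    print("suspicious:", tracker.suspicious)
    print("valid users under attack:", dict(tracker.failed_valid_users))
```

Running the block bans 203.0.113.5 after its third failure and flags the root login that follows as suspicious, while 198.51.100.7 (one failure) and 192.0.2.10 (no failures) stay untouched. Calling consume() again with the same text parses nothing, because the saved offset already points at the end; passing a shorter file resets the offset, which is the rotation case.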