Jump to content

DenyHosts

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Trembluer12 (talk | contribs) at 05:27, 8 April 2016. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

DenyHosts
Developer(s)Phil Schwartz
Stable release
3.0 / 27 June 2015; 9 years ago (2015-06-27)
Repository
Written inPython
Operating systemLinux, FreeBSD
TypeSecurity / HIPS
LicenseGPL
Websitedenyhost.sourceforge.net

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. DenyHosts is developed by Phil Schwartz, who is also the developer of Kodos Python Regular Expression Debugger.

Operation

DenyHosts checks the end of the authentication log for recent failed login attempts. It records information about their originating IP addresses and compares the number of invalid attempts to a user-specified threshold. If there have been too many invalid attempts it assumes a dictionary attack is occurring and prevents the IP address from making any further attempts by adding it to /etc/hosts.deny on the server. DenyHosts 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site denyhosts.net gathers statistics from computers running the software.

DenyHosts is restricted to connections using IPv4. It does not work with IPv6.

DenyHosts may be run manually, as a daemon, or as a cron job.

Discoveries

In July 2007, The Register reported that from May until July that year, "compromised computers" at Oracle UK were listed among the ten worst offenders for launching brute force SSH attacks on the Internet. After an investigation, Oracle refuted that any of its computers had been compromised.[1]

Vulnerabilities

Daniel B. Cid wrote a paper showing that DenyHosts, as well the similar programs Fail2ban and BlockHosts, were vulnerable to remote log injection, an attack technique similar to SQL injection, in which a specially crafted user name is used to trigger a block against a site chosen by the attacker.[2] This was fixed in version 2.6.[3]

See also

References

General references