DenyHosts
Encyclopedia
DenyHosts is a log
-based intrusion prevention security tool for SSH
servers written in Python
. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP address
es. DenyHosts is developed by Phil Schwartz, who is also the developer of Kodos Python regular expression debugger
.
is occurring and prevents the IP address from making any further attempts by adding it to
DenyHosts may be run manually, as a daemon
, or as a cron
job.
reported that from May until July that year, "compromised computers" at Oracle UK were listed among the ten worst offenders for launching brute force SSH attacks on the Internet. After an investigation, Oracle refuted that any of its computers had been compromised. Daniel B. Cid
wrote a paper showing that
DenyHosts, as well the similar programs, BlockHosts, and Fail2ban
were vulnerable to remote log injection, an attack technique similar to SQL injection
, in which a specially crafted user name is used to trigger a block against a site chosen by the attacker.
Server log
A server log is a log file automatically created and maintained by a server of activity performed by it.A typical example is a web server log which maintains a history of page requests. The W3C maintains a standard format for web server log files, but other proprietary formats exist...
-based intrusion prevention security tool for SSH
Secure Shell
Secure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...
servers written in Python
Python (programming language)
Python is a general-purpose, high-level programming language whose design philosophy emphasizes code readability. Python claims to "[combine] remarkable power with very clear syntax", and its standard library is large and comprehensive...
. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
es. DenyHosts is developed by Phil Schwartz, who is also the developer of Kodos Python regular expression debugger
Kodos Python Regular Expression Debugger
Kodos is a FLOSS regular expression debugger written in Python, developed by Phil Schwartz. Because Python conforms to the Perl Compatible Regular Expressions standard for its regular expressions, Kodos can be used for debugging regular expressions for any other language that conforms.-External...
.
Operation
DenyHosts checks the end of the authentication log for recent failed login attempts. It records information about their originating IP addresses and compares the number of invalid attempts to a user-specified threshold. If there have been too many invalid attempts it assumes a dictionary attackDictionary attack
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.-Technique:...
is occurring and prevents the IP address from making any further attempts by adding it to
/etc/hosts.deny on the server. DenyHosts 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site denyhosts.net gathers statistics from computers running the software.DenyHosts may be run manually, as a daemon
Daemon (computer software)
In Unix and other multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user...
, or as a cron
Cron
Cron is a time-based job scheduler in Unix-like computer operating systems. Cron enables users to schedule jobs to run periodically at certain times or dates...
job.
Controversies
In July 2007, The RegisterThe Register
The Register is a British technology news and opinion website. It was founded by John Lettice, Mike Magee and Ross Alderson in 1994 as a newsletter called "Chip Connection", initially as an email service...
reported that from May until July that year, "compromised computers" at Oracle UK were listed among the ten worst offenders for launching brute force SSH attacks on the Internet. After an investigation, Oracle refuted that any of its computers had been compromised. Daniel B. Cid
Daniel B. Cid
Daniel B. Cid is the lead developer of the open source OSSEC HIDS and a principal researcher at Trend Micro, Inc. His interests range from intrusion detection, log analysis and secure development. He is an active member of the open source community, specially known for creating the OSSEC,...
wrote a paper showing that
DenyHosts, as well the similar programs, BlockHosts, and Fail2ban
Fail2ban
Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally .-Functionality:...
were vulnerable to remote log injection, an attack technique similar to SQL injection
SQL injection
A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website in order to dump the database content to the attacker. SQL injection is a code injection technique that exploits a security vulnerability in a website's software...
, in which a specially crafted user name is used to trigger a block against a site chosen by the attacker.
See also
- Fail2banFail2banFail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally .-Functionality:...
is a similar program that prevents brute force attacks against SSH and other services. - OSSECOSSECOSSEC is a free, open source host-based intrusion detection system . It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD,...
- TCP Wrappers