G T Smith wrote:
Then I can recommend fail2ban, http://www.fail2ban.org/wiki/index.php/Main_Page It works for several log files, not just for ssh.
DenyHosts looks like another way of shooting oneself in the foot. It is a naive approach with the potential that a spoofed dictionary attack could end up blocking a large chunk of address space (or a particular address) from accessing your server, effectively allowing yourself to create your own vector for a kind of DoS attack. (I would be rather surprised if this had not been attempted already).
You're right and it should also be noted that many tools have a rather poor log parsing routine, where one can run insertion attacks rather easily against them. fail2ban up to version 0.8 was also vulnerable to that.

http://www.ossec.net/en/attacking-loganalysis.html is a very nice presentation of that problem. One can forgive the author that he touts his own horn, the OSSEC Host Intrusion Detection System (HIDS). But for many small installations, OSSEC or other HIDSes are too big a hammer, IMHO.

Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
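The log-insertion problem mentioned in the message above, shown as an added example that is not part of the original post and is not fail2ban's, DenyHosts' or OSSEC's own code. Both regular expressions, the function name and the log lines are constructed for illustration; the stricter pattern assumes IPv4 addresses and the usual OpenSSH "Failed password" line layout.

```python
import re
from collections import Counter

# Constructed sshd log lines (sample data, not taken from the post).
# In the last three lines the client supplied the username
# "x from 192.0.2.10", so that text ends up inside the logged message.
SAMPLE_LOG = [
    "Jan 10 12:00:01 host sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 12:00:02 host sshd[4243]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.5 port 51235 ssh2",
    "Jan 10 12:00:03 host sshd[4244]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.5 port 51236 ssh2",
    "Jan 10 12:00:04 host sshd[4245]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.5 port 51237 ssh2",
]

# Hypothetical loose pattern: unanchored, the user name is "one token" and
# the host is whatever follows the first "from". Client-chosen text in the
# user name field can therefore be read as the source address.
LOOSE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")

# Hypothetical stricter pattern: the address is the one that sshd itself
# wrote, i.e. the last "from" before the fixed "port N ssh2" tail, and the
# match is anchored to the end of the line. IPv4 only (assumption).
STRICT = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def hosts_to_block(lines, pattern, threshold=3):
    """Return the hosts with at least `threshold` failed logins."""
    counts = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            counts[match.group(1)] += 1
    return {host for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # The loose parser blocks an address that never connected;
    # the anchored parser blocks the real source of the failures.
    print("loose :", hosts_to_block(SAMPLE_LOG, LOOSE))
    print("strict:", hosts_to_block(SAMPLE_LOG, STRICT))
```

Anchoring on the part of the line that the daemon writes after the user-controlled field is what keeps the inserted text from being taken as the address; an allow list of addresses that must never be blocked limits the damage if a pattern is still too loose.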