> Why have a script that parses a log file, which is written buffered, do a job that iptables can do already?
As far as I am aware, iptables can not look logically at a set of data and determine that it is a break-in attempt. For example, as Otto is trying to do, you can limit the number of attempts from a certain IP address range over a period of time. However, what happens if the attack script decides to attack each IP only once an hour? Then our iptables filter will not prevent a long-term attack from succeeding.
> Furthermore, there is an even more trivial way to achieve the same: put your sshd on a port != 22.
The scripts out there are getting more and more complex, and I have seen evidence of them looking at non-standard ports already. No method is foolproof. The problem that denyhosts now faces is that a distributed attack on a single IP from multiple IPs isn't possible to detect with denyhosts.

Ron
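The two gaps Ron describes above (a slow attacker that tries only once every few hours, and a distributed attack where each source fails only once) as an added example that is not part of this thread or of denyhosts: a small Python scan over constructed sshd syslog lines (the line format, the assumed year and the thresholds are assumptions) that uses a long per-IP window for the first case and counts distinct source IPs per target username for the second.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar  3 00:05:11 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar  3 06:07:42 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Mar  3 12:09:03 host sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 4003 ssh2
Mar  3 17:10:55 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Mar  3 18:11:20 host sshd[105]: Failed password for root from 198.51.100.7 port 5001 ssh2
Mar  3 18:11:25 host sshd[106]: Failed password for root from 198.51.100.8 port 5002 ssh2
Mar  3 18:11:31 host sshd[107]: Failed password for root from 198.51.100.9 port 5003 ssh2
"""  # constructed sample lines; syslog omits the year, so parse_failures assumes one
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

def parse_failures(text, year=2024):
    events = []  # (timestamp, source_ip, target_user) for every failed-login line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # accepted logins and other sshd lines are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events

def flag_windows(hits_by_key, window, threshold):
    """Keys whose (time, value) hits hold >= threshold distinct values in some `window`."""
    flagged = {}
    for key, hits in hits_by_key.items():
        hits.sort()
        for t0, _ in hits:
            vals = {v for t, v in hits if t0 <= t <= t0 + window}
            if len(vals) >= threshold:
                flagged[key] = vals
                break
    return flagged

def slow_attackers(events, window=timedelta(hours=24), threshold=4):
    """Source IPs with >= threshold failures in some `window`: 24h catches once-an-hour tries."""
    by_ip = defaultdict(list)
    for n, (ts, ip, _) in enumerate(events):
        by_ip[ip].append((ts, n))  # the event index makes every failure count once
    return set(flag_windows(by_ip, window, threshold))

def distributed_targets(events, window=timedelta(minutes=5), min_ips=3):
    """Usernames hit from >= min_ips sources in `window`; a per-IP rule never sees this."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))  # distinct source IPs per target user
    return flag_windows(by_user, window, min_ips)
```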