I'm not a Gentoo user so I can't provide a package for Gentoo. However, Mike Kelly has released a Gentoo package for DenyHosts.

DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host.

Additionally, DenyHosts is included in the Fedora Extras repository repository and should be accessible via yum and/or up2date. You can view the appropriate repository:

DenyHosts should work under Mac OS/X. You will have to edit your denyhosts configuration file (typically denyhosts.cfg) according to the Mac OS X version that you are running:

I run a number of Linux servers and I noticed that one of them was hacked into. Upon browsing my sshd log I noticed that the system was targeted for some time and eventually, somebody hacked out a password. Had I been using DenyHosts, that never would've happened (if only I had the foresight to write this script before my system was compromised!). I then looked at the logs of my other servers, and noticed hundreds of break-in attempts.

DenyHosts uses a simple configuration file. An example, denyhosts.cfg-dist is supplied in the distribution. This file should be copied to denyhosts.cfg and edited to match your system configuration.

Version 0.9.0 introduces daemon mode support. If you run DenyHosts with the --daemon flag, then DenyHosts will run constantly in the background. See the previous link for more details. In addition to the deamon mode, DenyHosts can also be run periodically from the command line. If you do not wish to use the daemon mode, then I recommend that DenyHosts be run from cron on a routine basis. DenyHosts is fairly lightweight and does not put an excessive drain on system resources.

Assuming that you have logrotate installed on your system and is configured to use the /etc/logrotate.d directory for it's configuration files then you can simply create a file, /etc/logrotate.d/denyhosts, edit it and save it. If you have a nonstandard DenyHosts installation then you will need to account for this yourself.

When run for the first time, DenyHosts will create a work directory. The work directory will ultimately store the data collected and the files are in a human readable format, for each editing, if necessary. DenyHosts then processes the sshd server log (typically, this is /var/log/secure, /var/log/auth.log, etc) and determines which hosts have unsuccessfully attempted to gain access to the ssh server. Additionally, it notes the user and whether or not that user is root, otherwise valid (eg.

Most likely it will work with your configuration. However, please see the ssh configuration page for more details.

The DenyHosts logo was designed by Curtis Taylor. Many thanks to Curtis for the logo. Incidentally, Curtis also designed the ReleaseForge logo.

Yes. There are plenty of other tools that have the same goal as DenyHosts but have different implementations. Here is a short list of those that I am aware of:

Presumably, you will need to run DenyHosts as root (in order for DenyHosts to update /etc/hosts.deny and read entries from /var/log), so you first must become root. Once you have either logged in as root (or used su - root, for instance) you can then run the following command: The above command will launch the crontab editor. To launch DenyHosts every 20 minutes you would then add the following line to the crontab: You will need to substitute your site-specific paths above.

Based on a patch contributed by Mike Kelly, DenyHosts 0.7 and greater will successfully parse syslog and metalog log formats. This feature is implemented in a seemless manner so there is no further configuration necessary in order to use DenyHosts with metalog.

Yes. According to Frencesca Smith, DenyHosts 0.7 and greater will work under FreeBSD. DenyHosts automatically detects if you are running it under FreeBSD and if so, will append your deny entries with " : deny". You should also update your HOSTS_DENY configuration value to "/etc/hosts.allow" since FreeBSD does not recognize the default "/etc/hosts.deny" file that many other vendors use.

Yes. DenyHosts has been reported to work with Solaris. However, since Solaris uses a pam_afs format for logging messages, you will need to add this line to your configuration file (typically, denyhosts.cfg ).

In order for DenyHosts to easily parse this log format, simply edit your denyhosts.cfg file and add the following line:

If you have several log files (eg. in your /var/log directory you have ssh server logs with .1, .2, ... .n) due to log rotation then it is best to process the old files first. python denyhosts.py --file=/var/log/secure.log.1 --file=/var/log/secure.log.2 .... --file=/var/log/secure.n Note: You must run DenyHosts as root so that it can read /var/log/ files and update the /etc/hosts.deny file

In all other cases, such as running DenyHosts from cron then technically speaking, no. However, in order to run DenyHosts as non-root you must ensure that you have read-permissions on the /var/log/ sshd server logs. Alternatively, you can copy them to a directory where you do have read-permissions. Also, in order for DenyHosts to block hosts, it needs write permissions for the /etc/hosts.deny file. DenyHosts will gladly run without being able to update this file.

DenyHosts v0.8.0 (and greater) uses the configuration parameter LOCK_FILE which should point to some unique path. When DenyHosts is run initially it will attempt to create this file and record it's process id (pid). If it already exists, DenyHosts will exit indicating that DenyHosts is still running and the pid of the previous process. Upon exit, DenyHosts will delete the LOCK_FILE so that it will not interfere with other instances (such as another instance run from cron).

The WORK_DIR contains files that DenyHosts uses for keeping track of the hackers. In addition to these files that DenyHosts creates and updates there are also some files that are intended as user editable files (those that which the DenyHosts user creates and edits as appropriate). allowed-hosts - contains a list of ip addresses that are exempt from being denied by DenyHosts. For further details refer to the allowed hosts FAQ entry.

Learn how to work with Gentoo: installing software, altering variables, changing Portage behaviour etc. This chapter explains the "simple" steps a user definitely needs to know to maintain the software on his system. USE flags are a very important aspect of Gentoo. In this chapter, you learn to work with USE flags and understand how USE flags interact with your system.

Portions of your donation help support SourceForge and the Python Software Foundation (and PayPal takes a piece too). Whatever money remains will no doubt be spent on delicious beer and other less important necessities of life.

Yes. New in v1.1.5, DenyHosts adds the ability for the user to specify additional regular expressions that can be used to locate possible break-in attempts. The USERDEF_FAILED_ENTRY_REGEX can be specified repeatedly. Each value must contain a single regular expression that includes a host regular expression group and optionally a user group. It is assumed that the end user is familiar with regular expressions in order to take advantage of this feature.

Unfortunately, all log files are not created equally. Depending on the format of your log file, DenyHosts may not be able to process all of the entries. You can supply a suitable custom regular expression in your configuration file. error: PAM: authentication error for SOME_VALID_USERNAME from 192.168.1.1 Then adding this to your configuration file should resolve the issue.

Apparently, yes! Thanks to Tilo Winkler for providing an example of spawning DenyHosts from TCPWRAPPERS.

Yes. DenyHosts checks the first line of your sshd server log file and the file size. It then compares these values to the previous invocation of DenyHosts. If the first line is different, then DenyHosts will process the entire log file (since it is assumed that the log has been rotated). If the current file size is greater then the last offset, then the log file is processed from the last offset.

Since DenyHosts is intended to run from cron, by default it therefor tries to minimize output. In general, only error conditions are output. However, if you'd like to see more details of what it's doing, you can supply the --verbose flag on the command line. Alternatively, if you'd like to see all of the gory details of what DenyHosts is doing, you can invoke DenyHosts with the --debug flag.

Since it is quite possible for a user to mistype their password repeatedly it may be desirable to have DenyHosts prevent specific IP addresses from being added to /etc/hosts.deny. To address this issue, create a file named allowed-hosts in the WORK_DIR. Simply add an IP address, one per line. Any IP address that appears in this file will not be blocked. Additionally, as of v1.0.3, a valid hostname can also be placed in the allowed-hosts file.