G T Smith wrote:
> Then I can recommend fail2ban,
> http://www.fail2ban.org/wiki/index.php/Main_Page
> It works for several log files, not just for ssh.
> DenyHosts looks like another way of shooting oneself in the foot. It is
> a naive approach with the potential that a spoofed dictionary attack
> could end up blocking a large chunk of address space (or a particular
> address) from accessing your server, effectively allowing yourself to
> create your own vector for a kind of DoS attack. (I would be rather
> surprised if this had not been attempted already.)
You're right and it should also be noted that many tools have a
rather poor log parsing routine, where one can run insertion
attacks rather easily against them. fail2ban up to version 0.8 was
also vulnerable to that.
http://www.ossec.net/en/attacking-loganalysis.html
is a very nice presentation of that problem. One can forgive the
author that he touts his own horn, the OSSEC Host Intrusion
Detection System (HIDS). But for many small installations, OSSEC or
other HIDSes are too big a hammer, IMHO.
Joachim
--
Joachim Schrod Email: [EMAIL PROTECTED]
Roedermark, Germany
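A small illustration of the log-insertion problem described above, added here as an example and not code from fail2ban or OSSEC. The sshd lines are constructed rather than captured, and both regular expressions are hypothetical parsers written for this example, not fail2ban's own filters: the naive one picks the first "from <address>" after the username, so attacker-chosen text in the username field can make it ban the wrong address, while the anchored one reads the address from the fixed trailer at the end of the line and validates it.

```python
import ipaddress
import re

# Constructed sample lines (not captured from a real sshd). The second one
# carries attacker-chosen text in the username field that imitates the tail
# of a genuine entry, naming an address that never connected.
SAMPLE_LOG = [
    "Mar  3 12:00:01 host sshd[2201]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51234 ssh2",
    "Mar  3 12:00:02 host sshd[2202]: Failed password for invalid user "
    "root from 198.51.100.250 port 22 ssh2 from 203.0.113.7 port 51235 ssh2",
]

# Naive pattern (hypothetical): stops the username at the first space and
# takes whatever follows the first ' from '.
NAIVE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Anchored pattern (hypothetical): requires the fixed ' from <ip> port <n> ssh2'
# trailer at the very end of the line, so text earlier in the line cannot
# supply the address.
STRICT = re.compile(
    r"Failed password for .+ from (\d{1,3}(?:\.\d{1,3}){3}) port (\d+) ssh2$"
)


def naive_source(line: str):
    """Address a naive parser would act on, or None if no match."""
    m = NAIVE.search(line)
    return m.group(2) if m else None


def strict_source(line: str):
    """Address from the end-of-line trailer, validated as IPv4, else None."""
    m = STRICT.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def looks_injected(line: str) -> bool:
    """Flag lines that contain the trailer tokens more than once; a genuine
    failed-login entry carries exactly one ' from ' and one ' ssh2'."""
    return line.count(" from ") > 1 or line.count(" ssh2") > 1


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(naive_source(line), strict_source(line), looks_injected(line))
```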