DenyHosts

DenyHosts
Developer(s)	Phil Schwartz
Stable release	3.1 / 16 September 2015;7 years ago
Repository	github.com/denyhosts/denyhosts ;
Written in	Python
Operating system	Linux, FreeBSD
Type	Security / HIPS
License	GPL
Website	denyhost.sourceforge.net

Last updated March 18, 2023

DenyHosts is a log-based intrusion-prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. DenyHosts is developed by Phil Schwartz, who is also the developer of Kodos Python Regular Expression Debugger.

Operation

DenyHosts checks the end of the authentication log for recent failed login attempts. It records information about their originating IP addresses and compares the number of invalid attempts to a user-specified threshold. If there have been too many invalid attempts it assumes a dictionary attack is occurring and prevents the IP address from making any further attempts by adding it to /etc/hosts.deny on the server. DenyHosts 2.0 and above support centralized synchronization, so that repeat offenders are blocked from many computers. The site denyhosts.net gathers statistics from computers running the software.

DenyHosts is restricted to connections using IPv4. It does not work with IPv6.

DenyHosts may be run manually, as a daemon, or as a cron job.

Discoveries

In July 2007, The Register reported that from May until July that year, "compromised computers" at Oracle UK were listed among the ten worst offenders for launching brute force SSH attacks on the Internet, according to public DenyHosts listings. After an investigation, Oracle denied suggestions that any of its computers had been compromised.^[1]

Vulnerabilities

Daniel B. Cid wrote a paper showing that DenyHosts, as well the similar programs Fail2ban and BlockHosts, were vulnerable to remote log injection, an attack technique similar to SQL injection, in which a specially crafted user name is used to trigger a block against a site chosen by the attacker.^[2] This was fixed in version 2.6.^[3]

Forks and descendants

Since there had been no further development by the original author Phil Schwartz after the release of version 2.6 (December 2006) and claimed version 2.7 (November 2008)^[4] for which no actual downloadable package is available,^[5] development was first continued in February 2012 by Matt Ruffalo in a GitHub repository.^[6] An independent and separate fork was started at the almost-identically named DenyHost SourceForge project site with the release of a different version 2.7 in May 2014.^[7] After version 2.9, the new SourceForge project has merged with the earlier GitHub repository,^[8] and newer versions are available via both means.

The software that runs the centralized synchronization server which DenyHosts versions 2.0 and above can use, has never been released. Independent synchronization server software has been developed by Jan-Pascal van Best since June 2015.^[9]

Related Research Articles

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP was designed by David L. Mills of the University of Delaware.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

The Berkeley r-commands are a suite of computer programs designed to enable users of one Unix system to log in or issue commands to another Unix computer via TCP/IP computer network. The r-commands were developed in 1982 by the Computer Systems Research Group at the University of California, Berkeley, based on an early implementation of TCP/IP.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

NX technology, commonly known as NX or NoMachine, is a proprietary cross-platform software application for remote access, desktop sharing, virtual desktop and file transfer between computers. It is developed by the Luxembourg-based company NoMachine.

WinSCP is a free and open-source SSH File Transfer Protocol (SFTP), File Transfer Protocol (FTP), WebDAV, Amazon S3, and secure copy protocol (SCP) client for Microsoft Windows. Its main function is secure file transfer between a local computer and a remote server. Beyond this, WinSCP offers basic file manager and file synchronization functionality. For secure transfers, it uses the Secure Shell protocol (SSH) and supports the SCP protocol in addition to SFTP.

Git is a distributed version control system that tracks changes in any set of computer files, usually used for coordinating work among programmers collaboratively developing source code during software development. Its goals include speed, data integrity, and support for distributed, non-linear workflows.

<span class="mw-page-title-main">LogMeIn Hamachi</span> Virtual private network application

LogMeIn Hamachi is a virtual private network (VPN) application developed and released in 2004 by Alex Pankratov. It is capable of establishing direct links between computers that are behind network address translation (NAT) firewalls without requiring reconfiguration. Like other VPNs, it establishes a connection over the Internet that emulates the connection that would exist if the computers were connected over a local area network (LAN).

A password manager is a computer program that allows users to store and manage their passwords for local applications and online services like a web applications, online shops or social media. Password managers usually simplify authentication by reducing interaction from many steps like “recall-enter-submit” to one step “submit”.

This page is a comparison of notable remote desktop software available for various platforms.

Fail2ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent against brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

The following tables compare general and technical information for a number of notable network monitoring systems. Please see the individual products' articles for further information.

In FOSS development communities, a forge is a web-based collaborative software platform for both developing and sharing computer applications. The term forge refers to a common prefix or suffix adopted by various platforms created after the example of SourceForge. This usage of the word stems from the metalworking forge, used for shaping metal parts.

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

<span class="mw-page-title-main">Jenkins (software)</span> Open source automation server

Jenkins is an open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands.

Google Authenticator is a software-based authenticator by Google that implements two-step verification services using the Time-based One-time Password Algorithm and HMAC-based One-time Password algorithm, for authenticating users of software applications.

Teleport is an open-source tool for providing zero trust access to servers and cloud applications using SSH, Kubernetes and HTTPS. It can eliminate the need for VPNs by providing a single gateway to access computing infrastructure via SSH, Kubernetes clusters, and cloud applications via a built-in proxy.

References

↑ John Leyden, Oracle refutes 'SSH hacking' slur. Mystery over bogus DenyHosts listing, 21 July 2007
↑ Daniel B. Cid, Attacking Log Analysis tools
↑ DenyHosts, Changelog
↑ DenyHosts, Changelog
↑ DenyHosts, SourceForge download folder
↑ DenyHosts GitHub repository initial commit; current status
↑ DenyHost.sf.net fork, Changelog
↑ DenyHost.sf.net News page
↑ DenyHosts_Sync GitHub repository initial commit; current status

General references

Carla Schroder, Linux Networking Cookbook, O'Reilly, 2007, pp. 223–226, ISBN 0-596-10248-8
Ken Leyba, Protect your server with Deny Hosts, 2008-01-28, Free Software Magazine issue 21
Daniel Bachfeld, 24 July 2009, Protecting SSH from brute force attacks. DenyHosts , H-online

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] John Leyden, Oracle refutes 'SSH hacking' slur. Mystery over bogus DenyHosts listing, 21 July 2007

[2] Daniel B. Cid, Attacking Log Analysis tools

[3] DenyHosts, Changelog

[4] DenyHosts, Changelog

[5] DenyHosts, SourceForge download folder

[6] DenyHosts GitHub repository initial commit; current status

[7] DenyHost.sf.net fork, Changelog

[8] DenyHost.sf.net News page

[9] DenyHosts_Sync GitHub repository initial commit; current status

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]