Re: New package: denyhosts
- From: Alex Lancaster <alexl users sourceforge net>
- To: fedora-extras-list redhat com
- Subject: Re: New package: denyhosts
- Date: Wed, 18 May 2005 02:44:54 -0700
>>>>> "JT" == Jason L Tibbitts writes:
[...]
JT> BTW, I've found that after making this package that unfortunately
JT> DenyHosts doesn't really fit my requirements because it doesn't
JT> age out entries. So a user unlucky enough to mistype his
JT> passwords five times in total from the same IP gets blocked,
JT> regardless of the frequency of the mistakes. Crap.
Yes, that's a drawback, I agree, but I think this is true only if the
user makes the erroneous password within the lifetime of the current log
file: /var/log/secure, i.e. before it is rolled over, right?

In other words, if the logs are rolled over once a month, this means
that the IP will be blocked only if there are five erroneous logins
within that month. It doesn't scan back through all the old logs
/var/log/secure.1 etc..., does it?

I agree, however, that it should be "density-dependent", i.e. it
should block IPs that make many logins over a short period (on the
order of minutes) of activity; that's the usual pattern of ssh attacks,
and it should be more trigger-happy when blocking usernames that don't
exist.
JT> So I have to decide whether to improve my Python by hacking on
JT> DenyHosts, to take the easy road and rewrite it in Perl. Or, hey,
JT> I've been meaning to learn Ruby.
Please stick with Python, if you can... ;-) I'll be happy to look over
any Python patches. What about the upstream author, is he actively
maintaining it? I see some activity on the SourceForge mailing list.
Cheers,
Alex
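
The "density-dependent" blocking discussed in this message, sketched as an added example (not DenyHosts code and not written by either poster): failed logins age out of a sliding window, and failures for nonexistent users count double. The function name, window, threshold, weight, year and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd format written to /var/log/secure.
SAMPLE_LOG = """\
May 14 09:00:11 host sshd[2101]: Failed password for alice from 192.0.2.10 port 4001 ssh2
May 15 09:05:42 host sshd[2340]: Failed password for alice from 192.0.2.10 port 4017 ssh2
May 16 10:12:03 host sshd[2511]: Failed password for alice from 192.0.2.10 port 4090 ssh2
May 17 03:10:01 host sshd[3001]: Failed password for root from 198.51.100.7 port 5101 ssh2
May 17 03:10:04 host sshd[3002]: Failed password for root from 198.51.100.7 port 5102 ssh2
May 17 03:10:07 host sshd[3003]: Failed password for root from 198.51.100.7 port 5103 ssh2
May 17 03:10:10 host sshd[3004]: Failed password for root from 198.51.100.7 port 5104 ssh2
May 17 03:10:13 host sshd[3005]: Failed password for root from 198.51.100.7 port 5105 ssh2
May 17 11:30:29 host sshd[3120]: Failed password for alice from 192.0.2.10 port 4133 ssh2
May 18 02:20:00 host sshd[3301]: Failed password for illegal user admin from 203.0.113.5 port 6001 ssh2
May 18 02:20:03 host sshd[3302]: Failed password for illegal user test from 203.0.113.5 port 6002 ssh2
May 18 02:20:06 host sshd[3303]: Failed password for invalid user guest from 203.0.113.5 port 6003 ssh2
May 18 08:01:17 host sshd[3410]: Failed password for alice from 192.0.2.10 port 4188 ssh2
""".splitlines()

# Older OpenSSH releases log "illegal user", newer ones log "invalid user".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(invalid user |illegal user )?(\S+) from (\S+) port \d+")

def blocked_ips(lines, window=timedelta(minutes=10), threshold=5,
                invalid_weight=2, year=2005):
    """Return {ip: time the threshold was crossed}; defaults are assumptions."""
    recent = defaultdict(deque)  # ip -> (time, weight) still inside the window
    blocked = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        stamp, invalid, _user, ip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append((when, invalid_weight if invalid else 1))
        while when - q[0][0] > window:  # age out failures older than the window
            q.popleft()
        if ip not in blocked and sum(w for _, w in q) >= threshold:
            blocked[ip] = when
    return blocked

if __name__ == "__main__":
    for ip, when in blocked_ips(SAMPLE_LOG).items():
        print(ip, "blocked at", when)
```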