The RWSecure application parses the /var/log/secure file for invalid usernames or failed passwords to help protect against brute force and similar attacks.
If there are more than three invalid or failed attempts by one IP, it will add that IP to your /etc/hosts.deny file.
Put this file in any directory of your choice and use cron to run the program every few minutes, hours, or days. Adding this entry to your crontab will have it run every 5 minutes:
*/5 * * * * root /yourdirectory/rwsecure
This is just an example of a way to run it without user intervention.
If you run this program every few minutes, consider no longer logging info-level messages from auth, or logging them to a separate file, because miscellaneous cron messages can start to fill your logs.
The program appends to /etc/hosts.deny. To use a different file, edit rwsecure (for example with vi) and change the HostsDenypath variable to whatever you want.
Sample program output:
ALL: 188.8.131.52 # Added by rwsecure on Sep 17 18:18:01 2005
ALL: 184.108.40.206 # Added by rwsecure on Sep 18 04:42:01 2005
ALL: 220.127.116.11 # Added by rwsecure on Sep 18 06:22:01 2005
ALL: 18.104.22.168 # Added by rwsecure on Sep 19 04:26:01 2005
ALL: 22.214.171.124 # Added by rwsecure on Sep 21 09:26:01 2005
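The counting and blocking rule described above, as an added example in Python; it is not rwsecure's own code. The sshd log layout, the function names and the "Added by example" tag are assumptions, and addresses already present in the deny file are skipped so that repeated cron runs over the same log do not append duplicates.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

THRESHOLD = 3  # the page blocks an IP after "more than three" attempts
# Anchored at end of line: the address must be the peer sshd recorded, not
# text inside the remote-supplied username field earlier in the line.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed password for |Invalid user ).* from (\S+)"
    r"(?: port \d+)?(?: ssh2)?\s*$")

def count_failures(log_lines):
    """Count failed-password / invalid-user lines per source address."""
    counts = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        try:
            if m:
                counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            pass  # a hostname or junk where the address should be: skip it
    return counts

def new_deny_entries(log_lines, deny_text, now=None):
    """Lines to append to hosts.deny, skipping addresses already listed."""
    listed = set(re.findall(r"^ALL:\s*(\S+)", deny_text, re.M))
    stamp = (now or datetime.now()).strftime("%b %d %H:%M:%S %Y")
    return [f"ALL: {ip} # Added by example on {stamp}"
            for ip, n in sorted(count_failures(log_lines).items())
            if n > THRESHOLD and ip not in listed]

# Constructed sample in the usual sshd syslog layout (documentation addresses).
SAMPLE_LOG = """\
Sep 17 18:17:40 host sshd[2101]: Invalid user admin from 203.0.113.10
Sep 17 18:17:42 host sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 4242 ssh2
Sep 17 18:17:45 host sshd[2103]: Failed password for root from 203.0.113.10 port 4243 ssh2
Sep 17 18:17:49 host sshd[2105]: Failed password for root from 203.0.113.10 port 4244 ssh2
Sep 17 18:17:50 host sshd[2107]: Failed password for bob from 198.51.100.7 port 5151 ssh2
Sep 17 18:17:55 host sshd[2107]: Accepted password for bob from 198.51.100.7 port 5151 ssh2
Sep 17 18:17:56 host sshd[2110]: Failed password for root from 192.0.2.33 port 6001 ssh2
Sep 17 18:17:57 host sshd[2111]: Failed password for root from 192.0.2.33 port 6002 ssh2
Sep 17 18:17:58 host sshd[2112]: Failed password for root from 192.0.2.33 port 6003 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(new_deny_entries(SAMPLE_LOG, "")))
```

Entries in /etc/hosts.deny only take effect for services that consult TCP wrappers, so confirm that the SSH daemon on the host does before relying on this file for blocking.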
What's New in This Release:
· This release fixes a minor bug regarding how rwsecure adds information to the hosts.deny file.
· If you currently use rwsecure, it is recommended that you erase your current /etc/hosts.deny file (make sure it still exists, but that it is empty).
· There are no other changes in this release.