Daemon Shield is a Linux intrusion prevention daemon that scans for brute-force break-in attacks in real time and uses iptables to create rules that block the attackers' IP addresses for a configurable period of time. It uses handlers that watch for attacks against given services, such as ssh, telnet, ftp, etc. Daemon Shield is highly configurable through a central configuration file. It loads existing blocklist rules into iptables on startup and removes the blocklist rules when it shuts down. Other major features include background daemon operation, logging to syslog, easy-to-extend handlers, a configurable block duration, and email notifications.
This is the initial public release of Daemon Shield. It works well in the environments that it's been tested in, which currently include RHEL ES 4, CentOS 4, and RHEL ES 3 with Python 2.3 installed. Currently, ssh and pam handlers are functional and enabled by default. The pam handler should block any attacks against pam-enabled services. A handler for Apache is planned for future releases.
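To make the handler mechanism concrete, here is an added example that is not Daemon Shield's own code: a minimal ssh handler in Python that counts failed-password lines per source address within a sliding window, emits an iptables DROP rule once a threshold is crossed, and removes the rule when the configured block duration expires or at shutdown. The sample log lines, the threshold (4 failures in 60 seconds), the 10-minute block duration and the year used to complete syslog timestamps are all assumptions; the iptables invocations are recorded in a list instead of being executed, so the script runs without root.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (not from any real host).
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  1 10:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  1 10:00:06 host sshd[1004]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar  1 10:00:09 host sshd[1005]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  1 10:00:12 host sshd[1006]: Failed password for bob from 198.51.100.20 port 40010 ssh2
"""

# Matches the OpenSSH "Failed password" message; the format is an assumption
# about the sshd/syslog version in use.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class SshHandler:
    """Hypothetical handler: failures per IP in a window -> temporary iptables block."""

    def __init__(self, threshold=4, window=timedelta(seconds=60),
                 block_for=timedelta(minutes=10), year=2024):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.year = year                    # syslog timestamps carry no year
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.blocked = {}                   # ip -> expiry time
        self.commands = []                  # iptables argv lists (dry run, not executed)

    def timestamp(self, text):
        """Parse a syslog timestamp such as 'Mar  1 10:00:01' using the assumed year."""
        return datetime.strptime(f"{self.year} {text}", "%Y %b %d %H:%M:%S")

    def parse(self, line):
        m = FAILED_RE.match(line)
        if not m:
            return None
        return self.timestamp(m.group("ts")), m.group("ip")

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a block."""
        parsed = self.parse(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.blocked:          # already blocked; nothing more to do
            return None
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # drop old failures
            recent.popleft()
        if len(recent) >= self.threshold:
            self._block(ip, ts)
            return ip
        return None

    def _block(self, ip, now):
        self.blocked[ip] = now + self.block_for
        self.commands.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.failures.pop(ip, None)

    def _unblock(self, ip):
        del self.blocked[ip]
        self.commands.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])

    def expire(self, now):
        """Remove blocks whose duration has elapsed; return the released IPs."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            self._unblock(ip)
        return released

    def shutdown(self):
        """Remove every remaining rule, mirroring removal of the blocklist on exit."""
        released = list(self.blocked)
        for ip in released:
            self._unblock(ip)
        return released


def run_demo(log_text):
    """Feed the sample log through a handler; return (handler, IPs blocked)."""
    handler = SshHandler()
    blocked = []
    for line in log_text.splitlines():
        ip = handler.feed(line)
        if ip:
            blocked.append(ip)
    return handler, blocked


if __name__ == "__main__":
    h, blocked = run_demo(SAMPLE_LOG)
    print("blocked:", blocked)
    print("released at shutdown:", h.shutdown())
    for argv in h.commands:
        print(" ".join(argv))
```

In a real daemon the `commands` list would be replaced by actually running iptables and `expire` would be called from a periodic timer; the sliding window matters because a single failed login from a legitimate user (198.51.100.20 above) must never earn a block.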