PuDe - How it works?


PuDe is a ksh script that continuously reads /var/log/authlog and analyzes every failed login attempt. Failed attempts fall into three categories:

  1. Failed password for root account
  2. Invalid user
  3. Failed password for user account

Failed attempts in each category are saved in log files. PuDe saves the IP address of the machine from which the attempt originated. The log files are as follows:

  1. /var/log/pude.root
  2. /var/log/pude.invalid
  3. /var/log/pude.failed

Additionally, the following log files are used:

  1. /var/log/pude.block - block list
  2. /var/log/pude.timestamp - time stamp file

PuDe also uses a number of temporary log files:

  1. /var/log/pude.ctl - ctl interface and block temporary file
  2. /var/log/pude.uniq - temporary file
  3. /var/log/pude.all - temporary file
  4. /var/log/pude.current - temporary file

Since v0.1.3, PuDe uses a list of trusted hosts instead of the AEH variable. The list is kept in the file /var/log/pude.fair.

If the number of failed attempts in any category for a given IP exceeds the defined threshold, the IP is blocked.

PuDe blocks IPs by adding them to the pf table pude. For the block to take effect, additional pf configuration is required, as described in the configuration section.

A host listed in the /var/log/pude.fair file is never blocked.
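
The counting rule described above, shown as an added example that is not PuDe's own code: it sorts authlog lines into the three categories, counts them per IP, and lists the addresses that exceed a threshold while skipping trusted hosts. The function names, the threshold of 1 and the sample log lines are assumptions constructed for illustration, as is the choice to skip "Failed password for invalid user" lines.

```shell
#!/bin/sh
# Added example, not PuDe's source: per-category counting with a trusted list.

# pude_candidates AUTHLOG FAIRLIST LIMIT
# Prints "category ip count" for every IP whose failures in one category
# exceed LIMIT, skipping each address listed in FAIRLIST.
pude_candidates() {
    awk -v limit="$3" '
        # First file: trusted hosts, one address per line.
        FILENAME == ARGV[1] { if (NF) fair[$1] = 1; next }
        {
            # Assumption: "Failed password for invalid user" is skipped because
            # the matching "Invalid user" line already counted that attempt.
            if ($0 ~ /sshd\[[0-9]+\]: Invalid user /) cat = "invalid"
            else if ($0 ~ /sshd\[[0-9]+\]: Failed password for invalid user /) next
            else if ($0 ~ /sshd\[[0-9]+\]: Failed password for root from /) cat = "root"
            else if ($0 ~ /sshd\[[0-9]+\]: Failed password for /) cat = "failed"
            else next
            # The user name is chosen by the remote client and may contain
            # " from <addr>", so only the last "from" on the line is trusted.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || (ip in fair)) next
            hits[cat " " ip]++
        }
        END { for (k in hits) if (hits[k] > limit) print k, hits[k] }
    ' "$2" "$1" | sort
}

# Constructed sample input (documentation address ranges); LIMIT is 1.
pude_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/authlog" <<'EOF'
Oct 15 18:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Oct 15 18:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Oct 15 18:00:05 host sshd[103]: Invalid user admin from 203.0.113.9
Oct 15 18:00:06 host sshd[103]: Failed password for invalid user admin from 203.0.113.9 port 4003 ssh2
Oct 15 18:00:08 host sshd[104]: Invalid user root from 192.0.2.1 from 203.0.113.9
Oct 15 18:00:10 host sshd[105]: Failed password for alice from 203.0.113.20 port 4004 ssh2
Oct 15 18:00:12 host sshd[106]: Failed password for root from 198.51.100.7 port 4005 ssh2
Oct 15 18:00:14 host sshd[107]: Failed password for root from 198.51.100.7 port 4006 ssh2
EOF
    printf '198.51.100.7\n' > "$dir/fair"
    pude_candidates "$dir/authlog" "$dir/fair" 1
    rm -rf "$dir"
}

pude_demo
```

In the sample, 192.0.2.1 appears only inside a user name and is never counted, and 198.51.100.7 is over the threshold but is left out because it is on the trusted list.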

Made by Slug
Last update: 2011/10/15 @ 18:51:08