Parses the server auth logs, extracts the IP addresses with bad intentions and blocks them using iptables.
- download this package
- place it somewhere safe, like the root folder, as you will be running this as root
- run composer to install the packages/vendor: `php composer.phar install`
- create a database in MySQL, let's say the name is `zeacurity`, then import the `db.sql` file
- copy `db.conf.json.sample` to `db.conf.json` and edit the file to enter the DB credentials
- optional: copy `whitelist.conf.json.sample` to `whitelist.conf.json` and edit the file to define what IP addresses you want to whitelist, i.e. never add to the blacklist
- locate your firewall script (using iptables, or see the sample `firewall.sh.sample`)
- add this line: `# {SSH_BLOCK_IPS}` -- this marks where Zeacurity will insert the block rules (see the sample `firewall.sh.sample`)
- run the full scan, sample command below
- add it to the cron, sample below
Sample commands (replace `{path}` with the directory where you placed the package):

```sh
php ./console.php [command-name] [params]
php {path}/console.php auth_blacklist --log-file=/var/log/auth.log --full-scan=y
php {path}/console.php append_blacklister --firewall-file=./firewall.sh
```
- for the auth.log scanner (`auth_blacklist`), we recommend running it frequently, like every 10-15 mins, while for the iptables generation (`append_blacklister`) every hour or two is recommended

```cron
*/15 * * * * php {path}/console.php auth_blacklist --log-file=/var/log/auth.log --lines=1500 > /dev/null 2>&1
0 */2 * * * php {path}/console.php append_blacklister --firewall-file=./firewall.sh > /dev/null 2>&1
```
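As an added illustration of the workflow the steps above describe (this is not Zeacurity's own PHP code), the Python script below counts failed sshd password attempts per source IP from a few constructed auth.log lines, drops any IP covered by a whitelist entry, and renders one iptables DROP rule per remaining IP in place of the `# {SSH_BLOCK_IPS}` marker in a firewall script. The sample log lines, the threshold of 3 failures and the `--dport 22` rule shape are assumptions; the page does not state Zeacurity's own threshold or rule format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample auth.log lines (documentation-range IPs), not a real capture.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  1 10:00:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  1 10:00:09 host sshd[1204]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar  1 10:00:12 host sshd[1205]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Mar  1 10:00:15 host sshd[1206]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  1 10:00:16 host sshd[1207]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  1 10:00:17 host sshd[1208]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")
MARKER = "# {SSH_BLOCK_IPS}"  # the placeholder line the README says to add to firewall.sh


def failed_logins(log_text):
    """Count failed sshd password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def blacklist(counts, whitelist, threshold=3):
    """IPs with at least `threshold` failures, minus any covered by a whitelist IP or CIDR."""
    nets = [ip_network(w, strict=False) for w in whitelist]
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not any(ip_address(ip) in net for net in nets))


def render_firewall(template, ips):
    """Replace the marker line with one DROP rule per blacklisted IP (assumed rule shape).

    Render from the .sample template on every run so the rules are replaced, not appended.
    """
    rules = [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]
    out = []
    for line in template.splitlines():
        out.extend(rules if line.strip() == MARKER else [line])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ips = blacklist(failed_logins(SAMPLE_AUTH_LOG), ["198.51.100.0/24"])
    print(render_firewall("#!/bin/sh\niptables -F\n" + MARKER + "\n", ips))
```

Whitelisting your own management range, as the whitelist file above is for, is what keeps a mistyped password from locking you out of the host.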
You can whitelist IP addresses to exempt them from blacklisting: see the `whitelist.ip.json.sample` file and rename it as `whitelist.ip.json`.

The DB credentials are stored in `db.conf.json` (from `db.conf.json.sample`).
- Ubuntu 20.x