Last week I was too lazy to learn how to make working Fail2Ban filters, It appears too hard. So I decided to do something easier and more lightweight.
git clone https://github.com/esoadamo/simple-guardian.git
cd simple-guardian
sudo ./install.shConfiguration file is located on /etc/simple-guardian/guardian.conf
Run it with simple-guarian --help
sudo ./install.sh update - updates only script, leaves all config unmodified
sudo ./install.sh crontab - schedules scanning every 10 minutes + sending logs every day at 18:00
Configuration file is located on /etc/simple-guardian/guardian.conf
Configuration file has two parts
Here are stored all variables that are same for every profile
MaxAttempts- how many attempts before IP gets blockedBlockCommand- command that gets executed to block IP. %IP% is replaced with blocked IPSendMail- mail address to which the log will be sent, if omitted then no email is ever sendMailCommand- command that gets executed to send email, uses parameters %SUBJECT%, %MESSAGE% and %TARGET_MAIL%, if omitted then no email is ever sendSaveBlocked- if not omitted, then here is saved list of blocked IPs, one per line
By default configuration has in-build profiles for OpenSSH server, dovecot and vsftpd
Every profile stars with its name [ProfileName]
Every profile should have defined it's log file with LogFile=
Then you have to specify filters
filters starts with >>
they are lines from log file, but all variables are replaced with %VariableName%
right now script recognizes this variables:
%USER%- username that was target of attack%IP%- attacking IP%D:M%- month in format Jan, Feb, ..., Dec%D:D%- day in month ( from 01 to 31 )%TIME%- time in format hours:minutes:seconds
Great! Do not hesitate and send them to me! I will be glad to implement them.