jfsanchez/banfromlog
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
master
Could not load branches
Nothing to show
Could not load tags
Nothing to show
{{ refName }}
default
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code
-
Clone
Use Git or checkout with SVN using the web URL.
Work fast with our official CLI. Learn more.
- Open with GitHub Desktop
- Download ZIP
Sign In Required
Please sign in to use Codespaces.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
Latest commit
Git stats
Files
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
banfromlog: examines logs to prevent ssh brute force attacks
and forbids ips with many attempts to connect to your host at 22 port.
Copyright (C) 2005 Jose Sanchez <jose_at_serhost_dot_com>
INDEX
---------------------------------------------------------------------------
WHAT IS BANFROMLOG
WHY IS IMPORTANT?
HOW TO INSTALL
---------------------------------------------------------------------------
WHAT IS BANFROMLOG
==================
BanFromLog is a simple script to log any illegal user attempt of your
SSHD daemon from the auth.log file.
It logs those nasty ips to a database (defined by you) and you can call
to do this automatically by typing a line at the crond.
WHY IS IMPORTANT?
=================
Well is truth that if you have only an user, you don't need this but, when
you have hundreds or even thousands, users, many of them could have an insecure
password (even if you have warned them or have some special modification in the
passwd command to prevent this).
You can receive other kinds of attacks via SSH port from those IPS which first
attempted only a couple of illegal users. (illegal user: user that doesn't exists).
Your CPU can be slower with this kind of brute force attacks, even if you have put
a maximum attempts or whatever, because this kind of attacks are done with many "zoombies"
HOW TO INSTALL
==============
First you need MySQL or sqlite installed and root access
If you have MySQL allow one user to connect to localhost to a database without password,
then dit the banfromlog script and put that information: database used, username, host.
In the database, you need to create the structure defined on structure.mysql
Then edit banfromlog and remove this lines:
# Remove or comment this two lines AFTER CONFIGURING this script
echo "Configure me first!. Edit me and remove this comment to use me"
exit 0;
#************************************************
Call "banfromlog log2db" and "banfromlog protect" each hour with this line on the crontab:
First edit /etc/crontab
# nano /etc/crontab
Then add this lines
50 * * * * root /root/banfromlog log2db
55 * * * * root /root/banfromlog protect
Where /root/banfromlog is the path to the banfromlog script and 55 * is each hour at 55 minutes
I have configured it to run each 10 minutes and works fine
WARNING!!: If you have accepted traffic to 22 port in a previous line of your iptables rules, you must
be careful and correct this by hand (for example, delete all rules and execute them from the beginnig).
It depends on the configuration that you have. More information at: http://netfilter.org
WARNING2: BANFROMLOG WILL ALWAYS ADD ALL IPS TO IPTABLES, so, its recommended that you regenerate your firewall
with banfromlog in the middle. This is not a bug, it's a feature xD
About
Old script
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published