Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
Shell
Cannot retrieve the latest commit at this time.
Cannot retrieve the latest commit at this time.
| Failed to load latest commit information. | |||
|
CHANGELOG | ||
|
|
LICENSE | ||
|
|
README | ||
|
|
README.es | ||
|
|
TODO | ||
|
|
banfromlog.sh | ||
|
|
firewall.db3 | ||
|
|
structure.mysql | ||
README
banfromlog: examines logs to prevent ssh brute force attacks
and forbids ips with many attempts to connect to your host at 22 port.
Copyright (C) 2005 Jose Sanchez <jose_at_serhost_dot_com>
INDEX
---------------------------------------------------------------------------
WHAT IS BANFROMLOG
WHY IS IMPORTANT?
HOW TO INSTALL
---------------------------------------------------------------------------
WHAT IS BANFROMLOG
==================
BanFromLog is a simple script to log any illegal user attempt of your
SSHD daemon from the auth.log file.
It logs those nasty ips to a database (defined by you) and you can call
to do this automatically by typing a line at the crond.
WHY IS IMPORTANT?
=================
Well is truth that if you have only an user, you don't need this but, when
you have hundreds or even thousands, users, many of them could have an insecure
password (even if you have warned them or have some special modification in the
passwd command to prevent this).
You can receive other kinds of attacks via SSH port from those IPS which first
attempted only a couple of illegal users. (illegal user: user that doesn't exists).
Your CPU can be slower with this kind of brute force attacks, even if you have put
a maximum attempts or whatever, because this kind of attacks are done with many "zoombies"
HOW TO INSTALL
==============
First you need MySQL or sqlite installed and root access
If you have MySQL allow one user to connect to localhost to a database without password,
then dit the banfromlog script and put that information: database used, username, host.
In the database, you need to create the structure defined on structure.mysql
Then edit banfromlog and remove this lines:
# Remove or comment this two lines AFTER CONFIGURING this script
echo "Configure me first!. Edit me and remove this comment to use me"
exit 0;
#************************************************
Call "banfromlog log2db" and "banfromlog protect" each hour with this line on the crontab:
First edit /etc/crontab
# nano /etc/crontab
Then add this lines
50 * * * * root /root/banfromlog log2db
55 * * * * root /root/banfromlog protect
Where /root/banfromlog is the path to the banfromlog script and 55 * is each hour at 55 minutes
I have configured it to run each 10 minutes and works fine
WARNING!!: If you have accepted traffic to 22 port in a previous line of your iptables rules, you must
be careful and correct this by hand (for example, delete all rules and execute them from the beginnig).
It depends on the configuration that you have. More information at: http://netfilter.org
WARNING2: BANFROMLOG WILL ALWAYS ADD ALL IPS TO IPTABLES, so, its recommended that you regenerate your firewall
with banfromlog in the middle. This is not a bug, it's a feature xD