IP Blocking Monitor

Introduction

IP Blocking Monitor is a security tool that analyses log entries to dynamically block IP addresses under certain conditions. The goal is to:

  • manage iptables automatically (i.e. no setup or maintenance required)
  • handle the common log file monitoring issues (saving file position, dealing with log rotation, etc...)
  • provide an easy way to write your own "handlers" for other log files. See the features section for existing examples.
  • work with other hosts running IP Blocking Monitor to maintain a shared list of banned IPs (blacklist).

Why is this useful? In my case I had a number of servers with public IPs accessible via SSH and I wanted to block brute force password attacks. The team I'm part of works remotely and not always from the same location, so it wasn't possible to restrict access to a specific set of IPs. One of the servers also runs a web service which has the same constraint and is also the target of numerous web server exploit attacks. Although there haven't been any successful break-ins, I didn't want to wait until one happened before acting.

Although there are similar tools out there, they seem to be pretty specific, for example SSH only. My requirements meant I had to consider other log types, such as Apache's, and I wanted a way to share the blacklist between a number of hosts.

Requirements

  • Perl
  • iptables
  • runs as root (required to run iptables)
  • (multiple host sync only) ssh, with a user that has RSA/DSA public-key authentication set up on all hosts (i.e. an "authorized_keys" entry).

Features

  • whitelist, these IPs are never banned
  • iptables is maintained automatically, i.e. the script will add a blacklist chain and make sure it's referenced from the INPUT chain (if necessary), and also maintain the list of IPs in the blacklist chain.
  • the script loads and saves its config: the list of banned IPs and the log file positions.
  • blocked IPs expire after 72 hours (configurable); we don't want the list to grow out of control forever.
  • supports multiple log file handlers (see below).

Log Handlers

Please note these handlers may not be suitable for your system as-is and may need editing (they are Perl code). The requirements for monitoring a log file are that you can match the appropriate log entries and that an IP address can be extracted from each entry.

ssh

Searches for "Failed password ... for <user> from <IP>" messages in /var/log/secure. Note this was written for use on RedHat machines; the log entry format and location may differ between distributions and versions of SSH. Banning is based on the number of failed login attempts over a single sample period (10 secs), and over a rolling window (60 secs).

apache (access.log)

Banning is based on two methods. The first is similar to SSH, except that failed page requests (i.e. error code 4XX) are counted. If too many of these come in then it's likely to be an attacker trying exploits. The second method looks for certain strings and bans immediately. For example, if your site doesn't use any PHP or JSP, then you can ban immediately based on requests coming in for pages ending in .php and .jsp. This handler would need to be tuned to your environment, as the apache access log may be in a different format, you may actually want PHP pages to work, etc...

multiple host sync

Provides a way for ipb-monitors running on multiple hosts to communicate. It's also a simple way for you to communicate with the tool, for example if you wanted to manually add or remove an IP from the blacklist.
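
As an added example (not ipb-monitor's own handler code), the matching and counting the ssh handler above describes, written in Perl: it extracts the IP from "Failed password" lines in the RedHat /var/log/secure format, skips whitelisted hosts, and flags an IP once its failures exceed a limit within the 10-second sample period or the 60-second rolling window. The count limits, the year 2006 used to complete syslog timestamps, and the 198.51.100.7 whitelist entry are assumptions, and the log lines are constructed.

```perl
#!/usr/bin/perl
# Added example, not ipb-monitor's own handler; the count limits are assumed.
use strict;
use warnings;
use Time::Local qw(timelocal);

my $SAMPLE_SECS  = 10;   # single sample period (from the README)
my $SAMPLE_LIMIT = 5;    # failures per IP within one sample (assumed)
my $WINDOW_SECS  = 60;   # rolling window (from the README)
my $WINDOW_LIMIT = 10;   # failures per IP within the window (assumed)
my %WHITELIST = map { $_ => 1 } qw(198.51.100.7);   # never banned
my @MONTHS = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
my %MON = map { $MONTHS[$_] => $_ } 0 .. 11;

# Returns (epoch, ip) for a "Failed password ... for <user> from <IP>" line
# in the RedHat /var/log/secure format, or an empty list for any other line.
sub parse_secure_line {
    my ($line) = @_;
    return () unless $line =~ /^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})\b/;
    my ($mon, $day, $h, $m, $s, $ip) = ($1, $2, $3, $4, $5, $6);
    # syslog timestamps carry no year; 2006 is assumed for the constructed sample
    return (timelocal($s, $m, $h, $day, $MON{$mon}, 2006), $ip);
}

# Takes lines in file order; returns ip => epoch of the hit that triggered the ban.
sub find_bans {
    my (%hits, %banned);
    for my $line (@_) {
        my ($t, $ip) = parse_secure_line($line) or next;
        next if $WHITELIST{$ip} || $banned{$ip};
        # keep only hits still inside the rolling window, then apply both limits
        @{ $hits{$ip} } = grep { $_ > $t - $WINDOW_SECS } @{ $hits{$ip} || [] }, $t;
        my $in_sample = grep { $_ > $t - $SAMPLE_SECS } @{ $hits{$ip} };
        $banned{$ip} = $t
            if $in_sample >= $SAMPLE_LIMIT || @{ $hits{$ip} } >= $WINDOW_LIMIT;
    }
    return %banned;
}

# Constructed sample: five failures in five seconds from 192.0.2.10, one failure
# from the whitelisted host, and one successful login that must not match.
my @sample = map {
    sprintf "Mar 12 16:10:%02d host1 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4321 ssh2", $_
} 1 .. 5;
push @sample,
    "Mar 12 16:10:06 host1 sshd[1236]: Failed password for root from 198.51.100.7 port 4400 ssh2",
    "Mar 12 16:10:07 host1 sshd[1238]: Accepted password for bob from 192.0.2.20 port 4410 ssh2";

my %bans = find_bans(@sample);
print "ban $_ (triggered at ", scalar localtime($bans{$_}), ")\n" for sort keys %bans;
```

The real handler would hand each banned IP to the iptables blacklist chain and record it with a timestamp so the 72-hour expiry can remove it later.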

Support

I'll help if I can.

Any code or documentation contributions are welcomed.

TODO

  • RPM and DEB packages
  • split config from script
  • prevent local IP blocking (i.e. remote sync only), useful in VM environments where the host OS will be doing the blocking but you may still want to detect attacks on guest OSes.

Download

Filename                Size     Date
CHANGELOG               923      2006-03-12 16:22:22
README                  4434     2006-03-12 16:18:30
ipb-monitor-0.3.tar.gz  202904   2006-03-12 16:18:35

previous releases