Daemon Shield

What is Daemon Shield?

Daemon Shield finds IPs of crackers and kiddies attempting to break in. It creates iptables rules to block attackers' IPs for a specified period of time.

How does it work?

It works by using handlers which are created to watch for attacks against a given service, such as ssh, telnet, ftp, etc. The handlers can be enabled or disabled on a case-by-case basis. Each handler defines its logfile, search pattern, trigger threshold, and method of determing attacking IPs. When a list of IPs to be dropped is created, it uses a customizable iptables rule to block those IPs from any type of connection to the host. After the given blocktime, the iptable rule is deleted. The handlers only looks at the logfile's lines that are within a given window of time, from the present till a user-definable amount of seconds back in time.

Currently, ssh and pam modules are functional and enabled by default. The pam handler watches for any "authentication failure" lines and operates accordingly, so it should block any attacks against pam- enabled service.

Features

Download Daemon Shield

Daemonshield can be downloaded from https://sourceforge.net/projects/daemonshield/.

Requirements

Daemonshield requires Python 2.3 or greater. It also requires iptables, and therefore will only work on linux kernels 2.4 or greater.

Installation

Straight from the INSTALL file:
1. To install the files for this program, run the following commands as root:

./configure
make install

2. Edit /etc/sysconfig/iptables

  2a. Add the following line to the list of iptables chains:
:Kiddies - [0:0]

  2b. Add the following lines to the end of the file:
-A Kiddies -j LOG --log-level info --log-prefix "Dropped IP: " -m limit --limit 1/m
-A Kiddies -j DROP

3. Edit daemonshield.conf to your taste

4. To run daemonshield upon startup and shutdown (on redhat systems, anyway),

touch /var/lock/subsys/daemonshield
chkconfig --levels=345 daemonshield on

5. To start the daemon, run '/etc/init.d/daemonshield start'

Copyright, License, and Disclaimer

This collective work is Copyright (C)2005 by Charles W. Sharp. <chucksharp (at) yahoo.com>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

Credits

This is based heavily on the concepts of the BFD shell scripts by Ryan MacDonald [ryan@r-fx.org]. The ip blocking code is based heavily on the drop-ip shell script from Steve Wampler.

Thanks to David Preston, Bob Carrigan, Rod Marten, Josh Brown, and Doug Harper for testing and many great suggestions.

Author

Charles (Chuck) Sharp
chucksharp at yahoo.com