Daemon Shield
What is Daemon Shield?
Daemon Shield finds IPs of crackers and kiddies attempting to break in. It creates
iptables rules to block attackers' IPs for a specified period
of time.
How does it work?
It works by using handlers which are created to watch for attacks
against a given service, such as ssh, telnet, ftp, etc. The handlers
can be enabled or disabled on a case-by-case basis. Each handler
defines its logfile, search pattern, trigger threshold, and method
of determining attacking IPs. When a list of IPs to be dropped is
created, it uses a customizable iptables rule to block those IPs
from any type of connection to the host. After the given blocktime,
the iptables rule is deleted. The handlers only look at the logfile
lines that fall within a given window of time, from the present back
to a user-definable number of seconds in the past.
Currently, ssh and pam modules are functional and enabled by default.
The pam handler watches for any "authentication failure" lines and
operates accordingly, so it should block any attacks against a
pam-enabled service.
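The handler mechanism described above, as an added example that is not Daemon Shield's own code (the project targets Python 2.3; this runs on Python 3). It shows a handler as a logfile pattern, an IP-extraction group, a trigger threshold and a look-back window, applied to constructed syslog lines, plus a blocklist that expires entries after the blocktime. The handler dictionaries, the BlockList class and the iptables command form (a per-IP jump from INPUT into the Kiddies chain) are this example's own assumptions, and the commands are returned as strings rather than executed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in classic syslog format (not captured from a real host).
# 192.0.2.9 fails five times at 09:20, 203.0.113.5 fails five times at 10:00,
# 198.51.100.7 fails once and then logs in.
SAMPLE_LOG = """\
Mar  3 09:20:00 host sshd[2200]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 09:20:05 host sshd[2201]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 09:20:10 host sshd[2202]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  3 09:20:15 host sshd[2203]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar  3 09:20:20 host sshd[2204]: Failed password for root from 192.0.2.9 port 33005 ssh2
Mar  3 10:00:01 host sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 41002 ssh2
Mar  3 10:00:04 host sshd[2302]: Failed password for invalid user admin from 203.0.113.5 port 41003 ssh2
Mar  3 10:00:09 host sshd[2303]: Failed password for root from 203.0.113.5 port 41004 ssh2
Mar  3 10:00:15 host sshd[2304]: Failed password for root from 203.0.113.5 port 41005 ssh2
Mar  3 10:00:20 host sshd[2305]: Failed password for root from 203.0.113.5 port 41006 ssh2
Mar  3 10:00:30 host sshd[2306]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar  3 10:00:33 host login[2310]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=203.0.113.5
Mar  3 10:00:35 host sshd[2307]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# A handler: search pattern (group 1 is the attacking IP), trigger threshold,
# and how many seconds back from "now" to examine. Names are this example's own.
SSH_HANDLER = {
    "name": "ssh",
    "pattern": re.compile(r"sshd\[\d+\]: Failed password for .* from " + IPV4 + r" port"),
    "threshold": 5,
    "window": 600,
}
PAM_HANDLER = {
    "name": "pam",
    "pattern": re.compile(r"authentication failure;.*rhost=" + IPV4),
    "threshold": 3,
    "window": 600,
}

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year):
    """Epoch seconds for a syslog line; syslog omits the year, so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S").timestamp()


def find_attackers(log_text, handler, now, year):
    """Return {ip: hit_count} for IPs at or over the threshold inside the look-back window."""
    earliest = now - handler["window"]
    hits = Counter()
    for line in log_text.splitlines():
        ts = parse_ts(line, year)
        if ts is None or ts < earliest or ts > now:
            continue  # outside the window: ignored, exactly as the handler description says
        m = handler["pattern"].search(line)
        if m:
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= handler["threshold"]}


class BlockList:
    """Tracks blocked IPs with an expiry; emits iptables commands instead of running them."""

    def __init__(self, chain="Kiddies", blocktime=3600):
        self.chain = chain
        self.blocktime = blocktime
        self.active = {}  # ip -> epoch second at which the rule is removed

    def block(self, ip, now):
        if ip in self.active:
            return None  # rule already present; it keeps its original expiry
        self.active[ip] = now + self.blocktime
        return "iptables -I INPUT -s %s -j %s" % (ip, self.chain)

    def expire(self, now):
        """Delete rules whose blocktime has elapsed; returns the commands to run."""
        cmds = []
        for ip, until in sorted(self.active.items()):
            if until <= now:
                del self.active[ip]
                cmds.append("iptables -D INPUT -s %s -j %s" % (ip, self.chain))
        return cmds


def run_once(log_text, handler, blocklist, now, year):
    """One daemon pass: scan the window, block new attackers, return commands issued."""
    cmds = []
    for ip in sorted(find_attackers(log_text, handler, now, year)):
        cmd = blocklist.block(ip, now)
        if cmd:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    now = parse_ts("Mar  3 10:00:40 host daemonshield[1]: pass", 2024)
    bl = BlockList(blocktime=60)
    print(run_once(SAMPLE_LOG, SSH_HANDLER, bl, now, 2024))
    print(bl.expire(now + 90))
```

With the ten-minute window only 203.0.113.5 crosses the ssh threshold; widening the window to an hour also catches the earlier burst from 192.0.2.9, which is the trade-off the window setting controls. The PAM line for 203.0.113.5 is counted by the pam handler separately, so each handler's threshold applies to its own service.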
Features
- Creates iptables log & reject rules against attacker's IPs.
- Background daemon continuously watches logfiles for activity.
- Logs to syslog.
- Modular attack monitors, easy to extend to other services.
- Block rules expire after specified period of time.
- Blocklist file also serves as log for blocklist activity.
- Email notification for IP block rule creation.
- Retains blocklists from one process to the next.
- Iptables rules are dynamic. They disappear when the daemon stops
and are reloaded when the daemon restarts.
- Only one instance of daemonshield will run at a time.
Download Daemon Shield
Daemonshield can be downloaded from https://sourceforge.net/projects/daemonshield/.
Requirements
Daemonshield requires Python 2.3 or greater. It also requires iptables,
and therefore will only work on Linux kernels 2.4 or greater.
Installation
Straight from the INSTALL file:
1. To install the files for this program, run the following commands as root:
       ./configure
       make install
2. Edit /etc/sysconfig/iptables
   2a. Add the following line to the list of iptables chains:
       :Kiddies - [0:0]
   2b. Add the following lines to the end of the file:
       -A Kiddies -j LOG --log-level info --log-prefix "Dropped IP: " -m limit --limit 1/m
       -A Kiddies -j DROP
3. Edit daemonshield.conf to your taste.
4. To run daemonshield upon startup and shutdown (on Red Hat systems, anyway):
       touch /var/lock/subsys/daemonshield
       chkconfig --levels=345 daemonshield on
5. To start the daemon, run '/etc/init.d/daemonshield start'.
Copyright, License, and Disclaimer
This collective work is Copyright (C)2005 by Charles W. Sharp.
<chucksharp (at) yahoo.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 2.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA
Credits
This is based heavily on the concepts of the BFD shell scripts
by Ryan MacDonald [ryan@r-fx.org]. The ip blocking code is based
heavily on the drop-ip shell script from Steve Wampler.
Thanks to David Preston, Bob Carrigan, Rod Marten, Josh Brown,
and Doug Harper for testing and many great suggestions.
Author
Charles (Chuck) Sharp
chucksharp at yahoo.com