BruteBlock 0.0.5 review

BruteBlock project allows system administrators to block various bruteforce attacks on UNIX services

License:	BSD License
File size:	24K
Developer:	Alex Samorukov

BruteBlock project allows system administrators to block various bruteforce attacks on UNIX services. The program analyzes system logs and adds attacker's IP address into ipfw2 table effectively blocking them.

Addresses are automatically removed from the table after specified abound of time. Bruteblock uses regular expressions to parse logs, which gives flexibility allowing it to be used with almost any network service. Bruteblock is written in pure C, doesn't use any external programs and works with ipfw2 tables via raw sockets API.

Installation:
To compile the program run `make` in bruteblock directory. After compilation, copy bruteblock and bruteblockd files into system binary directory (/usr/local/sbin). Copy bruteblock-ssh.conf into directory where configuration files are located (/usr/local/etc) and edit it to make it suit your needs. Edit /etc/syslog.conf and add the following entry:

auth.info;authpriv.info |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock-ssh.conf

then restart syslogd (/etc/rc.d/syslogd restart). Run bruteblockd, specifying the same ipfw2 table number as in config file (with -t parameter, e.g. '# /usr/local/bin/bruteblockd -t 1'). Finally, add ipfw rules to block any packets from addresses that match the table, like this:

${fwcmd} add deny ip from me to table(1)
${fwcmd} add deny ip from table(1) to me

Now bruteblock will do it's job.

Configuration:
Configuration file for bruteblock utility allows you to set following values:

regexp - regular expression in perl-compatible format that is used to extract failed password attempts from log files.

"regexp0","regexp1",... "regexp9" - optional fields with up to 10 additional regular expressions. max_count, within_time - defines time interval and maximum number of failed password attempts during that interval. If the number is exceeded by specific IP, that IP is blocked.

reset_ip - time-to-live of a block. When it expires, address is removed from table, thus becoming unblocked.

ipfw2_table_no - number of ipfw2 table to add bad IPs to. Must match -t parameter of bruteblockd.

Requirements:
FreeBSD
PCRE

What's New in This Release:
A configuration file was added for the proftpd daemon.
max_count processing was fixed.
sshd regular expressions are now more strict.

BruteBlock 0.0.5 screenshot
Zoom

BruteBlock 0.0.5 search tags

BruteBlock 0.0.5: BruteBlock project allows system administrators to block various bruteforce attacks on UNIX services
LMF 0.5: LMF project is a flexible log monitoring framework that allows the user to match text from log files, using perl regular expressions
IServerd 2.4.14: IServerd is an ICQ server for Unix. Installation: First of all you'll need to install Postgres SQL server
sshutout 1.0.3: sshutout is a daemon that periodically monitors log files, looking for multiple failed login attempts via the Secure Shell daemon.
BlockHosts 1.0.4: BlockHosts is a script to record how many times "sshd" or "proftpd" is being attacked, and when a particular IP address exceeds a con
DenyHosts 2.6: DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks. If you've ever looked a
RegexSearch 1.2: RegexSearch is a Java application that performs find and find-and-replace searches for regular expressions on multiple text files.

BruteBlock 0.0.5 review

Alternative/similar