Daemon Shield 0.4.0 review

by rbytes.net on

Find IPs of crackers and kiddies attempting to break in

License: GPL (GNU General Public License)
File size: 0K
Developer: Chuck Sharp
0 stars award from rbytes.net

Find IPs of crackers and kiddies attempting to break in. Creates iptables rules to block attackers' IPs for a specified period of time.

It works by using handlers which are created to watch for attacks against a given service, such as ssh, telnet, ftp, etc. The handlers can be enabled or disabled on a case-by-case basis.

Each handler defines its logfile, search pattern, trigger threshold, and method of determing attacking IPs. When a list of IPs to be dropped is created, it uses a customizable iptables rule to block those IPs from any type of connection to the host.

After the given blocktime, the iptable rule is deleted. The handlers only looks at the logfile's lines that are within a given window of time, from the present till a user-definable amount of seconds back in time.

Currently, ssh and pam modules are functional and enabled by default. The pam handler watches for any "authentication failure" lines and operates accordingly, so it should block any attacks against pam-enabled service.

Here are some key features of "Daemon Shield":
Creates iptables log & reject rules against attacker's IPs.
Background daemon continuously watches logfiles for activity.
Logs to syslog.
Modular attack monitors, easy to extend to other services.
Block rules expire after specified period of time.
Blocklist file also serves as log for blocklist activity.
Email notification for IP block rule creation.
Retains blocklists from one process to the next.
Iptable rules are dynamic. They dissappear when the daemon stops and are reloaded when the daemon restarts.
Only 1 instance of daemonshield will run at one time.

Daemonshield requires Python 2.3 or greater. It also requires iptables, and therefore will only work on linux kernels 2.4 or greater.


1. To install the files for this program, run the following commands as root:

make install

2. Edit /etc/sysconfig/iptables

2a. Add the following line to the list of iptables chains:
:Kiddies - [0:0]

2b. Add the following lines to the end of the file:
-A Kiddies -j LOG --log-level info --log-prefix "Dropped IP: " -m limit --limit 1/m
-A Kiddies -j DROP

3. Edit daemonshield.conf to your taste

4. To run daemonshield upon startup and shutdown (on redhat systems, anyway),

touch /var/lock/subsys/daemonshield
chkconfig --levels=345 daemonshield on

5. To start the daemon, run '/etc/init.d/daemonshield start'

Daemon Shield 0.4.0 search tags