Bounce-O-Matic 0.9 review
DownloadBounce-O-Matic reads through the system log files at a specified time interval (via cron) and finds unwanted attempted logons
|
|
Bounce-O-Matic reads through the system log files at a specified time interval (via cron) and finds unwanted attempted logons. Bounce-O-Matic writes these attempts out to an iptables drop file and emits a drop command to iptables.
Bounce-O-Matic is one solution to a common problem, namely, those hammering attacks that occur, at least occasionally, everywhere. The script tries to be as simple and as easy to use as possible while being versatile and extensible.The script was developed with the idea in mind of getting some immediate results from a basic setup of iptables, ssh, and Snort. This way attackus-interruptus can be achieved as soon as possible and the fancy rule development and firewall tweaking can be done at your leisure, or not at all if this script suits the bill.
At the moment the script only checks two log files, but it could do more, and it handles the following cases, but it could do more :
ssh : invalid user login
ssh : failed user login
ssh : root user login
snort : mysql root user login
snort : portscan (log only)
ftp : admin ; administrator login
ftp : root login
Bounce-O-Matic is written in bash. It is not as elegant as it potentially could be, it does not handle connection attempts (only login attempts), it is not a great example of superstar coding, and it probably will not win any prizes for forwarding the causes of world peace or saving the environment, however, it does get the job done!
Once installed, the script needs very little attention, allowing you to go about your business and stop worrying about attackers.
The script aims to be a fire-and-forget type of solution as well as a good solid first line of defense.
Bounce-O-Matic uses commonly available system utilities to accomplish its task.
awk, grep, sort, uniq, date, cat
and makes use of the following other utilities :
iptables :
this needs to be running, or you won't be able to drop anything.
sshd :
as long as the daemon is running, it defaults to logging AUTH to syslog. So even if you don't use Snort, you can still catch the invalid and failed and root user logon attempts that happen here.
Snort :
I happen to be using Snort version 2.3.3 and logging is being directed to the system log facility
output alert_syslog: LOG_AUTH LOG_ALERT
where the above line turns on the output directive in the snort config file.
What's New in This Release:
This release adds bounce protection for ftp admin and root login attempts.
Bounce-O-Matic 0.9 keywords