BruteBlock 0.0.5 review

by on

BruteBlock project allows system administrators to block various bruteforce attacks on UNIX services

License: BSD License
File size: 24K
Developer: Alex Samorukov
0 stars award from

BruteBlock project allows system administrators to block various bruteforce attacks on UNIX services. The program analyzes system logs and adds attacker's IP address into ipfw2 table effectively blocking them.

Addresses are automatically removed from the table after specified abound of time. Bruteblock uses regular expressions to parse logs, which gives flexibility allowing it to be used with almost any network service. Bruteblock is written in pure C, doesn't use any external programs and works with ipfw2 tables via raw sockets API.

To compile the program run `make` in bruteblock directory. After compilation, copy bruteblock and bruteblockd files into system binary directory (/usr/local/sbin). Copy bruteblock-ssh.conf into directory where configuration files are located (/usr/local/etc) and edit it to make it suit your needs. Edit /etc/syslog.conf and add the following entry:; |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock-ssh.conf

then restart syslogd (/etc/rc.d/syslogd restart). Run bruteblockd, specifying the same ipfw2 table number as in config file (with -t parameter, e.g. '# /usr/local/bin/bruteblockd -t 1'). Finally, add ipfw rules to block any packets from addresses that match the table, like this:

${fwcmd} add deny ip from me to table(1)
${fwcmd} add deny ip from table(1) to me

Now bruteblock will do it's job.

Configuration file for bruteblock utility allows you to set following values:

regexp - regular expression in perl-compatible format that is used to extract failed password attempts from log files.

"regexp0","regexp1",... "regexp9" - optional fields with up to 10 additional regular expressions. max_count, within_time - defines time interval and maximum number of failed password attempts during that interval. If the number is exceeded by specific IP, that IP is blocked.

reset_ip - time-to-live of a block. When it expires, address is removed from table, thus becoming unblocked.

ipfw2_table_no - number of ipfw2 table to add bad IPs to. Must match -t parameter of bruteblockd.


What's New in This Release:
A configuration file was added for the proftpd daemon.
max_count processing was fixed.
sshd regular expressions are now more strict.

BruteBlock 0.0.5 keywords