
Authwatch

by Matthew Baker last modified 2006-02-19 22:18

A small Perl script which uses an auth log to dynamically block hosts performing brute-force password attacks via iptables.

AuthWatch - Watch and block failed/invalid logins.

With permission from Julian Field I've modified his IPBlock custom module used for MailScanner (www.mailscanner.info) to create a small IDS utility. The original idea came from Craig Dibble.

Swatch is used to monitor the output of the syslog facility auth/authpriv for failures/invalid users (or any text strings configured in swatch) containing the IP address of the offending attacker. The matching log line is passed to the script, which extracts the IP address from the line and compares it to a database file it maintains. When the count recorded for an IP address exceeds a configured threshold, the address is added as a (configurable) iptables filter rule.

By default all traffic is dropped from that host, as they are most likely up to no good and will possibly attempt other ways to gain access to your machine. By configuring the swatch.rc file it is theoretically possible to send the script lines from any source, therefore expanding the scope to block hosts based on other authentication mechanisms or log output: for example failed logins from ssh, ftp, any PAM module, or a particular snort trigger. Examples in the script show how to set it up; it was initially intended for blocking ssh failures.
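As an added illustration (not the authwatch.pl script itself, which is linked below), here is the core of that mechanism in Python: extract the IP from a line swatch would hand over, count failures per host in a dict standing in for the DBM file, and build the DROP rule once the threshold is reached. The sample sshd log lines, the threshold of 3 and the INPUT chain are assumptions.

```python
import re
import subprocess
import time

# Matches the IPv4 address in an sshd "Failed password"/"Invalid user" line.
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
THRESHOLD = 3  # assumed; the page leaves the threshold configurable

def extract_ip(line):
    """Return the offending IPv4 address from an auth log line, or None."""
    m = IP_RE.search(line)
    return m.group(1) if m else None

def record_failure(db, ip, threshold=THRESHOLD):
    """Bump the per-IP failure count in db (dict-like, stands in for the
    DBM file) and report whether this hit reached the threshold.  The block
    time is stored too, as the page says the script does for later cleanup."""
    count = db.get(ip, 0) + 1
    db[ip] = count
    if count == threshold:
        db["blocked:" + ip] = int(time.time())
        return True
    return False

def block_rule(ip, chain="INPUT"):
    """iptables command dropping all traffic from ip (the page's default action)."""
    return ["iptables", "-I", chain, "-s", ip, "-j", "DROP"]

def process_line(line, db, apply_rule=False):
    """Handle one log line; returns the iptables command if a block was triggered."""
    ip = extract_ip(line)
    if ip is None:
        return None
    if record_failure(db, ip):
        cmd = block_rule(ip)
        if apply_rule:  # needs root; off by default so the example runs anywhere
            subprocess.run(cmd, check=True)
        return cmd
    return None

# Constructed sample lines in sshd's syslog format (not real traffic).
SAMPLE_LINES = [
    "Oct 11 21:15:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2",
    "Oct 11 21:15:05 host sshd[1235]: Failed password for root from 203.0.113.7 port 4023 ssh2",
    "Oct 11 21:15:06 host sshd[1236]: Failed password for root from 198.51.100.9 port 4100 ssh2",
    "Oct 11 21:15:09 host sshd[1237]: Invalid user oracle from 203.0.113.7",
]

def run_sample(lines=SAMPLE_LINES):
    """Feed the sample lines through; returns (per-line actions, final db state)."""
    db = {}
    return [process_line(l, db) for l in lines], db
```

Only the third failure from 203.0.113.7 produces a rule; 198.51.100.9 stays below the threshold.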

It requires these packages:

syslog (erm)
swatch swatch.sourceforge.net
2.4 or 2.6 linux kernel with Netfilter, IPtables configured.
IPTables::IPv4 perl module (important: see the note in the script).
Net::IP perl module.
Net::CIDR perl Module.
AnyDBM_File perl module.

You can get it here:

authwatch.pl (First revision).


To do:

It records a time stamp when the host was added so later I will add a cron cleanup script.
A script to list the contents of the db.
A script to restore IPs back into the chains after a reboot or other reloading of the firewall configuration.

Enjoy!


Matt Baker Oct 2004 - released under an Artistic License
