Bastille-Mon - Firewall Guardian

Purpose of this project:
Having a firewall is great - it keeps track of internet users trying to access unauthorised ports on your server/desktop.
The problem is that all it does is log the attempted entry. This leaves your machine open to port scanners and to those lifeless people who have no ambition beyond trying to break into your server/desktop (for whatever reason).

So I decided to write a wrapper for my firewall that tails my messages file; any IP that attempts more than 3 port connections to my server gets blocked via iptables and added to a file, so on firewall reload they remain locked out (eternally), no matter how trivial the attempt :). It also sends an email to the abuse contact for the IP, complaining that their IP is hitting the server, with a full report of their activity logs.

Changes I have seen before and after running bastille-mon:
Port scanners used to get reported by PSAD alert emails and you would see an IP had scanned 900 ports.
Now IPs get reported after they hit 3 ports, because the denial rule added by bastille-mon locks them out.

I am pretty sure this will work with other firewalls too - I just have not played around much - maybe the iptables rule might need changing to suit the firewall.

Download it here Bastille-Mon (ver 1.4.2)


BastilleMon(itor)

Free for all to use - the catch is you need Linux.
This program is written in Perl and requires a few Perl modules:
File::Tail;
Sys::Syslog;
Net::SMTP;
Net::Whois::IP;
IPTables::IPv4;


All of the above will be auto-installed.


This works with the Bastille firewall and stores its configuration in
/etc/Bastille

It can easily be modified to work with any firewall; please read further down
and look for the chain variable in the configuration file.

Running as a daemon, it monitors /var/log/messages (configurable)
for Bastille iptables dropped-packet logs as well as PSAD scan alerts;
it has a threshold for TCP/UDP as well as for PSAD (view the cfg file).

It will block the IP in iptables instantly, send an email to the abuse contact of the IP,
and store the event in /etc/Bastille/bastille-mon.run.

................................................................................
AFTER INSTALL
................................................................................
Once it is all installed, please remember
to edit /etc/init.d/bastille-firewall (line 88) and add:
sh  /etc/Bastille/bastille-mon.run

It will look like this:
......
  start|restart|reload)
      if [ $bretval -eq 0 ]; then touch $LOCKFILE; fi
      sh  /etc/Bastille/bastille-mon.run
......


Once downloaded, run:

tar -xvzf bastille-mon-v1.0.tar.gz
cd bastille-mon-v1.0
./INSTALL.sh

This will install the script as well as the Perl modules (if needed); please read below.

................................................................................
Description of files installed.
................................................................................
Starting/Stopping :
/etc/init.d/bastille-mon.sh {start|stop}

Configuration File:
/etc/Bastille/bastille-mon.cfg


#Configuration File for bastille-mon

#Run this application as a daemon? The answer should be 1
daemonize = 1

#file being monitored - if you have firewall logs going to kern.log or syslog then change below
#please note: messages also catches PSAD attempts, which the script recognises
watchfile = /var/log/messages

#max attempts on any unauthorised tcp port - set to 2 or 3 attempts per ip
#Define how sensitive you want your monitor to be [1 means 1 packet hitting port] [5 means after 5 attempts lock ip out and report it]
tcp_max = 3

#max attempts on any unauthorised udp port - set to 2 attempts per ip
udp_max = 3

#psad attacks - set to 1
psad_max = 1


#specific firewall chain: run iptables -L -n |more and view which chain does the public block
#on bastille this is called PUB_IN, as below
chain = PUB_IN

#your domain  or servername
domain = mydomain.com

#your email address used when sending out abuse emails
from = noreply@mydomain.com

#various configuration you need to define - known TCP/UDP ports and actual IPs not to monitor
knownhosts = /etc/Bastille/allowed-hosts
knowntcp = /etc/Bastille/allowed-tcp
knownudp = /etc/Bastille/allowed-udp

#bastille rules that this script logs to and bastille-firewall should load at startup.
cfgfile = /etc/Bastille/bastille-mon.run

#ports file used when sending out abuse emails
ports = /etc/Bastille/ports.txt

#bastille-mon log file - where all actions are logged
logfile = /var/log/fw-actioned.log

#Actual pid file for bastille-mon daemon
PIDFILE = /var/run/bastille-mon.pid

#System commands
iptables = /sbin/iptables
egrep = /bin/egrep

Allowed Hosts:
/etc/Bastille/allowed-hosts

This lets you define work/friends IPs to ignore, as part of allowed-hosts.
/usr/local/bastille-mon/update-ignorelist.sh is run each time bastille-mon is started.
This runs "last" and adds all IPs found in the last output to allowed-hosts. If you wish to
disable this feature, comment it out of /etc/init.d/bastille-mon.sh, or edit update-ignorelist
and define last for a specific user, i.e. "last freddie" where freddie is the user account
of the person that logs in.

Trusted UDP/TCP Ports:
/etc/Bastille/allowed-udp
/etc/Bastille/allowed-tcp

Please ensure you put port numbers, one port per line, in the above files for any ports
that you think are not a threat and you don't wish to ban IPs over. In my case I used to
have tcp 8180 open in the past, so search engines/results still hit it, and I don't wish to
report users for doing this, so 8180 is in my allowed-tcp file.

Log Files:
/var/log/fw-actioned.log
This is a record of all the blocks made by bastille-mon.

/etc/Bastille/bastille-mon.run
Contains all iptables rules to be run when bastille-firewall is started.
I have added a whole bunch of South East Asian attackers listed in:
http://www.tatsukichi.gr.jp
Feel free to wipe all this by running:
>/etc/Bastille/bastille-mon.run
(only before first usage, unless you want your own blocklist)

Latest Port Mapping:
/etc/Bastille/ports.txt
This uses wget to get the latest version of ports.txt, which is used within the email sent,
with details of the name of the port that was being hit. Please run it once in a blue moon
(make sure you have wget installed) or enable it in the startup script, where it is currently
hashed out:
/usr/local/bastille-mon/get-latest-ports.sh
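As an added example (not part of Bastille-Mon, which is written in Perl), here is the blocking logic described above in Python: it parses netfilter LOG lines from messages, skips allowed hosts and allowed ports, counts hits per source and protocol against tcp_max/udp_max, and produces the persistent rule for the chain from the cfg. The sample log lines, the "Bastille:" log prefix and the exact shape of the iptables rule are assumptions, since the README does not show them.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG lines as they land in /var/log/messages.
# SRC/DST/PROTO/DPT are standard netfilter fields; the "Bastille:" prefix is an assumption.
SAMPLE_LOG = """\
Mar  3 10:00:01 host kernel: Bastille: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4455 DPT=22
Mar  3 10:00:02 host kernel: Bastille: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4456 DPT=23
Mar  3 10:00:03 host kernel: Bastille: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=8180
Mar  3 10:00:04 host kernel: Bastille: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5001 DPT=8180
Mar  3 10:00:05 host kernel: Bastille: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5002 DPT=8180
Mar  3 10:00:06 host kernel: Bastille: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=UDP SPT=6000 DPT=161
Mar  3 10:00:07 host kernel: Bastille: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4457 DPT=25
"""

# Mirrors the bastille-mon.cfg keys; the sets stand in for the allowed-hosts,
# allowed-tcp and allowed-udp files (one entry per line in the real files).
CFG = {"tcp_max": 3, "udp_max": 3, "chain": "PUB_IN",
       "knownhosts": {"192.0.2.50"}, "knowntcp": {8180}, "knownudp": set()}

LOG_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)")

def parse_drop(line):
    """Return (src_ip, proto, dport) for a netfilter log line, else None."""
    m = LOG_RE.search(line)
    return (m.group("src"), m.group("proto"), int(m.group("dpt"))) if m else None

def block_rule(ip, cfg):
    """Rule appended to bastille-mon.run so the block survives a firewall
    reload (exact rule shape is an assumption; the README does not show it)."""
    return f"/sbin/iptables -I {cfg['chain']} -s {ip} -j DROP"

def find_offenders(lines, cfg):
    """Count unauthorised-port hits per (ip, proto); once a source reaches
    tcp_max/udp_max it is blocked once. Allowed hosts/ports are never counted."""
    hits, rules = defaultdict(int), {}
    for line in lines:
        parsed = parse_drop(line)
        if parsed is None:
            continue
        ip, proto, dport = parsed
        allowed = cfg["knowntcp"] if proto == "TCP" else cfg["knownudp"]
        if ip in cfg["knownhosts"] or dport in allowed:
            continue
        hits[(ip, proto)] += 1
        limit = cfg["tcp_max"] if proto == "TCP" else cfg["udp_max"]
        if hits[(ip, proto)] >= limit and ip not in rules:
            rules[ip] = block_rule(ip, cfg)
    return rules
```

With the sample above only 203.0.113.7 reaches tcp_max; the hits on allowed port 8180 and from the allowed host 192.0.2.50 are ignored, which is the effect of the allowed-tcp and allowed-hosts files.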