
Thread: vsftpd banner

  1. #1

    vsftpd banner

    Well!
    For some months, a guy has been annoying me. Or let's say, my vsftpd server!

    He tries to log in to my FTP server via brute-force attack.
    So I built a program (C++) to ban such attempts!

    It can be downloaded at ftp://ipkg:ipkg@the29.ath.cx/vsftpd_banner_thE29.ipk
    (just ipkg install url)
    It installs a binary file to /opt/bin called vsftpd_banner

    When you start the program, it waits for NEW log lines at /opt/var/log/vsftpd.log (you can change this via parameter).
    If the line contains FAIL LOGIN it parses out the IP + username. If the same IP was not able to login after 3 attempts, it bans the IP.
    The auto release is after 10 minutes.
    Most of these parameters you can change.
    Just say vsftpd_banner --help to show the parameters.

    I start the program this way: "vsftpd_banner -lf:/opt/var/log/ban_vsftpd.log &"
    So the program logs to ban_vsftpd.log (all other things are default).

    Here is my log from yesterday:
    Wed Sep 17 01:43:37 2008: Failed login attempt: Wed Sep 17 01:43:36 2008 [pid 6862] [Administrator] FAIL LOGIN: Client "87.241.52.130"
    Wed Sep 17 01:43:37 2008: New Fail user registered: Administrator IP: 87.241.52.130
    Wed Sep 17 01:43:40 2008: Failed login attempt: Wed Sep 17 01:43:39 2008 [pid 6862] [Administrator] FAIL LOGIN: Client "87.241.52.130"
    Wed Sep 17 01:43:40 2008: Found user: Administrator with IP: 87.241.52.130 and error cnt 1 in list!
    Wed Sep 17 01:43:40 2008: Raise user error count(2): 87.241.52.130[Administrator]
    Wed Sep 17 01:43:42 2008: Failed login attempt: Wed Sep 17 01:43:41 2008 [pid 6862] [Administrator] FAIL LOGIN: Client "87.241.52.130"
    Wed Sep 17 01:43:42 2008: Found user: Administrator with IP: 87.241.52.130 and error cnt 2 in list!
    Wed Sep 17 01:43:42 2008: Raise user error count(3): 87.241.52.130[Administrator]
    Wed Sep 17 01:43:42 2008: BAN this ass with IP: 87.241.52.130
    Wed Sep 17 01:53:45 2008: UNBAN user (Administrator) with IP: 87.241.52.130
    The ban is not just for ftp! It bans the complete traffic from this IP via iptables.
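
The counting rule described in the post above (three failed logins from one IP, a ten-minute ban) together with the reset on successful login announced later in the thread for version 1.1, as an added Python example that is not the vsftpd_banner source. `BanTracker`, `replay` and the sample lines are constructed for illustration, and the tracker returns ban/unban decisions instead of calling iptables.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# vsftpd line: <ctime> [pid N] [user] FAIL|OK LOGIN: Client "ip"
# The user name is client-supplied text, so the pattern is anchored at both
# ends and the address is validated before it can reach a firewall command.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[(?P<user>.*)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"$')

class BanTracker:
    def __init__(self, max_fails=3, ban_time=timedelta(minutes=10)):
        self.max_fails, self.ban_time = max_fails, ban_time
        self.fails = {}    # ip -> failed logins since the last success
        self.banned = {}   # ip -> time at which the ban is lifted

    def expire(self, now):
        # Lift bans that are over; a daemon would also call this on a timer.
        due = [ip for ip, until in self.banned.items() if until <= now]
        for ip in due:
            del self.banned[ip]
        return [("unban", ip) for ip in due]

    def feed(self, line):
        """Process one log line and return the (action, ip) pairs it causes."""
        m = LINE_RE.match(line.strip())
        if not m:
            return []
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            return []                      # not an address: ignore the line
        now = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        actions = self.expire(now)
        if m["result"] == "OK":
            self.fails.pop(ip, None)       # success clears the counter
        elif ip not in self.banned:
            self.fails[ip] = self.fails.get(ip, 0) + 1
            if self.fails[ip] >= self.max_fails:
                del self.fails[ip]
                self.banned[ip] = now + self.ban_time
                actions.append(("ban", ip))
        return actions

# Constructed sample lines in the format of the log quoted above.
SAMPLE = ['Wed Sep 17 01:43:%02d 2008 [pid 6862] [Administrator] FAIL LOGIN: '
          'Client "192.0.2.10"' % s for s in (36, 39, 41)]

def replay(lines):
    tracker = BanTracker()
    return [a for line in lines for a in tracker.feed(line)]
```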

  2. #2
    Quote Originally Posted by thE_29 View Post
    Well!
    For some months, a guy has been annoying me. Or let's say, my vsftpd server!

    He tries to log in to my FTP server via brute-force attack.
    So I built a program (C++) to ban such attempts!

    It can be downloaded at ftp://ipkg:ipkg@the29.ath.cx/vsftpd_banner_thE29.ipk
    (just ipkg install url)
    It installs a binary file to /opt/bin called vsftpd_banner

    When you start the program, it waits for NEW log lines at /opt/var/log/vsftpd.log (you can change this via parameter).
    If the line contains FAIL LOGIN it parses out the IP + username. If the same IP was not able to login after 3 attempts, it bans the IP.
    The auto release is after 10 minutes.
    Most of these parameters you can change.
    Just say vsftpd_banner --help to show the parameter.

    I start the program this way: "vsftpd_banner -lf:/opt/var/log/ban_vsftpd.log &"
    So the program logs to ban_vsftpd.log (all other things are default).

    Here is my log from yesterday:


    The ban is not just for ftp! It bans the complete traffic from this IP via iptables.

    Good idea.
    I prefer a shell script to do that job, as it can be modified any time
    and the code is open source.
    Could you rewrite your program as a shell script?

    Darius

  3. #3
    Well, I had a shell script, but the problem is getting notified when the logfile grows and which lines are new!

    With version 1.1 I will release the source code too (be sure, there is no callback or virus in it).
    Version 1.1 will reset the error count when the user's (IP) login is successful!


    Edit: Here is the source: http://code.google.com/p/vsftpd-banner/
    Last edited by thE_29; 17-09-2008 at 12:57.

  4. #4
    Quote Originally Posted by thE_29 View Post
    Well, I had a shell script, but the problem is getting notified when the logfile grows and which lines are new!

    With version 1.1 I will release the source code too (be sure, there is no callback or virus in it).
    Version 1.1 will reset the error count when the user's (IP) login is successful!


    Edit: Here is the source: http://code.google.com/p/vsftpd-banner/

    It doesn't matter if you run a script at time / as cron job or run a program to learn logfile size or what lines are new.
    With file size and file date you can discover any size increase.
    Running a monitor daemon with a properly set refresh time you can get what you need - the latest lines in the logfile, and with grep, whether the new lines are relevant in your case.

    And you still have control over your friend, who has forgotten his password.

    Yahoo implemented many such automagically run scripts, and sending e-mail to yourself sometimes gets it delivered into the spam folder of your mailbox.

    Darius

  5. #5
    Well, my program is just running, not via daemon!

    The main problem is that you have to know which lines are new! So you have to count the old lines and compare it to the amount of the old lines.

    Here is the problem! My log files are sometimes bigger than 100MB, and reading a complete file every 2.5s (my program refreshes every 2.5 seconds) to get the amount of the lines isn't very clever.

    So I decided to write a program (at least my job is software designer, I knew what I was doing).
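
The "which lines are new" problem from this exchange can be handled by remembering a byte offset, so each poll costs one `stat` plus a read of only the appended bytes, whatever the size of the log. This is an added Python example, not code from vsftpd_banner; `LogFollower` and `demo` are hypothetical names and the file contents are constructed.

```python
import os
import tempfile

class LogFollower:
    """Return only the lines appended since the previous poll."""
    def __init__(self, path):
        self.path, self.inode, self.offset, self.partial = path, None, 0, b""
        try:
            st = os.stat(path)             # start at the end: new lines only
            self.inode, self.offset = st.st_ino, st.st_size
        except FileNotFoundError:
            pass                           # file may appear later

    def poll(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return []                      # mid-rotation: try again next poll
        if st.st_ino != self.inode or st.st_size < self.offset:
            # Rotated (new inode) or truncated: read the new file from the top.
            self.inode, self.offset, self.partial = st.st_ino, 0, b""
        if st.st_size == self.offset:
            return []                      # nothing appended, nothing read
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read(st.st_size - self.offset)
        self.offset += len(chunk)
        # Keep an unfinished last line until its newline arrives.
        *lines, self.partial = (self.partial + chunk).split(b"\n")
        return [l.decode("utf-8", "replace") for l in lines]

def demo():
    """Constructed run: append, poll, finish a half line, truncate, poll."""
    path = os.path.join(tempfile.mkdtemp(), "vsftpd.log")
    with open(path, "w") as f:
        f.write("old line 1\nold line 2\n")
    follower = LogFollower(path)
    with open(path, "a") as f:
        f.write("new line 3\nhalf")
    first = follower.poll()
    with open(path, "a") as f:
        f.write(" line 4\n")
    second = follower.poll()
    with open(path, "w") as f:             # truncation, as a log rotation may do
        f.write("after rotate\n")
    third = follower.poll()
    return first, second, third
```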

  6. #6
    Can you make a short how-to also?

  7. #7
    I will make one at the weekend, because I am travelling to Den Haag for some days!
    Be back at weekend.

  8. #8
    I tried to use your program, since I don't like other people to sniff around my files, and I think it is a good idea to keep them from trying. When I check the log made by your application, it reports:

    Wed Sep 24 17:25:01 2008: Startup: Wed Sep 24 17:25:01 2008

    Wed Sep 24 17:25:01 2008: /opt/var/log/vsftpd.log 718026656
    Wed Sep 24 17:25:01 2008: Could not open /opt/var/log/vsftpd.log!
    Aborting...

    Probably I made some stupid mistake. I think vsftpd_banner can open the log file, since it writes to it, however it is aborting....
    Perhaps a note in the manual you are making could help me?
    Thanks for your efforts and making them available to the board,
    Ecori

  9. #9
    @ecori: Your log file size is ~684MB?
    Maybe moving the old one and try a smaller one would avoid this problem!

    But I wonder why it should be a problem... I will test it with such a file.

    @lordu: I hope I have time today to make a howto!

  10. #10
    As I have not had much time the last days, here is some news:

    .) vsftpd_banner is not anymore

    .) log_banner is a new project which has more features
    -> can read /tmp/syslog.log
    -> can watch for more programs in one log
    -> can also read the vsftpd.log

    The program is working. But parsing the conf file is a little problem. So I hope I have enough time this week to finish it!
    I will also give a HowTo for the log_banner.

    Here is the source: http://code.google.com/p/log-banner/
