Idea for a security program

David Kramer david at thekramers.net
Wed Dec 27 20:51:34 EST 2006


So when I rebuilt my server woth FC6, I decided to throw in a few extra
security programs.  I've been disappointed with some of them (both
chkrootkit and rkhunter seem to give lots of false positives I can't
configure out, for instance), but I *REALLY* liek denyhosts.  This
program monitors your /var/log/secure, and when it sees too many (for
configurable values of "too many") failed login attempts from an IP
address, it adds that IP address to /etc/hosts.deny.  But it even goes
further and timestamps the entries, removing them after a time so you
don't get 3 million entries which have long since given up on your
server.  It's da bomb.

I got the idea for a similar tool for things like users trying to relay
through my SMTP server and trying to email to random email addresses at
my dozen or so domain names.  Being me, I started planning a more
generalized program that can read in a configuration file with a logfile
filename to monitor, and a series of regular expressions that will match
lines from baddies, capturing the IP address from them, and adding them
to /etc/hosts.deny, just like denyhosts does.  You can do it for most
any service that way.

I already wrote the part that "tails" the file and looks for lines
matching a regex, copying the IP address from them.  Then I hit the DOH!
moment.  Postfix doesn't actually use /etc/hosts.deny (tcpwrappers).
That means I need a configurable action to take on matching records,
too.  I can add the IP address to /etc/postfix/access and rebuild the
database from it, but that means the baddies are still getting all the
way up to postfix and loading it, which I would rather not happen.  Or I
can block it from iptables, which is a bit of work too.

So,..
1) Does this sound like a useful thing?  Having a generic log-watching
program that can act upon IP addresses found on certain lines?

2) Does such a tool already exist?  It might be fun to write, but I have
better things to do with my time if one already exists.

3) Does something like this already exist for mail specifically, if a
generalized tool does not exist?

Thanks.

Oh, and if I do finish it, of course I'll GPL it.


PS: I'm sending this post 12/27/06 20:51:10.  Hopefully it will get
published by the new year ;)

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




More information about the Discuss mailing list