-
Notifications
You must be signed in to change notification settings - Fork 9
Dynamically change firewall
License
GPL-2.0 and 2 other licenses found
Licenses found
GPL-2.0
LICENCE
GPL-2.0
LICENSE
GPL-3.0
COPYING
nigelhorne/sniff2ban
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Sniff2ban scans traffic through a given interface for nasties by performing real-time scanning of your network. Sites can be whitelisted. Usage: sniff2ban [-d] [-k] [-s] [-t seconds] [-v] [-S program1] [-S program2...] [-w IPv4address1[/mask]] [-w IPv4address2[/mask]...] [-p pidfile] [-V] [-W] [ socket ] [ interface ] -d: Block (iptables DROP) sites sending us malware -k: Kill the program sending/receiving the malware (needs netstat which support -W) -m: When --enable-dovecot-scanning or --enable-ssh-scanning is given, this is the maximum number of incorrect password attempts. The default is 3. -p: Write a pidfile for monit(1) or puppet(1) -S: Don't kill this program -s: Don't drop ourself (i.e. whitelist "interface") -t: Consider a connection to be closed after this number of seconds of inactivity have elapsed (default 60). If you see a lot of 'already exists' errors on the console you may like to consider reducing this value, though don't reduce it too much or else you could risk false negatives -T: Temporary directory -v: Verbose -vv for more verbosity -V: Print the version of sniff2ban -w: Don't block (whitelist) this IP address -W: Don't scan whitelisted IP addresses socket: Means to talk to clamd: /full/path/name OR hostname:port, if not given it is determined from clamd.conf, if that file exists interface: Interface to listen to (e.g. eth0), if not given we try to guess If "socket" and/or "interface" aren't given it will take a guess, but it may get them wrong so it's best to be explicit. LIBPCAP is needed to guess the interface. You are urged to keep this product up-to-date. The best way is to checkout the latest version from the GIT repositary about once a day: git clone https://github.com/nigelhorne/sniff2ban.git On systems other than Linux you must use libpcap. On Linux it's use is encouraged but not mandatory. To use LIBPCAP on Debian Linux you must first install the libpcap-dev package; on Fedora you must first install the libpcap-devel package. If you don't install it, you'll need to give the interface argument. On Debian, netstat is provided by the net-tools package. Tested on Linux2.6, FreeBSD7.0, Solaris10, OpenBSD4.2 and NetBSD4.0. On Linux I have used both tinycc and gcc. To build with tinycc: CFLAGS="-Wall -g -bt 20" CPPFLAGS= CXXFLAGS= CC=tcc ./configure automake --add-missing make sudo make install On Solaris10 I have used cc and gcc. You can get libpcap and lsof from http://www.sunfreeware.com/. Whitelisted IPs are tracked and reported. I put this into /etc/rc.local (212.159.0.0 is my ISP which houses secondary MXs so I don't want to blacklist it): sniff2ban -d -s -vv -w 212.159.0.0/19 -W /var/run/clamav/clamd.sock& If you're using TCP to connect to clamd you need to give a hostname:port pair, e.g. localhost:3310. Works well with the Sanesecurity signatures to stop spammers, see http://www.sanesecurity.co.uk/. Very often, after a spam is sent a copy of the same one is sent from the same client, sniff2ban will use your firewall to prevent that. Since the software plays around with system files you MUST run as root. To enable HTTP scanning on Debian: ./configure --enable-http-scanning=/etc/apache2/sites-enabled To enable Dovecot scanning on Debian: ./configure --enable-dovecot-scanning=/var/log/syslog There is also an --enable-ssh-scanning option, however I suggest you do NOT enable it for now because the code hasn't been hardened or optimised. ./configure --enable-ssh-scanning=/var/log/auth.log To enable SMTP brute force detection (not currently implemented) ./config --enable-smtp-scannint=/var/log/mail.log If you see lots of send errors, the chances are that clamd is timingout. In this case, increase ReadTimeout and CommandReadTimeout in clamd.conf to 86400 (1 day) and restart clamd and sniff2ban. If you can't get configure && make to work because of an autoconf issue, try the following commands before rerunning configure: autoscan aclocal autoheader autoconf automake ln -s /usr/share/automake-1.16/compile .
About
Dynamically change firewall
Topics
Resources
License
GPL-2.0 and 2 other licenses found
Licenses found
GPL-2.0
LICENCE
GPL-2.0
LICENSE
GPL-3.0
COPYING
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published