Sick of having thousands of failed login attempts, Apache probes, etc. on your server? This script bans the offending IP addresses when that type of activity is detected.

logwatcher.pl is a simple script that periodically checks your log files for whatever you deem to be abuse and bans the matching IP addresses using iptables. I say "you deem" because the script ships with only a small number of rules, meant to give you an idea of how to configure it.

The good thing about this script is that you don't have to change any of your server's configuration to use it; all you have to do is add it to the crontab. I have mine on a 1 minute cronjob.

Now the bad things about this script: it does not monitor the logs in real time, so there can be up to a minute of delay between the abuse occurring and the IP address being banned. Also, because of all the regex matching it does, it may not be suitable for high traffic servers. Having said that, it does not look at the same line in a log file more than once.
Install the script as root:

$ su
# mkdir /opt/logwatcher
# cp logwatcher.pl /opt/logwatcher
# cp rules.conf /opt/logwatcher
# chmod +x /opt/logwatcher/logwatcher.pl

Create the chain the script bans into and make INPUT jump to it first:

# iptables -N Firewall-1-Banned
# iptables -I INPUT 1 -j Firewall-1-Banned

Then open the root crontab:

# crontab -e

And insert the following line; this will make the script run once a minute:

*/1 * * * * /opt/logwatcher/logwatcher.pl
To configure logwatcher you just have to edit the rules.conf file. This file is a JSON hash with the following format: iptables_chain is the chain that bans are inserted into, allowed_ips lists addresses that are never banned, and every other key is a log file (shell globs are allowed) mapped to a list of rules. Each rule has a name, the date_format of the log, the regex (rule) applied to each line, the meaning of its capture groups (format, e.g. date_ip_message), the number of matches that trigger the action (threshold), and how long a ban lasts in seconds (ban_time; 21600 is six hours). Put your own management addresses in allowed_ips before enabling the cron job, or a mistyped rule that matches your own traffic will lock you out. When writing a rule, capture the address from the log line's fixed client field, never from anything a client can write into the log (user names, request paths), or an attacker can get other people's addresses banned.
{
"iptables_chain": "Firewall-1-Banned",
"allowed_ips": [
"127.0.0.1",
...
],
"/var/log/messages": [
{
"name": "pure-ftpd - failed login",
"date_format": "syslog",
"rule": "^(\\w{3} \\d+ \\d{2}:\\d{2}:\\d{2}) \\w+ pure\\-ftpd: .....",
"format": "date_ip_message",
"threshold": 5,
"action": "ban",
"ban_time": 21600
},
...
],
"/var/log/httpd/*-access_log": [
...
]
...
}
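The following is an added example, not code from logwatcher.pl: a minimal Python model of the rule / threshold / ban logic that the rules.conf format above describes, run over constructed log lines. The full pure-ftpd regex (the page elides the end of its own), the log lines, the DROP target, the in-memory state and the iptables argument lists are assumptions made for the demonstration; the real script's command and state file layout may differ. It also shows the two checks you want around such a tool: the whitelist is honoured, and the captured address is validated and taken from the fixed "(?@...)" field rather than from the client-supplied user name.

```python
# Added example, not code from logwatcher.pl: a minimal Python model of the
# rule / threshold / ban logic the rules.conf format describes, run over
# constructed log lines.  The regex, the log lines, the DROP target and the
# state layout are assumptions for the demonstration.
import ipaddress
import re
from collections import defaultdict

# Constructed rules mirroring the rules.conf layout above.  The regex is written
# out in full here because the page elides the end of its own rule; group 1 is
# the timestamp, group 2 the client address and group 3 the message, in the
# order the "date_ip_message" format implies.
RULES = {
    "iptables_chain": "Firewall-1-Banned",
    "allowed_ips": ["127.0.0.1", "10.0.0.5"],
    "/var/log/messages": [
        {
            "name": "pure-ftpd - failed login",
            "date_format": "syslog",
            "rule": (r"^(\w{3} +\d+ \d{2}:\d{2}:\d{2}) \w+ pure-ftpd: "
                     r"\(\?@([\d.]+)\) \[WARNING\] "
                     r"(Authentication failed for user \[[^\]]*\])"),
            "format": "date_ip_message",
            "threshold": 5,
            "action": "ban",
            "ban_time": 21600,
        }
    ],
}


def ftp_fail(minute, ip, user):
    """Build one constructed pure-ftpd failure line in syslog format."""
    return (f"Jan 10 10:{minute:02d}:00 ftp1 pure-ftpd: (?@{ip}) [WARNING] "
            f"Authentication failed for user [{user}]")


# Constructed log excerpt: 203.0.113.7 fails six times, the whitelisted
# 10.0.0.5 fails six times, 198.51.100.9 fails twice.  The user name is
# client-supplied, so one line carries an IP-looking user name to show why the
# address must be taken from the fixed "(?@...)" field and never from free text.
LOG_LINES = (
    [ftp_fail(i, "203.0.113.7", "admin") for i in range(6)]
    + [ftp_fail(10 + i, "10.0.0.5", "backup") for i in range(6)]
    + [ftp_fail(20, "198.51.100.9", "192.0.2.1"),
       ftp_fail(21, "198.51.100.9", "root")]
)


class LogWatcher:
    """One cron run = one scan(); state survives between runs the way the
    script's save_state.conf does (here it is simply kept in memory)."""

    def __init__(self, rules):
        self.chain = rules["iptables_chain"]
        self.allowed = {ipaddress.ip_address(a) for a in rules["allowed_ips"]}
        self.rules = {path: r for path, r in rules.items() if path.startswith("/")}
        self.offsets = {}               # path -> number of lines already examined
        self.hits = defaultdict(int)    # (rule name, address) -> matches so far
        self.bans = {}                  # address -> epoch second when the ban expires

    def scan(self, path, lines, now):
        """Examine only lines appended since the last run; return the iptables
        argument lists a real run would execute (dry run, nothing is executed)."""
        commands = []
        start = self.offsets.get(path, 0)
        for rule in self.rules.get(path, []):
            pattern = re.compile(rule["rule"])
            for line in lines[start:]:
                match = pattern.match(line)
                if not match:
                    continue
                try:                    # never hand a malformed capture to iptables
                    ip = ipaddress.ip_address(match.group(2))
                except ValueError:
                    continue
                if ip in self.allowed or str(ip) in self.bans:
                    continue
                self.hits[(rule["name"], ip)] += 1
                if (rule["action"] == "ban"
                        and self.hits[(rule["name"], ip)] >= rule["threshold"]):
                    self.bans[str(ip)] = now + rule["ban_time"]
                    commands.append(["iptables", "-I", self.chain,
                                     "-s", str(ip), "-j", "DROP"])
        self.offsets[path] = len(lines)
        return commands

    def expire(self, now):
        """Lift bans whose ban_time has elapsed; returns the matching -D commands."""
        commands = []
        for ip, until in list(self.bans.items()):
            if until <= now:
                del self.bans[ip]
                commands.append(["iptables", "-D", self.chain, "-s", ip, "-j", "DROP"])
        return commands


if __name__ == "__main__":
    watcher = LogWatcher(RULES)
    for cmd in watcher.scan("/var/log/messages", LOG_LINES, now=1000):
        print(" ".join(cmd))           # 203.0.113.7 is banned; 10.0.0.5 is whitelisted
    for cmd in watcher.expire(now=1000 + 21600):
        print(" ".join(cmd))
```

The model returns the commands instead of running them so it can be exercised without root; a real run would pass each list to subprocess.run. Note that the per-file offset is what keeps a line from being counted twice across runs, which is why deleting the state file (as in the reset steps below) makes the next run start from the top of every log again.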
If for any reason you want iptables and logwatcher to forget everything they have ever known, you can do the following to restore your server's boot iptables configuration and remove the logwatcher.pl state file.

$ su
# cd /opt/logwatcher
# rm save_state.conf
# iptables --flush
# /etc/init.d/iptables restart

The last line may differ depending on how you reload your iptables configuration. Note that --flush removes every rule in every chain, including the Firewall-1-Banned jump you added during installation, so make sure your saved boot configuration recreates the chain and the jump, or add them again before the next cron run. If you only want to lift the current bans, flush the Firewall-1-Banned chain alone rather than the whole ruleset, and leave the state file in place.