Logwatcher

Sick of having thousands of failed login attempts, Apache probes, etc. on your server? This script will ban the offending hosts when this type of activity is detected.

The logwatcher.pl script is a simple script that periodically checks your log files for what you deem to be abuse and bans the offending IP addresses using iptables. I say what you deem, because the script ships with only a limited set of rules, just to give you an idea of how to configure it. The good thing about this script is that you don't have to change any of your server's configuration to use it; all you have to do is add it to the crontab. I have mine on a 1 minute cronjob. Now the bad things about this script: it does not monitor the logs in real time, so there can be up to a minute's delay from when the abuse occurred until the IP address is banned. Also, due to the nature of this script, it may not be suitable for high traffic servers because of all the regex matching that is done. Having said this, it never looks at the same line in a log file more than once.


Installation

  1. Download the logwatcher.pl and rules.conf files.
  2. Copy these files to a new home:
    $ su
    # mkdir /opt/logwatcher
    # cp logwatcher.pl /opt/logwatcher
    # cp rules.conf /opt/logwatcher
    # chmod +x /opt/logwatcher/logwatcher.pl
  3. Create a firewall chain to hold the ban rules. This chain must be inserted as the first entry of your INPUT chain.
    # iptables -N Firewall-1-Banned
    # iptables -I INPUT 1 -j Firewall-1-Banned
  4. Create the crontab entry:
    # crontab -e
    and insert the following line; this will make the script run once a minute:
    */1 * * * * /opt/logwatcher/logwatcher.pl
  5. Logwatcher will now run once a minute with the default rules. You should now change the rules to suit your needs. See the configuration section below.


Configuration

To configure logwatcher you just have to edit the rules.conf file. This file is a single JSON hash with the following format:

{
	"iptables_chain": "Firewall-1-Banned",
	"allowed_ips": [
		"127.0.0.1",
		...
	],
	"/var/log/messages": [
		{
			"name": "purftpd - failed login",
			"date_format": "syslog",
			"rule": "^(\\w{3} \\d+ \\d{2}:\\d{2}:\\d{2}) \\w+ pure\\-ftpd: .....",
			"format": "date_ip_message",
			"threshold": 5,
			"action": "ban",
			"ban_time": 21600
		},
		...
	],
	"/var/log/httpd/*-access_log": [
		...
	]
	...
}
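To make the meaning of the rule keys concrete, here is a worked model of how a rules hash like the one above is applied on each cron run. This is an added example written in Python for illustration; it is not code from logwatcher.pl (which is Perl) and does not claim to reproduce its internals. The rules hash, the pure-ftpd regex (the page only shows a truncated one) and the log lines are all constructed for the example; the "-A <chain> -s <ip> -j DROP" iptables form and the per-run hit counting are my assumptions, since neither is stated on the page.

```python
import re
from collections import defaultdict

# Constructed rules hash mirroring the layout of rules.conf. The regex is
# my own (the page truncates the real one); everything else is a guess at
# plausible values, not the project's shipped rules.
RULES = {
    "iptables_chain": "Firewall-1-Banned",
    "allowed_ips": ["127.0.0.1"],
    "/var/log/messages": [
        {
            "name": "pure-ftpd - failed login",
            "date_format": "syslog",
            # capture groups appear in the order named by "format"
            "rule": (r"^(\w{3} +\d+ \d{2}:\d{2}:\d{2}) \w+ pure-ftpd: "
                     r"\(\?@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] "
                     r"(Authentication failed for user \[[^\]]*\])"),
            "format": "date_ip_message",
            "threshold": 5,
            "action": "ban",
            "ban_time": 21600,
        }
    ],
}

# Constructed log lines standing in for /var/log/messages.
LOG = {
    "/var/log/messages": [
        f"Nov  5 10:02:{s:02d} ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] "
        f"Authentication failed for user [admin]"
        for s in range(5)  # five failures: reaches the threshold
    ] + [
        "Nov  5 10:02:10 ftp1 pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]",
        "Nov  5 10:02:11 ftp1 pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [bob]",
        "Nov  5 10:02:12 ftp1 sshd[4242]: Accepted publickey for alice from 10.0.0.2 port 50000 ssh2",
    ] + [
        f"Nov  5 10:03:{s:02d} ftp1 pure-ftpd: (?@127.0.0.1) [WARNING] "
        f"Authentication failed for user [test]"
        for s in range(6)  # over the threshold, but the IP is in allowed_ips
    ],
}


def new_state():
    """Empty stand-in for save_state.conf: per-file read position and active bans."""
    return {"offsets": {}, "bans": {}}


def scan(rules, logs, state, now):
    """One cron run: read only unread lines, count rule hits per IP, decide bans.

    Returns the iptables commands that would be run (assumed form, see above).
    """
    chain = rules["iptables_chain"]
    allowed = set(rules["allowed_ips"])
    hits = defaultdict(int)  # (rule name, ip) -> hits seen this run
    rule_by_name = {}

    for path, rule_list in rules.items():
        if path in ("iptables_chain", "allowed_ips"):
            continue  # not a log file entry
        lines = logs.get(path, [])
        start = state["offsets"].get(path, 0)
        compiled = [(r, re.compile(r["rule"]), r["format"].split("_")) for r in rule_list]
        for line in lines[start:]:
            for rule, rx, fields in compiled:
                m = rx.match(line)
                if m:
                    event = dict(zip(fields, m.groups()))  # e.g. {"date":..,"ip":..,"message":..}
                    hits[(rule["name"], event["ip"])] += 1
                    rule_by_name[rule["name"]] = rule
        state["offsets"][path] = len(lines)  # these lines are never re-read

    cmds = []
    for (name, ip), n in hits.items():
        rule = rule_by_name[name]
        if n < rule["threshold"] or ip in allowed or ip in state["bans"]:
            continue
        if rule["action"] == "ban":
            state["bans"][ip] = now + rule["ban_time"]  # expiry as epoch seconds
            cmds.append(f"iptables -A {chain} -s {ip} -j DROP")
    return cmds


def expire_bans(rules, state, now):
    """Lift bans whose ban_time has elapsed; returns the iptables commands."""
    chain = rules["iptables_chain"]
    cmds = []
    for ip, expiry in list(state["bans"].items()):
        if now >= expiry:
            del state["bans"][ip]
            cmds.append(f"iptables -D {chain} -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    st = new_state()
    print(scan(RULES, LOG, st, now=1000))   # bans 203.0.113.7 only
    print(scan(RULES, LOG, st, now=1060))   # nothing new: same lines not re-read
    print(expire_bans(RULES, st, now=1000 + 21600))
```

Two things the run shows that the format description alone does not: the allowed_ips list wins even when an address is far over the threshold (127.0.0.1 above), and the saved offset is what makes the "never looks at the same line twice" property hold, so deleting the state file, as in the reset section, makes the next run re-scan the whole log.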


Resetting the System's State

If for any reason you want iptables and logwatcher to forget everything they have ever known, you can do the following to restore your server's boot-time iptables configuration and remove the logwatcher.pl state file.

$ su
# cd /opt/logwatcher
# rm save_state.conf
# iptables --flush
# /etc/init.d/iptables restart
The last line may differ depending on how you reload your iptables configuration.