11
|
1 <reference>
|
|
2 <title>@PACKAGE@</title>
|
|
3 <partintro>
|
|
4 <title>Packages</title>
|
|
5 <para>The various source and binary packages are available at <ulink
|
19
|
6 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>
|
12
|
7 The most recent documentation is available at <ulink
|
|
8 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>
|
11
|
9 </para>
|
|
10 </partintro>
|
|
11
|
|
12 <refentry id="@PACKAGE@.1">
|
|
13 <refentryinfo>
|
36
|
14 <date>2007-11-08</date>
|
11
|
15 </refentryinfo>
|
|
16
|
|
17 <refmeta>
|
|
18 <refentrytitle>@PACKAGE@</refentrytitle>
|
|
19 <manvolnum>1</manvolnum>
|
|
20 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
|
|
21 </refmeta>
|
|
22
|
|
23 <refnamediv id='name.1'>
|
|
24 <refname>@PACKAGE@</refname>
|
|
25 <refpurpose>a simple adaptive firewall</refpurpose>
|
|
26 </refnamediv>
|
|
27
|
|
28 <refsynopsisdiv id='synopsis.1'>
|
|
29 <title>Synopsis</title>
|
|
30 <cmdsynopsis>
|
|
31 <command>@PACKAGE@</command>
|
|
32 <arg><option>-c</option></arg>
|
|
33 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
|
|
34 </cmdsynopsis>
|
|
35 </refsynopsisdiv>
|
|
36
|
|
37 <refsect1 id='description.1'>
|
|
38 <title>Description</title>
|
12
|
39
|
|
40 <para><command>@PACKAGE@</command> is a simple adaptive firewall. It
|
|
41 maintains the INPUT chain of the <citerefentry>
|
|
42 <refentrytitle>iptables</refentrytitle> <manvolnum>1</manvolnum>
|
|
43 </citerefentry> firewall set based on syslog entries. These syslog
|
|
44 entries are typically generated by your hardware firewall, but they
|
|
45 could come from any source. Any syslog entry that contains a host name
|
|
46 or ip address can be used as input to this package.</para>
|
11
|
47
|
12
|
48 <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
|
|
49 <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
|
|
50 to be monitored, and the regular expressions (<citerefentry>
|
|
51 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
|
|
52 </citerefentry>) to be applied to new lines in those files. Each
|
|
53 regular expression needs an index to specify the matching substring that
|
|
54 contains either an ip address or host name, and a bucket count which is
|
|
55 added to the leaky bucket for that ip address when a matching line is
|
|
56 read from that syslog file.</para>
|
11
|
57
|
12
|
58 <para>Each ip address has an associated leaky bucket, which leaks one
|
|
59 token per second. Once the bucket contains more than a configurable
|
|
60 threshold number of tokens, that ip address is added to the INPUT chain
|
|
61 with a DROP target. When the bucket is drained to zero, that ip address
|
|
62 is removed from the INPUT chain.</para>
|
|
63
|
|
64 <para>The discussion has focused on syslog files, but any ascii text
|
|
65 file can be used, so long as some other process appends lines to that
|
|
66 file, and those lines containing hostname or ip addresses can be matched
|
|
67 with some regular expression.</para>
|
|
68
|
|
69 <para>Considering syslog files in particular, these are normally rotated
|
|
70 via logrotate. <command>@PACKAGE@</command> properly detects and
|
|
71 handles this case by closing the old file, and reopening the newly
|
|
72 created file.</para>
|
11
|
73 </refsect1>
|
|
74
|
|
75 <refsect1 id='options.1'>
|
|
76 <title>Options</title>
|
|
77 <variablelist>
|
|
78 <varlistentry>
|
|
79 <term>-c</term>
|
|
80 <listitem>
|
|
81 <para>
|
|
82 Load the configuration file, print a cannonical form
|
|
83 of the configuration on stdout, and exit.
|
|
84 </para>
|
|
85 </listitem>
|
|
86 </varlistentry>
|
|
87 <varlistentry>
|
|
88 <term>-d <replaceable class="parameter">n</replaceable></term>
|
|
89 <listitem>
|
|
90 <para>
|
|
91 Set the debug level to <replaceable class="parameter">n</replaceable>.
|
|
92 </para>
|
|
93 </listitem>
|
|
94 </varlistentry>
|
|
95 </variablelist>
|
|
96 </refsect1>
|
|
97
|
16
|
98 <refsect1 id='usage.1'>
|
11
|
99 <title>Usage</title>
|
|
100 <para><command>@PACKAGE@</command> -d 2</para>
|
|
101 </refsect1>
|
|
102
|
16
|
103 <refsect1 id='configuration.1'>
|
11
|
104 <title>Configuration</title>
|
|
105 <para>
|
|
106 The configuration file is documented in <citerefentry>
|
|
107 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
|
12
|
108 </citerefentry>. Any change to the config file will cause it to be
|
|
109 reloaded within three minutes.
|
11
|
110 </para>
|
|
111 </refsect1>
|
|
112
|
24
|
113 <refsect1 id='todo.1'>
|
|
114 <title>TODO</title>
|
|
115 <para>
|
|
116 The following ideas are under consideration.
|
|
117 </para>
|
|
118 <para>
|
|
119 Add a configuration option for the iptables table name in the
|
|
120 pattern statement. This implies handling multiple tables, so each
|
|
121 table needs its own map of ip addresses and bucket values.
|
|
122 </para>
|
|
123 </refsect1>
|
|
124
|
16
|
125 <refsect1 id='copyright.1'>
|
11
|
126 <title>Copyright</title>
|
|
127 <para>
|
31
|
128 Copyright (C) 2007 by 510 Software Group <carl@five-ten-sg.com>
|
11
|
129 </para>
|
|
130 <para>
|
|
131 This program is free software; you can redistribute it and/or modify it
|
|
132 under the terms of the GNU General Public License as published by the
|
31
|
133 Free Software Foundation; either version 3, or (at your option) any
|
11
|
134 later version.
|
|
135 </para>
|
|
136 <para>
|
|
137 You should have received a copy of the GNU General Public License along
|
|
138 with this program; see the file COPYING. If not, please write to the
|
|
139 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
140 </para>
|
|
141 </refsect1>
|
31
|
142
|
|
143 <refsect1 id='version.1'>
|
|
144 <title>CVS Version</title>
|
|
145 <para>
|
|
146 $Id$
|
|
147 </para>
|
|
148 </refsect1>
|
11
|
149 </refentry>
|
|
150
|
|
151
|
|
152 <refentry id="@PACKAGE@.conf.5">
|
|
153 <refentryinfo>
|
36
|
154 <date>2007-11-08</date>
|
11
|
155 </refentryinfo>
|
|
156
|
|
157 <refmeta>
|
|
158 <refentrytitle>@PACKAGE@.conf</refentrytitle>
|
|
159 <manvolnum>5</manvolnum>
|
|
160 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
|
|
161 </refmeta>
|
|
162
|
|
163 <refnamediv id='name.5'>
|
|
164 <refname>@PACKAGE@.conf</refname>
|
|
165 <refpurpose>configuration file for @PACKAGE@</refpurpose>
|
|
166 </refnamediv>
|
|
167
|
|
168 <refsynopsisdiv id='synopsis.5'>
|
|
169 <title>Synopsis</title>
|
|
170 <cmdsynopsis>
|
|
171 <command>@PACKAGE@.conf</command>
|
|
172 </cmdsynopsis>
|
|
173 </refsynopsisdiv>
|
|
174
|
|
175 <refsect1 id='description.5'>
|
|
176 <title>Description</title>
|
|
177 <para>The <command>@PACKAGE@.conf</command> configuration file is
|
27
|
178 specified by this partial bnf description. The entire config file
|
|
179 is case sensitive. All the keywords are lower case.
|
|
180 </para>
|
11
|
181
|
|
182 <literallayout class="monospaced"><![CDATA[
|
27
|
183 CONFIG := {THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE}+
|
11
|
184 THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE ";"
|
27
|
185 ADD-CMD := "add_command" IPT-CMD ";"
|
|
186 REM-CMD := "remove_command" IPT-CMD ";"
|
11
|
187 IGNORE := "ignore" "{" IG-SINGLE+ "};"
|
|
188 IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
|
|
189 FILE := "file" FILENAME "{" PATTERN+ "};"
|
35
|
190 PATTERN := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
|
11
|
191 INDEX := "index" REGEX-INTEGER-VALUE ";"
|
29
|
192 BUCKET := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
|
35
|
193 MESSAGE := "message" REASON ";"
|
|
194 REASON := string to appear in syslog messages
|
27
|
195 IPT-CMD := string containing exactly one %s replacement token for
|
29
|
196 the ip address]]></literallayout>
|
11
|
197 </refsect1>
|
|
198
|
|
199 <refsect1 id='sample.5'>
|
|
200 <title>Sample</title>
|
|
201 <literallayout class="monospaced"><![CDATA[
|
|
202 threshold 550;
|
|
203
|
27
|
204 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
|
|
205 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
|
|
206
|
11
|
207 ignore {
|
|
208 127.0.0.0/8; // localhost
|
|
209 };
|
|
210
|
|
211 file "/var/log/cisco.log" {
|
|
212 pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
|
|
213 index 2; // zero based
|
|
214 bucket 200;
|
35
|
215 message "cisco firewall blocked packet";
|
11
|
216 };
|
|
217 };
|
|
218
|
|
219 file "/var/log/secure" {
|
|
220 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
|
|
221 index 1; // zero based
|
|
222 bucket 400;
|
35
|
223 message "ssh failed password";
|
11
|
224 };
|
|
225 pattern "sshd.*Failed password .* from (.*) port" {
|
|
226 index 1; // zero based
|
|
227 bucket 400;
|
35
|
228 message "ssh failed password";
|
|
229 };
|
|
230 };
|
|
231
|
|
232 file "/var/log/httpd/access_log" {
|
|
233 pattern "(.*) - - .* /cgi-bin" {
|
|
234 index 1; // zero based
|
|
235 bucket 400;
|
|
236 message "apache cgi-bin reference";
|
|
237 };
|
|
238 pattern "(.*) - - .*/index2.php" {
|
|
239 index 1; // zero based
|
|
240 bucket 400;
|
|
241 message "apache index2.php reference";
|
|
242 };
|
|
243 pattern "(.*) - - .*/main.php" {
|
|
244 index 1; // zero based
|
|
245 bucket 400;
|
|
246 message "apache main.php reference";
|
|
247 };
|
|
248 };
|
|
249
|
|
250 file "/var/log/maillog" {
|
|
251 pattern "lost input channel from .* \[(.*)\] .* after mail" {
|
|
252 index 1; // zero based
|
|
253 bucket 200;
|
|
254 message "sendmail spammer dropping connection";
|
|
255 };
|
|
256 };
|
|
257
|
|
258 file "/var/log/messages" {
|
|
259 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
|
|
260 index 1; // zero based
|
|
261 bucket 300;
|
|
262 message "ssh failed password";
|
|
263 };
|
|
264 pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
|
|
265 index 1; // zero based
|
|
266 bucket 300;
|
|
267 message "ssh failed password";
|
11
|
268 };
|
|
269 };]]></literallayout>
|
|
270 </refsect1>
|
|
271
|
31
|
272 <refsect1 id='version.5'>
|
|
273 <title>CVS Version</title>
|
|
274 <para>
|
|
275 $Id$
|
|
276 </para>
|
|
277 </refsect1>
|
|
278
|
11
|
279 </refentry>
|
|
280 </reference>
|