FreeBSD brute-force detector

hello

after searching without success for a brute-force detector for FreeBSD and getting more than 2000 tries some days, I decided to write a simple one... in fact, I mean very very simple... but it seems to be efficient... it will extract lines from auth.log that contain the words "fail" or "incorrect" and try to find an IP on those lines
so it doesn't need modules for each service... it's pretty generic

at this time it's not blocking the IP (because I read an ipfw manual in 2 minutes and don't have enough knowledge to write some good rules... if anyone wants to contribute...)

I'll later add an (optional) e-mail notification when someone gets blocked
and it needs an "unblock after X minutes"

Code:
#!/usr/bin/perl
use strict;
use warnings;

# by Luís Fernando Estrozi - lemon@ ]at[ grad.icmc.usp [dot] .br

my $logfile         = '/var/log/auth.log';
my $allowedattempts = 20;          # must be smaller than 100000

##### below are not implemented yet
my $minuteslocked = 120;
my $mailnotify    = 'root';        # leave blank for no notification
#####

open(my $log, '<', $logfile) or die "cannot open $logfile: $!";

my %ip = ();
while (my $line = <$log>) {
        # only look at lines that report a failed login
        next unless $line =~ /fail/i || $line =~ /incorrect/i;

        # extract the first dotted-quad IPv4 address on the line (each octet 0-255)
        my ($o1, $o2, $o3, $o4) = $line =~ /\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b/;
        next unless defined $o1;

        my $thisip = "$o1.$o2.$o3.$o4";
        $ip{$thisip}++;

        if ($ip{$thisip} > $allowedattempts && $ip{$thisip} < 100000) {
                $ip{$thisip} = 100001;   # mark as processed so the rule is printed only once

                # probably some basic checks like IP different from localhost, 127.0.0.1 or some machine's IP
                # just printing at this time ('add' is needed for ipfw to accept the rule)
                print "/sbin/ipfw -q add deny all from $thisip to any\n";
        }
}
close($log);
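As an added worked example (not the poster's script and not part of the original post), here is a Python version of the same idea that also covers the pieces the post lists as still to do: it skips localhost and an allowlist, counts failures only inside a time window rather than for the whole life of the log, and records an "unblock after X minutes" time so a source can be re-armed. The log lines, the host name `gw`, the year used to complete syslog timestamps, and the thresholds are all constructed for the example; the `ipfw` line is the one the post prints, with `add` included so ipfw accepts it.

```python
"""Sliding-window brute-force detector over FreeBSD-style auth.log lines.

Same approach as the post: grep for 'fail'/'incorrect', pull an IPv4 address
out of the line, count per source.  Added here: window, allowlist, expiry.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog/auth.log layout. Addresses come from the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24); nothing here is real.
SAMPLE_LOG = """\
Mar 10 12:00:01 gw sshd[2001]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar 10 12:00:02 gw sshd[2001]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar 10 12:00:03 gw sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Mar 10 12:00:04 gw sshd[2003]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
Mar 10 12:00:05 gw sshd[2004]: Failed password for alice from 198.51.100.7 port 41001 ssh2
Mar 10 12:00:06 gw sshd[2005]: Failed password for bob from 127.0.0.1 port 33000 ssh2
Mar 10 12:00:07 gw sshd[2006]: Failed password for root from 203.0.113.5 port 50125 ssh2
Mar 10 12:00:08 gw sshd[2007]: Failed password for root from 999.1.1.1 port 1 ssh2
Mar 10 13:30:00 gw sshd[2008]: Failed password for root from 203.0.113.5 port 50126 ssh2
"""

FAIL_RE = re.compile(r"fail|incorrect", re.IGNORECASE)  # same keywords as the post
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")


def parse_line(line, year):
    """Return (timestamp, ip) for a failed-login line, or None if it is not one."""
    if not FAIL_RE.search(line):
        return None
    ts_m = TS_RE.match(line)
    ip_m = IPV4_RE.search(line)
    if not (ts_m and ip_m):
        return None
    try:
        ip = ipaddress.ip_address(ip_m.group(0))  # rejects junk like 999.1.1.1
    except ValueError:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumption)
    ts = datetime.strptime(f"{year} {ts_m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, ip


def detect(lines, threshold=3, window=timedelta(minutes=10),
           lock=timedelta(minutes=60), allow=(), year=2024):
    """Replay lines in order; return block events as (ip, blocked_at, unblock_at)."""
    allowlist = {ipaddress.ip_address(a) for a in allow}
    attempts = defaultdict(deque)  # ip -> timestamps of recent failures
    blocked_until = {}             # ip -> expiry of its current block
    events = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip.is_loopback or ip in allowlist:
            continue  # the "basic checks" the post mentions (localhost, own hosts)
        if ip in blocked_until:
            if ts < blocked_until[ip]:
                continue  # already blocked; nothing more to do
            del blocked_until[ip]  # lock expired: re-arm the counter
            attempts[ip].clear()
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures outside the window
        if len(q) >= threshold:
            blocked_until[ip] = ts + lock
            events.append((str(ip), ts, ts + lock))
            q.clear()
    return events


def block_command(ip):
    """The ipfw rule the post prints; 'add' is required for ipfw to accept it."""
    return f"/sbin/ipfw -q add deny ip from {ip} to any"


if __name__ == "__main__":
    for ip, start, end in detect(SAMPLE_LOG.splitlines()):
        print(f"{start:%H:%M:%S} {block_command(ip)}   # unblock at {end:%H:%M:%S}")
```

On the constructed lines, 203.0.113.5 is blocked at the third failure (12:00:03) until 13:00:03; its fourth failure at 12:00:07 is ignored because it is already blocked, and the one at 13:30:00 starts a fresh count of one. The loopback line and the malformed address are dropped, and 198.51.100.7 stays under the threshold. The two differences from the post's counter are deliberate: the window means a slow trickle of failures over weeks does not eventually trip the rule, and the expiry means a source can be blocked again after the lock ends instead of being marked "processed" forever.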
