Hi folks, happy new year!
A couple of months ago I came across an awesome new tool on GitHub: Maltrail.
This tool will help us build an autoban script for known attackers or suspicious clients.
Maltrail listens to all incoming traffic, analyses it, and flags malicious traffic.
Of course, Fail2ban needs to be installed; this post will not cover how to install it.
To run Maltrail, Python 2.6.x or 2.7.x is required, together with pcapy.
sudo apt-get install python-pcapy
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py
Set up a web server (optional)
# /etc/fail2ban/filter.d/maltrail.conf
[Definition]
failregex = ^.*hostname\.com <HOST> \d+ x\.x\.x\.x .*(attacker|scanner|reputation).*
ignoreregex =
Replace "hostname.com" with your server hostname and x.x.x.x with your server IP.
This filter searches the Maltrail log for known attackers, scanners, and bad-reputation clients.
If you only want to watch a specific port, edit the filter and replace the \d+ expression with your port number.
# /etc/fail2ban/jail.conf
[maltrail]
enabled = true
filter = maltrail
logpath = /var/log/maltrail/*-*-*.log
# iptables-allports ignores the port setting and blocks the host on every port
port = all
banaction = iptables-allports
maxretry = 1
# 864000 seconds = 10 days
bantime = 864000
I set a high ban time here, but you can change it.
As a bonus, here is my custom jail for the shrunk-window attack.
# /etc/fail2ban/filter.d/shrunk-window.conf
[Definition]
failregex = Peer <HOST>\:.* unexpectedly shrunk window.*repaired+
ignoreregex =
# /etc/fail2ban/jail.conf
[shrunk-window]
enabled = true
filter = shrunk-window
logpath = /var/log/kern.log
# iptables-allports ignores the port setting and blocks the host on every port
port = all
banaction = iptables-allports
maxretry = 1
# 864000 seconds = 10 days
bantime = 864000
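Before enabling either jail with maxretry = 1, it pays to check what the two failregex expressions actually capture, the way fail2ban-regex does. The script below is an added example, not code from the post or from the Maltrail or Fail2ban projects: it parses both filters, substitutes a simplified stand-in for Fail2ban's <HOST> token (IPv4 and hostnames only, an assumption), runs them over constructed log lines, and tallies which hosts would be banned. The sensor name sensor.example.org, server IP 10.0.0.5, and the Maltrail field layout (date, time, sensor name, source IP, source port, destination IP, destination port, ...) are assumptions made for the sample; the kern.log lines are constructed too. The sample includes two lines the filters must reject: a "suspicious" entry that matches none of the three keywords, and an outbound hit where the server itself is the source, which the x.x.x.x anchor must not turn into a self-ban.

```python
import re
from collections import Counter

# Stand-in for Fail2ban's <HOST> substitution (assumption: one token of
# IPv4/hostname characters; real Fail2ban also handles IPv6 and ::ffff: prefixes).
HOST_PATTERN = r"(?P<host>[0-9A-Za-z.-]+)"

# The post's maltrail filter with "hostname.com" and "x.x.x.x" replaced, as the post
# instructs, by constructed values: sensor name sensor.example.org, server IP 10.0.0.5.
MALTRAIL_FILTER = r"""
[Definition]
failregex = ^.*sensor\.example\.org <HOST> \d+ 10\.0\.0\.5 .*(attacker|scanner|reputation).*
ignoreregex =
"""

# The post's shrunk-window filter, unchanged.
SHRUNK_WINDOW_FILTER = r"""
[Definition]
failregex = Peer <HOST>\:.* unexpectedly shrunk window.*repaired+
ignoreregex =
"""

# Constructed Maltrail-style log lines (not real captures). Assumed field layout:
# date time sensor src_ip src_port dst_ip dst_port proto type trail info reference.
MALTRAIL_LOG = [
    "2016-01-02 10:15:01.123456 sensor.example.org 198.51.100.23 51234 10.0.0.5 22 TCP IP 198.51.100.23 known attacker (static)",
    "2016-01-02 10:15:07.000001 sensor.example.org 203.0.113.9 44321 10.0.0.5 80 TCP IP 203.0.113.9 mass scanner (static)",
    # "suspicious" is not one of the filter's keywords, so this line must not count
    "2016-01-02 10:16:00.000000 sensor.example.org 192.0.2.77 40000 10.0.0.5 443 TCP DNS example.net suspicious domain (static)",
    # outbound hit: our own server is the source; the x.x.x.x anchor must stop a self-ban
    "2016-01-02 10:16:30.000000 sensor.example.org 10.0.0.5 22 198.51.100.23 51234 TCP IP 198.51.100.23 known attacker (static)",
    "2016-01-02 10:17:00.000000 sensor.example.org 203.0.113.9 44322 10.0.0.5 443 TCP IP 203.0.113.9 bad reputation (static)",
]

# Constructed kern.log lines (not real captures).
KERN_LOG = [
    "Jan  2 10:20:11 myhost kernel: [12345.678901] TCP: Peer 198.51.100.23:443/52216 unexpectedly shrunk window 3034960795:3034964891 (repaired)",
    "Jan  2 10:20:12 myhost kernel: [12346.000000] TCP: request_sock_TCP: Possible SYN flooding on port 22. Sending cookies.",
]


def parse_filter(text):
    """Return (failregex list, ignoreregex list) from a minimal filter.d-style file."""
    fail, ignore = [], []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # section header or blank line
        key, value = key.strip(), value.strip()
        if key == "failregex" and value:
            fail.append(value)
        elif key == "ignoreregex" and value:
            ignore.append(value)
    return fail, ignore


def compile_filter(text):
    """Substitute <HOST> and compile the filter's expressions."""
    fail, ignore = parse_filter(text)

    def sub(expr):
        return re.compile(expr.replace("<HOST>", HOST_PATTERN))

    return [sub(r) for r in fail], [sub(r) for r in ignore]


def match_hosts(filter_text, lines):
    """Tally failures per host as Fail2ban would: ignoreregex wins, first failregex hit counts."""
    fail_re, ignore_re = compile_filter(filter_text)
    hits = Counter()
    for line in lines:
        if any(r.search(line) for r in ignore_re):
            continue
        for r in fail_re:
            m = r.search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def hosts_to_ban(filter_text, lines, maxretry=1):
    """Hosts whose failure count reaches the jail's maxretry (the post uses 1)."""
    return sorted(h for h, n in match_hosts(filter_text, lines).items() if n >= maxretry)


if __name__ == "__main__":
    print("maltrail jail bans:", hosts_to_ban(MALTRAIL_FILTER, MALTRAIL_LOG))
    print("shrunk-window jail bans:", hosts_to_ban(SHRUNK_WINDOW_FILTER, KERN_LOG))
```

Run it as-is and it reports the two attacker/scanner addresses for the maltrail jail and the single peer for the shrunk-window jail, while the server's own address and the "suspicious domain" line are left alone. Raising maxretry to 2 keeps only the host that appears twice, which is a quick way to see how much a higher threshold changes the outcome before you commit to maxretry = 1 in production.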