Bounce-O-Matic



Index :

About
Requirements
Install
Download
Problems




about :

Bounce-O-Matic reads through the system log files at a specified time interval (via cron), finds unwanted logon attempts, writes the offending source addresses out to an iptables drop file and emits an iptables drop command for each of them.

Bounce-O-Matic is one solution to a common problem, namely the hammering attacks that occur, at least occasionally, everywhere. The script tries to be as simple and as easy to use as possible while remaining versatile and extensible. It was developed with the idea of getting some immediate results from a basic setup of iptables, ssh and Snort. This way attackus-interruptus can be achieved as soon as possible, and the fancy rule development and firewall tweaking can be done at your leisure, or not at all if this script fits the bill.

At the moment the script checks only two log files and handles the following cases; both could be extended :

  • ssh   :  invalid user login
  • ssh   :  failed user login
  • ssh   :  root user login
  • snort :  mysql root user login
  • snort :  portscan (log only)
  • ftp   :  admin ; administrator login
  • ftp   :  root login

Bounce-O-Matic is written in bash. It is not as elegant as it potentially could be, it does not handle connection attempts (only login attempts), it is not a great example of superstar coding, and it probably will not win any prizes for forwarding the cause of world peace or saving the environment; however, it does get the job done!

Once installed, the script needs very little attention, allowing you to go about your business and stop worrying about attackers.

The script aims to be a fire-and-forget type of solution as well as a good solid first line of defense.
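As an added illustration of the log-to-iptables pipeline described above (example code written for this page, not the Bounce-O-Matic script itself), the bash below covers the three sshd cases with the same utilities the script relies on: grep, awk, sort and uniq. The log lines are constructed in OpenSSH syslog format, and the allowlist, the attempt threshold and the drop file location are assumptions of the example; the ftp and Snort cases are left out because their log formats depend on the daemons in use.

```bash
#!/bin/bash
# Added example, not the Bounce-O-Matic script itself: parse sshd log lines,
# pick out the source addresses of unwanted logon attempts, record them in a
# drop file and emit one iptables drop command per newly seen address.

# Constructed sample log lines in OpenSSH syslog format (not a real capture).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[4101]: Invalid user admin from 203.0.113.5
Mar  3 10:01:04 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Mar  3 10:02:11 host sshd[4107]: Failed password for root from 198.51.100.7 port 50112 ssh2
Mar  3 10:02:30 host sshd[4110]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:03:01 host sshd[4112]: Failed password for alice from 192.0.2.10 port 51002 ssh2
Mar  3 10:03:05 host sshd[4115]: Failed password for root from 198.51.100.7 port 50120 ssh2
Mar  3 10:03:09 host sshd[4112]: Failed password for alice from 192.0.2.10 port 51004 ssh2'

# Assumption: addresses that must never be dropped (your own management host),
# so that a typo on your side does not bounce you out of the box.
ALLOWLIST="192.0.2.10"

# Assumption: number of matching attempts from one address before it is dropped.
THRESHOLD=${THRESHOLD:-2}

# Read log text on stdin and print "count ip" for every source address with at
# least THRESHOLD matching lines. The pattern covers the three sshd cases:
# invalid user, failed password, and (failed) root login attempts.
# The user name in these lines is attacker-controlled and may itself contain
# the word "from", so awk scans from the right for the last "from"; the
# following grep keeps only tokens that look like IPv4 addresses so nothing
# else ever reaches an iptables command line.
find_offenders() {
    grep -E 'sshd\[[0-9]+\]: (Invalid user|Failed password for)' \
    | awk '{ for (i = NF; i > 0; i--) if ($i == "from") { print $(i + 1); break } }' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 >= t { print $1, $2 }'
}

# True (exit 0) if $1 is on the allowlist.
is_allowed() {
    local ip
    for ip in $ALLOWLIST; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# The drop command for one address. Inserting at the head of INPUT makes the
# drop win over any accept rule that follows it.
drop_cmd() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Append each new offender to the drop file ($1, one address per line) and
# print its drop command. Addresses already in the file were dropped on an
# earlier cron run and are skipped, as are allowlisted ones.
bounce() {
    local dropfile=$1 count ip
    touch "$dropfile"
    find_offenders | while read -r count ip; do
        is_allowed "$ip" && continue
        grep -qxF "$ip" "$dropfile" && continue
        echo "$ip" >> "$dropfile"
        drop_cmd "$ip"
    done
}

# Demonstration: the first run emits two commands (alice's host is allowlisted
# even though it also hit the threshold); a second run over the same log emits
# nothing. In a real deployment the input would be /var/log/syslog and the
# emitted commands would be executed as root.
DROPFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | bounce "$DROPFILE"
printf '%s\n' "$SAMPLE_LOG" | bounce "$DROPFILE"
rm -f "$DROPFILE"
```

The drop file doubles as the memory between cron runs: because the log is re-read from the top every interval, an address that is not remembered would be re-inserted into INPUT on every run, and the same file is what you would feed back to iptables after a reboot.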


requirements :

Bounce-O-Matic uses commonly available system utilities to accomplish its task.

          awk,  grep,  sort,  uniq,  date,  cat
and makes use of the following other utilities :

iptables :
netfilter support in the kernel and the iptables utility must be available, or you won't be able to drop anything.

sshd :
as long as the daemon is running it logs to the AUTH syslog facility by default (SyslogFacility AUTH in sshd_config). So even if you don't use Snort, you can still catch the invalid user, failed and root logon attempts that land there.

Snort :
I happen to be using Snort version 2.3.3 and logging is being directed to the system log facility

          output  alert_syslog:  LOG_AUTH  LOG_ALERT
where the above line in the snort config file enables the syslog alert output, using the AUTH facility and ALERT priority.

install :

Bounce-O-Matic needs to be run as root. It reads the  /var/log/syslog  and  /var/log/messages  files to begin with (if your system logs elsewhere, check the configuration section at the top of the program), and it calls iptables at the end.

Install script? Not yet.

Install is a three step process :

  • 1) Create the program directory that you want to run the program from, or just move the unpacked archive to /var/log. The default is /var/log/bounce-o-matic. Then check the configuration section at the top of the program; the default values should be acceptable.
  • 2) Set-up the appropriate cron command.
  • 3) Copy the program to the cron location, or point the crontab line to the program location.

cron set-up :

          *  *  *  *  *  /usr/bin/run-parts  /etc/cron.constant  1>  /dev/null
where the line above is for Dillon's Cron. Note that the directory /etc/cron.constant is a name of my own choosing; change it to suit your system, or else create that directory and place the Bounce-O-Matic program in there. Be aware that some run-parts implementations (Debian's, for instance) only run files whose names consist of letters, digits, underscores and hyphens, so a file named Bounce-O-Matic.sh would be silently skipped there and needs renaming (e.g. to bounce-o-matic).

A more generic line, for the system crontab (/etc/crontab, where the sixth field is the user to run as), might look like this :
          *  *  *  *  *  root  /var/log/bounce-o-matic/Bounce-O-Matic.sh  1>  /dev/null
I am not 100% sure of this line, so double check it please.

download :

The archive of Bounce-O-Matic is here.

The changelog of Bounce-O-Matic is here.

The latest version of Bounce-O-Matic is bounce_o_matic-0.9a.tar.bz2


problems :

What could possibly go wrong? ;-)

A note about remote root login :
If you are doing it, you shouldn't be. If you insist upon it, I can't guarantee that you won't bounce yourself if you make a typo.




   Bounce-O-Matic  ©2005,2006 Kevin Clarke
