Swatch

Introduction
Swatch watches system logs for particular strings and can react to them. This makes it able to protect sshd from brute-force attacks.

Installation
Swatch is included in portage, so it is straightforward to install.

Setting up iptables
First we create a new iptables chain, "swatch_rejects", to hold all the blocked IPs so they can be removed easily if necessary. Swatch (and only swatch) will append rules to this chain.

Then we create an unconditional jump to this chain in your INPUT chain. I also place it at rule #5 in INPUT, below all of my own rules that accept my IPs (so you don't accidentally lock yourself out!).

Be sure to save your iptables setup, so these steps aren't necessary every time you reboot.

Now, to see what swatch has been doing to your firewall, simply do:

Swatch general configuration
You can edit general swatch parameters in the file. The only interesting setting here is the name of the log file to tail.

Swatch Rules
The main configuration file is. Here is a good example:

A little explanation of what's being done:

This ignores, in this case, an IP range. Very useful to minimize the possibility that you lock yourself out.

watchfor /(: [iI]nvalid [uU]ser )(.*)( from )(.*)$/
watchfor /(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$/
watchfor /([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$/

This searches our logs for the string between the slashes. The parentheses in the first watchfor are important: they break the log line into chunks that are available as $1, $2, $3, ... $n. In this case, for example, $1 is ": Invalid User "; $2 is everything matched by the first (.*); $3 is " from "; and $4 is everything matched by the second (.*), which happens to be the IP address you want. Note: the $ at the end signifies end of line. Also note that $4 is the IP in both the first and third watchfor block purely by coincidence; you may need to change $4 to a different parenthesis group if you are writing your own custom watchfor block.


 * The "key" tells swatch how to identify the log line. We can't use the whole string here, because the same attacker (i.e. the same IP) will probably try multiple user names. The key can refer to one of the parenthesis groups in the search string (here, $4 = the IP).
 * The "threshold" is the number of times swatch needs to see the "key" before it executes the actions below.
 * The "delay" is the validity period of each "key". When older than 'delay', the "key" is discarded. Use a syntax like HH:MM:SS.
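To make the key/threshold/delay logic concrete, here is an added example (not part of the original page and not swatch's own code) that applies the three watchfor patterns above to constructed sshd log lines, tracks hits per $4 (the IP) inside a sliding window of "delay" seconds, and returns the iptables command for the "swatch_rejects" chain once "threshold" is reached. The sample lines, the timestamps, and the ignored 192.168.x.x admin range are assumptions made for the example.

```python
import re
from collections import deque

# The three watchfor patterns from the page; group 4 of each is the source IP.
PATTERNS = [
    re.compile(r"(: [iI]nvalid [uU]ser )(.*)( from )(.*)$"),
    re.compile(r"(: [fF]ailed password for )(.*)( from )(.*)( port )(.*)$"),
    re.compile(r"([aA]uthentication [fF]ailure for [iI]llegal [uU]ser )(.*)( from )(.*)$"),
]

def parse_delay(hhmmss):
    """Convert the page's HH:MM:SS delay syntax to seconds."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

class Watcher:
    """Counts hits per key (the IP in $4) inside a sliding window of `delay` seconds."""
    def __init__(self, threshold, delay, ignore):
        self.threshold, self.delay, self.ignore = threshold, parse_delay(delay), ignore
        self.hits = {}       # key -> deque of hit timestamps (seconds)
        self.blocked = []    # keys for which the action has already fired

    def feed(self, when, line):
        if self.ignore.search(line):      # like swatch's ignore: skip the whole line
            return None
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                break
        else:
            return None                   # no watchfor matched this line
        key = m.group(4)
        q = self.hits.setdefault(key, deque())
        q.append(when)
        while when - q[0] > self.delay:   # discard hits older than `delay`
            q.popleft()
        if len(q) >= self.threshold and key not in self.blocked:
            self.blocked.append(key)
            # The action the page describes: append a DROP to swatch_rejects (returned, not run).
            return f"iptables -A swatch_rejects -s {key} -j DROP"
        return None

# Constructed sshd log lines as (seconds since start, message) pairs; not real traffic.
SAMPLE = [
    (0,   "sshd[4242]: Invalid user admin from 203.0.113.7"),
    (5,   "sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    (10,  "sshd[4243]: Invalid user test from 192.168.1.20"),
    (12,  "sshd[4242]: Failed password for root from 203.0.113.7 port 51235 ssh2"),
    (200, "sshd[4250]: Invalid user oracle from 198.51.100.9"),
    (300, "sshd[4251]: Invalid user oracle from 198.51.100.9"),
    (320, "sshd[4252]: Failed password for oracle from 198.51.100.9 port 40000 ssh2"),
]

def run_sample(threshold=3, delay="00:01:00"):
    """Feed SAMPLE through a Watcher that ignores the assumed 192.168.x.x admin range."""
    w = Watcher(threshold, delay, re.compile(r" from 192\.168\."))
    return [a for a in (w.feed(t, line) for t, line in SAMPLE) if a]
```

With the defaults only 203.0.113.7 is blocked: 198.51.100.9's first hit has already aged out of the one-minute window when its later hits arrive, which is exactly what "delay" is for.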

Mail a user to say that a new rule has been added to iptables.

Add the offending IP to "swatch_rejects" and drop all future incoming packets from that address. If you are using shorewall, you can define it this way:

Starting Swatch
To start swatch:

Be sure to add it to your default runlevel (after you've tested things, of course).

Other Thoughts

 * This script doesn't provide a way to purge iptables; an additional cron job is required to do that. There is also a risk of the iptables rule set blowing up under a DDoS.
 * Swatch shows up as perl5.8.6 in ps.
 * See DenyHosts for a Python-based solution which uses /etc/hosts.deny.