Sentry

From The Network People, Inc.



NAME

sentry - safe and effective protection against bruteforce attacks

SYNOPSIS

sentry --ip=N.N.N.N [ --connect | blacklist | whitelist | delist ]
sentry --report [--verbose --ip=N.N.N.N ]
sentry --help

ADDITIONAL DOCUMENTATION


DESCRIPTION

Sentry is designed to detect and prevent bruteforce attacks against your SSH and other daemons. It does so using minimal system resources.

SAFE

Using other bruteforce blockers, I've found myself blocked out of my systems. To prevent that, Sentry manages a whitelist of IPs that have connected more than 3 times and succeeded at least once.

Never again will that forgetful colleague behind the office NAT router get us locked out of our system. Nor the admin in the next cube, whose script just failed to login 7 times in a row.

Sentry includes support for adding IPs to your firewall (IPFW, PF, ipchains). Firewall support is disabled by default. This is because firewall rules may terminate your existing session(s) to the host (attn IPFW users). It is best to get your IPs whitelisted before enabling the firewall options.

SIMPLE

Sentry has an extremely simple database for tracking IPs. This makes it very easy for administrators to view and manipulate the database using external tools including shell commands and scripts. See the EXAMPLES section below.

FLEXIBLE

Sentry supports blocking connection attempts using tcpwrappers and several popular firewalls. It is very easy to extend sentry to support additional blocking lists.

Sentry was written specifically to protect the SSH daemon, but with use by other daemons in mind. SMTP support is planned. As this was written, the primary attack platform in use is no longer compromised servers but botnets made up of compromised PCs on high-speed internet connections. These bots are used for carrying out SSH attacks as well as spam delivery. Blocking a bot kills two birds with one stone.

The programming style of sentry makes it (I hope) obvious where you'd drop in a line of code to call additional methods that suit your needs.

EFFICIENT

Many of the bruteforce blocking apps (denyhosts, fail2ban, sshdfilter) expect to run as a daemon, tailing a log file. That requires an interpreter to be running, which consumes at least 10MB of RAM. This is not an issue for a dedicated server but imagine a hardware node with dozens of virtual private servers. That hardware node loses hundreds of megs to daemon protection.

Sentry uses resources only when connections are made. Since invoking a perl interpreter is somewhat expensive, sentry will also include a shell script that handles the connect phase. This will eliminate the need to fire up an interpreter for the vast majority of connections.

The shell script is also resource friendly. For most connections, it will append a timestamp to a file, stat for the presence of another file and exit.

REQUIRED ARGUMENTS

ip
An IPv4 address. The IP should come from a reliable source that is difficult to spoof. Tcpwrappers is an excellent source. UDP connections are a poor source as they are easily spoofed. The log files of TCP daemons can be a good source if they are parsed carefully to avoid log injection attacks.

All actions except report and help require an IP address. The IP address can be manually specified by an administrator, or preferably passed in by a TCP server such as tcpd (tcpwrappers), inetd, or tcpserver (daemontools).

OPTIONS

blacklist
deny all future connections
whitelist
whitelist all future connections, remove the IP from the blacklists, and make it immune to future connection tests.
delist
remove an IP from the white and blacklists. This is useful for testing that sentry is working as expected.
connect
register a connection by an IP. The connect method logs the attempt and the time. If the IP is whitelisted or blacklisted, it exits immediately.
Next, it checks whether it has seen the IP more than 3 times. If so, it checks the logs for successful, failed, and naughty attempts from that IP. If there are any successful logins, it whitelists the IP and exits.
If there are no successful logins but there are naughty ones, it blacklists the IP. If there are no successful and no naughty attempts but more than 10 connection attempts, it blacklists the IP. See the NAUGHTY section below.
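The connect decision above, together with the lightweight shell connect phase described under EFFICIENT, as an added example written for this page (it is not sentry's own shell script or sentry.pl). It assumes the file database layout shown in the EXAMPLES section (seen/, white/ and black/ directories keyed by A/B/C/D, one timestamp per line in the seen file), the thresholds quoted above (more than 3 connections before the logs are consulted, more than 10 before a silent IP is blacklisted), and standard sshd log lines, where "Accepted ..." marks a successful login and "Invalid user ..." is the naughty marker the NAUGHTY section describes. The log it reads is a constructed sample written into the database directory.

```shell
#!/bin/sh
# Added example, not sentry's own code. Assumed layout: $SENTRY_DB/seen|white|black/A/B/C/D.
# SENTRY_DB defaults to a scratch directory so the script can be tried without touching
# /var/db/sentry; point it at the real database to use it for real.
SENTRY_DB="${SENTRY_DB:-$(mktemp -d)}"
SENTRY_LOG="${SENTRY_LOG:-$SENTRY_DB/auth.log}"

# Constructed sample sshd log (not from a real host). 10.0.1.193 has logged in once;
# 192.0.2.7 has only tried invalid users, which counts as naughty for SSH.
cat > "$SENTRY_LOG" <<'EOF'
Feb 25 20:18:55 gw sshd[1234]: Accepted publickey for matt from 10.0.1.193 port 51234 ssh2
Feb 25 20:19:10 gw sshd[1240]: Invalid user admin from 192.0.2.7 port 40210
Feb 25 20:19:12 gw sshd[1241]: Invalid user oracle from 192.0.2.7 port 40211
EOF

# 10.0.1.193 -> 10/0/1/193, the path fragment used under seen/, white/ and black/
ip_path() { printf '%s\n' "$1" | tr . /; }

# $1 = white|black, $2 = IP: is the IP on that list? (a stat, as the text says)
is_listed() { test -f "$SENTRY_DB/$1/$(ip_path "$2")"; }

# $1 = white|black, $2 = IP: put the IP on that list. Whitelisting also removes the IP
# from the blacklist, as the whitelist option describes.
list_ip() {
    f="$SENTRY_DB/$1/$(ip_path "$2")"
    mkdir -p "$(dirname "$f")"
    date +%s > "$f"
    [ "$1" = white ] && rm -f "$SENTRY_DB/black/$(ip_path "$2")"
    return 0
}

# Number of connections recorded for an IP (0 if never seen)
seen_count() {
    f="$SENTRY_DB/seen/$(ip_path "$1")"
    if [ -f "$f" ]; then wc -l < "$f" | tr -d ' '; else echo 0; fi
}

# Escape the dots so the IP matches literally inside a grep pattern
ip_regex() { printf '%s\n' "$1" | sed 's/\./\\./g'; }

# Successful logins from the IP: sshd "Accepted ... from IP port N" lines
success_count() { grep -c "sshd.*Accepted .* from $(ip_regex "$1") " "$SENTRY_LOG" || true; }

# Naughty attempts from the IP: logins as an invalid user
naughty_count() { grep -c "sshd.*Invalid user .* from $(ip_regex "$1") " "$SENTRY_LOG" || true; }

# Register one connection and print the decision taken for it:
# whitelisted | blacklisted (already listed), seen (nothing to do yet), whitelist | blacklist (listed now)
sentry_connect() {
    ip=$1
    f="$SENTRY_DB/seen/$(ip_path "$ip")"
    mkdir -p "$(dirname "$f")"
    date +%s >> "$f"                                   # log the attempt and the time
    if is_listed white "$ip"; then echo whitelisted; return 0; fi
    if is_listed black "$ip"; then echo blacklisted; return 0; fi
    n=$(seen_count "$ip")
    if [ "$n" -le 3 ]; then echo seen; return 0; fi    # fewer than 4 connections: too early to judge
    if [ "$(success_count "$ip")" -gt 0 ]; then list_ip white "$ip"; echo whitelist; return 0; fi
    if [ "$(naughty_count "$ip")" -gt 0 ]; then list_ip black "$ip"; echo blacklist; return 0; fi
    if [ "$n" -gt 10 ]; then list_ip black "$ip"; echo blacklist; return 0; fi
    echo seen
}

# Usage: SENTRY_DB=/path/to/db sh sentry_connect.sh N.N.N.N
if [ -n "${1:-}" ]; then sentry_connect "$1"; fi
```

The decision is printed rather than acted on so the script stays as cheap as the page describes: for an already listed IP it costs one append and one stat, and the log is only scanned once an IP has crossed the 3-connection threshold.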

EXAMPLES

HOME GATEWAY

$ /var/db/sentry/sentry.pl -r
-------- summary ---------
204 unique IPs have connected 4766 times
139 IPs are blacklisted
  3 IPs are whitelisted

EUROPEAN DNS MIRROR

$ /var/db/sentry/sentry.pl -r
-------- summary ---------
 90 unique IPs have connected 458 times
 48 IPs are blacklisted
  3 IPs are whitelisted

SHELL COMMANDS

View the total number of connections:

 cat /var/db/sentry/seen/*/*/*/* | wc -l
      57

the number of unique IPs that have connected:

 ls /var/db/sentry/seen/*/*/*/* | wc -l
       4

the timestamps for every connection 10.0.1.193 made:

 for ts in `cat /var/db/sentry/seen/10/0/1/193`; do date -r $ts; done

   Wed Feb 25 20:18:55 PST 2009
   Wed Feb 25 20:18:57 PST 2009
   ....
   Wed Feb 25 21:18:45 PST 2009

check if 10.0.1.193 is whitelisted

 test -f /var/db/sentry/white/10/0/1/193 && echo yes
 yes

NAUGHTY

Sentry has flexible rules for what constitutes a naughty connection. For SSH, attempts to log in as an invalid user are considered naughty. For SMTP, the sending of a virus, or an email with a high spam score could be considered naughty. See the configuration section in the script related settings.

CONFIGURATION AND ENVIRONMENT

There is a very brief configuration section at the top of the script. Once your IP is whitelisted, update the booleans for your firewall preference and Sentry will update your firewall too.

Sentry does NOT make changes to your firewall configuration. It merely adds IPs to a table/list/chain. It does this dynamically and it is up to the firewall administrator to add a rule that does whatever you'd like with the IPs in the sentry table.

I use the sentry IP table like so with PF:

 table <sentry_blacklist> persist
 block in quick from <sentry_blacklist>

That blocks all connections from anyone in the sentry table.

DIAGNOSTICS

Sentry can be run with --verbose which will print informational messages as it runs.

DEPENDENCIES

Sentry uses only modules built into perl. Additional modules may be used in the future but Sentry will not depend upon them. In other words, if you extend Sentry with modules that aren't built-ins, also include a fallback method.

BUGS AND LIMITATIONS

There are no known bugs. The IPFW and ipchains code is not tested as I don't use either of them (any more). Report problems to the author.

AUTHOR

Matt Simerson (msimerson@cpan.org)

ACKNOWLEDGEMENTS

Those who came before me: denyhosts, fail2ban, sshblacklist, et al

LICENCE AND COPYRIGHT

Copyright (c) 2009 The Network People, Inc. (info@tnpi.net).

This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See perlartistic.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
