authfail - daemon to REJECT/DROP hosts doing "authentication failure"
DESCRIPTION
authfail is a program that goes with real time updating on FIFO file and adds IP into netfilter with DROP/REJECT policy in real time. The FIFO file is /dev/authfail. The rejected hosts database is located in /var/log/authfail. Each time a given host will do an "authentication failure" via syslog, authfail will count it. If this occure more than the parameters given to authfail, the given host will be REJECTED/DROPPED via Netfilter. Whois notification is possible.
DOWNLOAD
authfail-1.1.7.tgz
MD5SUM e02def27088eacb831f1cd32ada441bf
OPTIONS
authfail may be configured using the /etc/authfail.conf file.
LICENSE
Authfail program is written under the GNU GPL Public License.
In our offer you can buy packages which will support your servers regards international Black Listed Servers. You will have access to premium versions of programs.
NEXT RELEASE
Will contain white list. If you make a few login attempts (below forbidden tries) and login with a proper password then you will be added to whitelist IPs.
BUGS
Email bug reports to bugs@authfail.org. Be sure to include the word "authfail" somewhere in the "Subject:" field.
SEE ALSO
The program is documented fully by its author (see source code).
If You have apache2 2.0.52 You now have a problem:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

If You want to use authfail to secure Your web server, change the following in authfail.pl:
106 #Failed password for invalid user (.*) from (.*) port (.*)$
107 #Failed password for (.*) from (.*) port (.*)$
108 #authentication failed for user (.*) - (.*)$
109 #Illegal user (.*) from (.*)$
110 if( =~ /(Failed password for invalid user|Failed password for) (.*) from (.*) port (.*)$/
111 or
112 =~ /(authentication failed for user) (.*) - (.*)$/
113 or
114 =~ /(Illegal user) (.*) from (.*)$/) {
115 = $3;
116 if(update_failfile()) {
117 update_iptables();
for:
107 if( =~ /(.*) - - \[(.*)\] \"GET \/ HTTP\/1.0\" 400 226 \"-\" \"-\"$/) {
108 = $1;
109 if(update_failfile()) {
110 update_iptables();
SSHD
If You want to have Your sshd more secure change Your sshd_config file in 6 steps.
1. Disable ssh v1 access by changing:
#Protocol 2,1
Protocol 2
2. Disable root login (DANGEROUS):
PermitRootLogin no
3. Limit maximum authentication tries (should be one more than authfail setting to be able to catch and permanently block offenders):
MaxAuthTries 3
4. Only allow remote login from certain accounts, and deny all others:
AllowUsers user1 user2 user3
5. Disallow reading user's /.rhosts:
IgnoreRhosts yes
6. Disallow empty passwords:
PermitEmptyPasswords no