authfail - daemon to REJECT/DROP hosts doing "authentication failure"
DESCRIPTION
authfail is a daemon that reads, in real time, from a FIFO file fed by syslog and adds offending IP addresses to netfilter with a DROP or REJECT policy. The FIFO file is /dev/authfail. The database of rejected hosts is kept in /var/log/authfail. Each time a given host produces an "authentication failure" message via syslog, authfail counts it. If this happens more often than the limit given in authfail's parameters, the host is REJECTED/DROPPED via Netfilter. Whois notification is possible.
DOWNLOAD
authfail-1.1.7.tgz
MD5SUM e02def27088eacb831f1cd32ada441bf
OPTIONS
authfail may be configured using the /etc/authfail.conf file.
LICENSE
The program is released under the GNU General Public License (GPL).
AUTHOR
This program was written by Bartek Krajnik (bartek@bmk-it.com).
NEXT RELEASE
Will contain a whitelist. If you make a few failed login attempts (below the forbidden number of tries) and then log in with the proper password, your IP will be added to the whitelist.
BUGS
Email bug reports to bartek@bmk-it.com. Be sure to include the word "authfail" somewhere in the "Subject:" field.
SEE ALSO
The program is documented fully by its author (see source code).
If you run apache2 2.0.52 you now have a problem:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

If you want to use authfail to secure your web server, change the following in authfail.pl:
    # Failed password for invalid user (.*) from (.*) port (.*)$
    # Failed password for (.*) from (.*) port (.*)$
    # authentication failed for user (.*) - (.*)$
    # Illegal user (.*) from (.*)$
    if( $_ =~ /(Failed password for invalid user|Failed password for) (.*) from (.*) port (.*)$/
        or
        $_ =~ /(authentication failed for user) (.*) - (.*)$/
        or
        $_ =~ /(Illegal user) (.*) from (.*)$/ ) {
        # $_ and $ip are reconstructed names (the extracted page lost them);
        # $3 is the host field in each of the three patterns
        $ip = $3;
        if(update_failfile()) {
            update_iptables();
        }
    }
for:
    # match an apache access-log line for a "GET / HTTP/1.0" request answered with 400 and 226 bytes
    if( $_ =~ /(.*) - - \[(.*)\] \"GET \/ HTTP\/1.0\" 400 226 \"-\" \"-\"$/ ) {
        # $_ and $ip reconstructed as above; the client address is the first field ($1)
        $ip = $1;
        if(update_failfile()) {
            update_iptables();
        }
    }
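The counting-and-block logic from the DESCRIPTION, together with the sshd and apache patterns above, as an added Python example (this is not authfail's own Perl code). It reads constructed log lines instead of the /dev/authfail FIFO, keeps the per-host failure count in memory instead of /var/log/authfail, and only builds the iptables command rather than running it. The class and function names, the sample lines and the max_failures threshold are assumptions, and the check that the extracted field really is an IP address before it could reach iptables is an addition not present in the original patterns.

```python
import ipaddress
import re
from collections import defaultdict

# Patterns carried over from the authfail.pl fragments above: the three sshd
# matchers put the host in capture group 3, the apache matcher in group 1.
SSHD_PATTERNS = [
    re.compile(r"(Failed password for invalid user|Failed password for) (.*) from (.*) port (.*)$"),
    re.compile(r"(authentication failed for user) (.*) - (.*)$"),
    re.compile(r"(Illegal user) (.*) from (.*)$"),
]
APACHE_PATTERN = re.compile(r'(.*) - - \[(.*)\] "GET / HTTP/1.0" 400 226 "-" "-"$')


def extract_host(line):
    """Return the host field of a matching log line, or None if no pattern applies."""
    for pattern in SSHD_PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group(3)
    m = APACHE_PATTERN.search(line)
    if m:
        return m.group(1)
    return None


def valid_ip(host):
    """Accept only a literal IPv4/IPv6 address (added here, not in authfail):
    a log field that is not an address must never reach an iptables command."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def netfilter_rule(ip, policy="DROP"):
    """The iptables invocation authfail would run, returned as argv, not executed."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", policy]


class AuthFailCounter:
    """Per-host failure counter implementing the 'more than N failures' rule."""

    def __init__(self, max_failures, policy="DROP"):
        self.max_failures = max_failures
        self.policy = policy
        self.failures = defaultdict(int)   # stands in for /var/log/authfail
        self.blocked = {}                  # ip -> iptables argv issued for it

    def feed(self, line):
        """Count one log line; return the iptables argv if this line triggers a block."""
        host = extract_host(line)
        if host is None or not valid_ip(host) or host in self.blocked:
            return None
        self.failures[host] += 1
        if self.failures[host] > self.max_failures:
            rule = netfilter_rule(host, self.policy)
            self.blocked[host] = rule
            return rule
        return None


def run_from_fifo(path, counter):
    """Real deployment: block on a FIFO such as /dev/authfail and feed lines as syslog writes them."""
    with open(path) as fifo:
        for line in fifo:
            rule = counter.feed(line.rstrip("\n"))
            if rule:
                print(" ".join(rule))


# Constructed sample input: three sshd failures from one host, three bad apache
# requests from another, two failures from a third host, plus a line to ignore.
SAMPLE_LINES = [
    "Jan  5 10:00:01 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Jan  5 10:00:03 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Jan  5 10:00:04 bastion sshd[4131]: Illegal user guest from 198.51.100.7",
    "Jan  5 10:00:05 bastion sshd[4140]: Accepted password for alice from 198.51.100.20 port 50010 ssh2",
    "Jan  5 10:00:06 bastion sshd[4120]: Failed password for root from 203.0.113.5 port 40122 ssh2",
    '192.0.2.9 - - [05/Jan/2005:10:00:07 +0100] "GET / HTTP/1.0" 400 226 "-" "-"',
    '192.0.2.9 - - [05/Jan/2005:10:00:08 +0100] "GET / HTTP/1.0" 400 226 "-" "-"',
    "Jan  5 10:00:09 bastion sshd[4150]: authentication failed for user root - 198.51.100.7",
    '192.0.2.9 - - [05/Jan/2005:10:00:10 +0100] "GET / HTTP/1.0" 400 226 "-" "-"',
]


def run_lines(lines, max_failures=2):
    """Feed the lines through a fresh counter and return it for inspection."""
    counter = AuthFailCounter(max_failures)
    for line in lines:
        counter.feed(line)
    return counter


def blocked_hosts(lines, max_failures=2):
    """Hosts that crossed the threshold, in the order they were blocked."""
    counter = AuthFailCounter(max_failures)
    return [rule[4] for rule in (counter.feed(line) for line in lines) if rule]


if __name__ == "__main__":
    print(blocked_hosts(SAMPLE_LINES))
```

With a limit of 2 the third failure from 203.0.113.5 and the third 400 response to 192.0.2.9 each produce a rule, while 198.51.100.7 stays at two failures and is not blocked. In authfail itself the limit comes from /etc/authfail.conf and the rule is applied the moment the line arrives on the FIFO; run_from_fifo shows that loop but is not called on the constructed input.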
SSHD
If you want to make your sshd more secure, change your sshd_config file in these 6 steps.
1. Disable SSH protocol version 1 access by changing:
#Protocol 2,1
Protocol 2
2. Disable root login (DANGEROUS):
PermitRootLogin no
3. Limit the maximum number of authentication tries (should be one more than the authfail setting, so that authfail can catch and permanently block offenders):
MaxAuthTries 3
4. Only allow remote login from certain accounts, and deny all others:
AllowUsers user1 user2 user3
5. Disallow reading users' ~/.rhosts files:
IgnoreRhosts yes
6. Disallow empty passwords:
PermitEmptyPasswords no
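A checker for the six settings above, as an added Python example (it comes from neither authfail nor OpenSSH). It parses a constructed sshd_config the way sshd reads it (the first occurrence of a directive wins, lines starting with # are comments, Match blocks are not interpreted) and reports every directive that differs from the values in the six steps, including the step 3 rule that MaxAuthTries be exactly one more than the authfail limit. The function names, the authfail_limit parameter and the two sample configs are assumptions.

```python
import re

# Directive -> value required by steps 1, 2, 5 and 6 above.
REQUIRED = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "IgnoreRhosts": "yes",
    "PermitEmptyPasswords": "no",
}


def parse_sshd_config(text):
    """Map lowercased directive names to values. As in sshd, the first
    occurrence of a directive wins and '#' lines are comments; Match blocks
    are not interpreted, so only the global section is meaningful here."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Key value" and "Key=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text, authfail_limit):
    """Return one finding per directive that does not follow the six steps.
    authfail_limit (assumed name) is the number of failures authfail tolerates;
    step 3 wants MaxAuthTries to be exactly one more than that."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key.lower())
        if got is None:
            findings.append(f"{key} not set (compiled-in default applies); want {want}")
        elif got.lower() != want:
            findings.append(f"{key} is {got}; want {want}")
    want_tries = authfail_limit + 1
    tries = cfg.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) != want_tries:
        shown = tries if tries is not None else "not set"
        findings.append(f"MaxAuthTries is {shown}; want {want_tries} (authfail limit {authfail_limit} + 1)")
    if not cfg.get("allowusers"):
        findings.append("AllowUsers not set; every account may log in remotely")
    return findings


# Constructed sample: a stock-looking sshd_config before the six steps.
WEAK_CONFIG = """\
# constructed sample, not a real host's config
#Protocol 2,1
PermitRootLogin yes
#MaxAuthTries 6
IgnoreRhosts no
PermitEmptyPasswords yes
"""

# The same file after applying steps 1-6 with an authfail limit of 2.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
MaxAuthTries 3
AllowUsers user1 user2 user3
IgnoreRhosts yes
PermitEmptyPasswords no
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text, 2) or "OK")
```

The weak sample yields six findings (one per step) and the hardened one none; passing a different authfail limit shows why MaxAuthTries has to be kept in step with /etc/authfail.conf rather than left at the compiled-in default.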

If this program helped you, I would be happy if you made me a donation via PayPal: