--- /dev/null
+This directory contains platform-specific Bansshee support files for Red Hat
+Enterprise Linux 5.4.
+
+ - configuration file:
+ - etc/bansshee.conf
+ - logwatch filter files:
+ - etc/logwatch/conf/services/bansshee.conf
+ - etc/logwatch/conf/services/secure.conf
+ - etc/logwatch/scripts/services/bansshee
+ - startup script:
+ - etc/rc.d/init.d/bansshee
+
+
+INSTALLATION
+
+To use the configuration file, copy it into the /etc directory:
+
+ sudo cp etc/bansshee.conf /etc/bansshee.conf
+
+To use the filter files, copy them to the appropriate directories:
+
+ sudo cp etc/logwatch/conf/services/* \
+ /etc/logwatch/conf/services/
+ sudo cp etc/logwatch/scripts/services/bansshee \
+ /etc/logwatch/scripts/services/
+
+To use the startup script, copy it to the /etc/rc.d/init.d directory:
+
+ sudo cp etc/rc.d/init.d/bansshee /etc/rc.d/init.d/
+
+Specify that the basshee service should be started at boot time:
+
+ sudo chkconfig bansshee on
+
+Confirm that the service will be started at boot:
+
+ sudo chkconfig --list bansshee
+
+Start the bansshee service if not already started:
+
+ sudo service bansshee start
+
+AUTHOR
+
+These RHEL 5.4 support files were prepared by Wincent Colaiuta
+(win@wincent.com).
--- /dev/null
+# To override a given setting uncomment the corresponding line (remove the # symbol that begins the line) and alter the setting
+# See the README file for detailed information about each setting.
+
+#
+# General settings
+#
+
+#our $permitted_illegal_user = 5; # number of invalid user attempts permitted from a single IP address before it gets blocked
+#our $permitted_incorrect_pass = 5; # number of incorrect pass attempts permitted from a single IP address before it gets blocked
+#our $unban_wait = 3600; # minimum number of seconds an IP must wait before it gets removed from the blocklist (1 hour)
+#our $grace_period = 3600; # number of seconds that must pass before prior invalid/incorrect attempt counts are reset (1 hour)
+#our $unblocking_interval = 300; # number of seconds between checks of the blocklist for removing old IPs (5 minutes)
+
+#
+# Platform specific settings: based on Red Hat Enterprise Linux 5.3
+#
+
+#our $logpath = '/var/log/secure'; # logfile to watch
+our $illegal_user_regex = 'sshd\[\d+\]: Failed password for invalid user (\S+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port \d+ ssh';
+our $incorrect_pass_regex = 'sshd\[\d+\]: Failed password for (\S+) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port \d+ ssh';
+#our $iptables = '/sbin/iptables'; # for manipulating the firewall
+#our $iptables_create = '-N BANSSHEE'; # iptables parameters for creating the BANSSHEE chain
+our $iptables_add = '-I INPUT -p tcp --dport ssh -j BANSSHEE'; # iptables parameters for adding the JUMP rule
+#our $iptables_remove = '-D INPUT -p tcp --dport ssh -j BANSSHEE'; # iptables parameters for removing the JUMP rule
+#our $iptables_flush = '-F BANSSHEE'; # iptables parameters for flushing the BANSSHEE chain
+#our $iptables_delete = '-X BANSSHEE'; # iptables parameters for deleting the BANSSHEE chain
+#our $id = '/usr/bin/id -u'; # for determing if running as root
+#our $log_facility :shared = 'authpriv'; # Bansshee messages logged to /var/log/secure
+
+1; # required end marker: do not delete this line
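Review bot: The match patterns on `$illegal_user_regex` and `$incorrect_pass_regex` are unanchored and take the address to block from the first `from <ip> port <n> ssh` fragment after the username, but the username in the invalid-user line is supplied by the client. If sshd on this platform logs that name verbatim (not confirmable from these files), an attempt with a name like `x from 10.0.0.1 port 1 ssh2` yields a record whose first such fragment is attacker-chosen, and — presuming the daemon hands the captured group to `$iptables` — an attacker can get an address of their choosing blocked. Anchoring each pattern to the end of the record makes the capture the trailer sshd itself appends, e.g. `our $illegal_user_regex = 'sshd\[\d+\]: Failed password for invalid user (.+?) from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port \d+ ssh2?$';`, keeping `(\S+)` on the incorrect-password line but adding the same `ssh2?$` tail so it cannot also swallow invalid-user records. Both values are single-quoted, so the `$` is literal for Perl and reaches the regex engine; this assumes the daemon matches these strings per log line, which only its source would confirm. The `Platform specific settings` comment says RHEL 5.3 while the README in this change says 5.4.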
--- /dev/null
+Title = "Bansshee (secure-log)"
+
+# Logfile group
+LogFile = secure
+
+# only give lines pertaining to the bansshee service
+*OnlyService = bansshee
+*RemoveHeaders
--- /dev/null
+# Use this to ignore certain services in the secure log.
+# You can ignore as many services as you would like.
+# (we ignore sshd because its entries are processed by the sshd script)
+$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd bansshee
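Review bot: The comment above `$ignore_services` explains why `sshd` is on the list but not why `bansshee` — the entry this change adds — is, so a later admin pruning the list has no reason to keep it; suggest `# (sshd and bansshee are ignored here because their entries are reported by the sshd and bansshee scripts respectively)`. Note also that this is a complete replacement of `$ignore_services`, so installing the file over an existing `/etc/logwatch/conf/services/secure.conf` silently drops any services a site had already added there.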
--- /dev/null
+#!/usr/bin/perl
+
+use Socket;
+
+#
+# Storage
+#
+
+my %addresses;
+
+#
+# Functions
+#
+
+sub LookupIP($)
+{
+ my $ip = shift;
+ $name = $addresses{$ip};
+ return "$name [$ip]" if defined $name;
+ ($a1, $a2, $a3, $a4) = split /\./, $ip;
+ $name = gethostbyaddr(inet_aton($ip), AF_INET);
+ if ($name)
+ {
+ $addresses{$ip} = $name;
+ return "$name [$ip]";
+ }
+ else
+ {
+ return $ip;
+ }
+}
+
+sub SortIPAddresses
+{
+ ($a1, $a2, $a3, $a4) = split /\./, $a;
+ ($b1, $b2, $b3, $b4) = split /\./, $b;
+ ($a1 <=> $b1) || ($a2 <=> $b2) || ($a3 <=> $b3) || ($a4 <=> $b4);
+}
+
+#
+# Main
+#
+
+$detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+while (defined($line = <STDIN>))
+{
+ chomp($line);
+
+ if ($line =~ /Performing periodic check of blocked IPs list\./)
+ {
+ $periodicChecks++;
+ }
+ elsif ($line =~ /Bansshee startup\./)
+ {
+ $startups++;
+ }
+ elsif ($line =~ /Failed password attempt for user/)
+ {
+ $failedPasswords++;
+ }
+ elsif ($line =~ /Attempted connection with illegal user/)
+ {
+ $illegalUsers++;
+ }
+ elsif ($line =~ /Adding IP (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to blocklist\./)
+ {
+ $additions{$1} += 1;
+ }
+ elsif ($line =~ /Removing IP (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) from blocklist\./)
+ {
+ $removals{$1} += 1;
+ }
+ elsif (($line =~ /Reading config file/) ||
+ ($line =~ /Daemonizing\./) ||
+ ($line =~ /Creating new BANSSHEE iptables chain\./) ||
+ ($line =~ /Adding JUMP rule \(redirects all SSH traffic to BANSSHEE chain\)\./) ||
+ ($line =~ /Tailing log:/) ||
+ ($line =~ /Removing JUMP rule from INPUT chain\./) ||
+ ($line =~ /Flushing BANSSHEE iptables chain\./) ||
+ ($line =~ /Deleting BANSSHEE iptables chain\./))
+ {
+ # ignore
+ }
+ else
+ {
+ push @unmatchedEntries, "$line\n";
+ }
+}
+
+if (($startups > 0) && ($detail >= 5))
+{
+ print "\nStart-ups: $startups time(s).\n";
+}
+
+if (($periodicChecks > 0) && ($detail >= 10))
+{
+ print "\nPeriodic checks: $periodicChecks time(s).\n";
+}
+
+if ($failedPasswords > 0)
+{
+ print "\nFailed password attempts: $failedPasswords time(s).\n";
+}
+
+if ($illegalUsers > 0)
+{
+ print "\nIllegal user attempts: $illegalUsers time(s).\n";
+}
+
+if (keys %additions)
+{
+ print "\nIPs added to blocklist:\n";
+ foreach $ip (sort { SortIPAddresses } keys %additions)
+ {
+ $host = LookupIP($ip);
+ print " $host : $additions{$ip} time(s).\n";
+ }
+}
+
+if (keys %removalss)
+{
+ print "\nIPs removed from blocklist:\n";
+ foreach $ip (sort { SortIPAddresses } keys %additions)
+ {
+ $host = LookupIP($ip);
+ print " $host : $additions{$ip} time(s).\n";
+ }
+}
+
+if ($#unmatchedEntries > 0)
+{
+ print "\n**Unmatched Entries**\n";
+ print @unmatchedEntries;
+}
+
+exit(0);
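Review bot: The removals report guarded by `if (keys %removalss)` can never print: the hash is misspelled (the parser populates `%removals` on the `Removing IP` branch), and even if the guard held, the loop below iterates and prints `%additions`, so unbanned addresses would be listed with their addition counts. The unmatched-entry check `if ($#unmatchedEntries > 0)` is off by one — a single unexpected log line is silently dropped, which is precisely the case an operator wants surfaced — whereas `if (@unmatchedEntries)` reports any. `LookupIP` also interpolates the reverse-DNS name of an attacker-controlled address into the report unfiltered; a hostile PTR record can carry arbitrary bytes, so stripping non-printable characters from `$name` before it is printed is prudent (how much that matters depends on how logwatch delivers the report, which these files do not show). The script has no `use strict; use warnings;`, which would have flagged the `%removalss` typo at compile time.
```perl
# … unchanged: parsing loop and additions report …
if (keys %removals)
{
    print "\nIPs removed from blocklist:\n";
    foreach $ip (sort { SortIPAddresses } keys %removals)
    {
        $host = LookupIP($ip);
        print " $host : $removals{$ip} time(s).\n";
    }
}

if (@unmatchedEntries)
{
    print "\n**Unmatched Entries**\n";
    print @unmatchedEntries;
}
```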
--- /dev/null
+#! /bin/bash
+#
+# banshee This script starts and stops the bansshee anti-SSH-dictionary-attack daemon
+#
+# chkconfig: - 50 50
+# description: bansshee monitors log files to detect SSH dictionary attacks and uses the iptables firewall to block attackers.
+
+# Source function library.
+. /etc/init.d/functions
+
+RETVAL=0
+
+start()
+{
+ echo -n $"Starting banshee: "
+ daemon /usr/local/sbin/bansshee
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && /bin/touch /var/lock/subsys/bansshee
+ return $RETVAL
+}
+
+stop()
+{
+ echo -n $"Stopping banshee: "
+ killproc bansshee
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && /bin/rm -f /var/lock/subsys/bansshee
+ return $RETVAL
+}
+
+restart()
+{
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ restart
+ ;;
+ reload)
+ restart
+ ;;
+ status)
+ status bansshee
+ ;;
+ condrestart)
+ [ -f /var/lock/subsys/bansshee ] && restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
+ exit 1
+esac
+
+exit $?
+
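Review bot: The `condrestart` branch exits non-zero when the service is simply not running — `[ -f /var/lock/subsys/bansshee ] && restart` leaves `$?` at 1 when the lock file is absent, and that is what the trailing `exit $?` returns, so package scriptlets that call condrestart will treat "not running" as a failure; the usual form is `[ -f /var/lock/subsys/bansshee ] && restart || :`. `killproc bansshee` on the stop path identifies the daemon purely by process name with no pid file, so any process called bansshee (including one started by hand outside the init system) is signalled; if the daemon writes a pid file, pass it with `killproc -p <pidfile> bansshee` and use the same file in `status`. The user-facing strings `Starting banshee:` and `Stopping banshee:` and the header comment misspell the service name as `banshee`, which hampers grep-based review of boot logs.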