Bounce-O-Matic is a script that periodically scans system log files to identify unauthorized login attempts. It runs from cron and triggers alerts for any threats it detects.
The software was developed with the idea of providing immediate results using a basic setup of iptables, ssh, and Snort. This way, attackus-interruptus can be achieved as soon as possible, and the fancy rule development and firewall tweaking can be done at your leisure, or not at all if the script fits the bill.
At the moment, the script only checks two log files, though it could check more. It handles cases such as invalid user logins, failed user logins, root user logins, mysql root user logins, portscans (log only), and admin, administrator, and root logins over ssh and ftp.
Bounce-O-Matic is written in bash and is not as elegant as it potentially could be. It only handles login attempts and is not a great example of superstar coding but gets the job done. Once installed, the script needs very little attention, allowing users to go about their business and stop worrying about attackers.
The software uses commonly available system utilities such as awk, grep, sort, uniq, date, and cat, and makes use of iptables, sshd, and Snort. Iptables needs to be running to drop anything, and sshd needs to be running so that AUTH messages are logged to syslog by default. Even if users do not use Snort, they can still catch the invalid, failed, and root user logon attempts that happen over ssh. Users running Snort version 2.3.3 can direct logging to the system log facility by enabling the output directive "output alert_syslog: LOG_AUTH LOG_ALERT" in the Snort config file.
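As an added illustration of the grep/awk/sort/uniq approach described above (this is example code, not Bounce-O-Matic's own script), the function below counts invalid-user, failed-password, and root-login attempts per source IP from constructed sshd syslog lines, skips an allowlist of trusted hosts so an admin cannot lock themselves out, and prints the iptables command it would run instead of executing it. The log lines, host names, IPs, and function names are all assumptions.

```shell
#!/bin/sh
# Constructed sshd auth log lines in standard syslog format (IPs are documentation ranges).
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2101]: Invalid user admin from 198.51.100.23 port 51522
Mar  3 10:01:14 host sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Mar  3 10:01:20 host sshd[2104]: Failed password for root from 198.51.100.23 port 51530 ssh2
Mar  3 10:02:01 host sshd[2110]: Failed password for alice from 203.0.113.7 port 40010 ssh2
Mar  3 10:02:09 host sshd[2115]: Accepted publickey for alice from 203.0.113.7 port 40011 ssh2
Mar  3 10:03:33 host sshd[2120]: Failed password for root from 192.0.2.5 port 22222 ssh2
Mar  3 10:03:34 host sshd[2120]: Failed password for root from 192.0.2.5 port 22222 ssh2'

# offenders LOG THRESHOLD [ALLOWLIST]
# Prints "count ip" for every source IP whose invalid-user / failed-password /
# root-login attempts reach THRESHOLD, except IPs in the space-separated ALLOWLIST.
# Same pipeline shape the text describes: grep | awk | sort | uniq -c | awk.
offenders() {
    printf '%s\n' "$1" |
    grep -E 'sshd\[[0-9]+\]: (Invalid user|Failed password for)' |
    # Take the token after the first "from": the client address.
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' |
    sort | uniq -c |
    awk -v t="$2" -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 >= t && !($2 in ok) { print $1, $2 }'
}

# block_cmd IP: the iptables rule that would drop the source. Printed as a dry run;
# a cron-driven script would run it as root, ideally after "iptables -C" to avoid duplicates.
block_cmd() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Example run: two or more attempts, with 203.0.113.7 as the trusted admin host.
offenders "$SAMPLE_LOG" 2 "203.0.113.7" | while read -r count ip; do
    echo "# $count attempts from $ip"
    block_cmd "$ip"
done
```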
This release adds bounce protection for ftp admin and root login attempts. Bounce-O-Matic aims to be a fire-and-forget solution and a solid first line of defense for users with busy schedules.
Version 0.9: N/A