The light service to manage suspicious hosts. This repository contains:
- hosts-monitor-service : the main service, run every hour, to ban the suspects.
- hosts-monitor : user command to do the following actions:
  - log : list logs in hosts-monitor.report
  - show : show ips' status
  - ban : ban/unban specific ips manually (root only)
  - service : stop/start/restart the hosts-monitor-service service (root only)
  - rule : set allow/deny rules for hosts-monitor-service
  - stat : statistics of an ip: (1) login times (2) login usernames (3) current status in the report
- config : the configure file, including the report path and the allow/deny rules; split into 3 parts:
      [env]   # some environment variables to define
              # default:
              # REPORT_LOC=/opt/hosts-monitor
              # REPORT_NEW=/etc/ssh/sshd_banner
              # DEBUG_MODE=0
              # PASSWD_RETRY=2
      [allow] # login patterns that are always ignored when banning
      [deny]  # login patterns whose connections are denied
  Edit this file if you need.
- INSTALL :
  - Default installation directory:
    INSTALL_DIR=/opt/hosts-monitor
  - Default service path:
    SERVICE=/etc/cron.hourly/hosts-monitor-service
  - Install with the defaults:
    $ sudo ./INSTALL
    or change the installation path:
    $ INSTALL_DIR=/opt/HM SERVICE=/etc/cron.daily ./INSTALL
  - Uninstall:
    $ cd $INSTALL_DIR
    $ ./uninstall
    Backup reports ? [Y/n] n
    rm: remove 1 argument recursively? y
    Uninstall completely.
- list/search log
$ hosts-monitor log # show today's log
$ hosts-monitor log \(root\|admin\) # show log which contains `root` or `admin`
$ hosts-monitor log --status ban # show the ban list
$ hosts-monitor log --help
- show ip status
$ hosts-monitor show 114.89.62.1 # show 114.89.62.1 status
$ hosts-monitor show --help
- ban/unban ip [root only]
$ sudo hosts-monitor ban 1.1.1.1 # add 1.1.1.1 into /etc/hosts.deny
$ sudo hosts-monitor ban 1.1.1.1 2.2.2.2 # allow multiple ips
$ sudo hosts-monitor ban -m 'BruteForce' 1.1.1.1 2.2.2.2 # add a description (no spaces) for the ips
$ sudo hosts-monitor unban 2.2.2.2 # remove 2.2.2.2 from /etc/hosts.deny
$ hosts-monitor ban --help
- control hosts-monitor-service [root only]
$ sudo hosts-monitor-service stop # disable hosts-monitor-service
$ sudo hosts-monitor-service restart # enable hosts-monitor-service and run it
$ hosts-monitor-service --help
- add allow/deny rules for hosts-monitor-service [root only]
$ sudo hosts-monitor rule --set-deny test user # login with `test` or `user` will be rejected
$ sudo hosts-monitor rule --remove root # cancel this rule
$ sudo hosts-monitor rule --show # show all rules
$ hosts-monitor rule --help
Type `hosts-monitor help` for more description.
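The hourly ban decision described above (the `PASSWD_RETRY` threshold from `[env]`, the `[allow]`/`[deny]` rules, and the exclusion of `refused connect from` lines from /var/log/auth.log), as an added illustrative shell example; it is not the project's own code. The rule values, the way the rules are matched, and the sample auth.log lines are all constructed assumptions for the demonstration:

```shell
#!/bin/sh
# Added example, not hosts-monitor's own implementation: one pass of the hourly scan.
# Assumed config values, mirroring the [env] defaults documented in the README:
PASSWD_RETRY=2                 # failed passwords per ip before it is banned
ALLOW_PATTERN='^10\.0\.0\.'    # assumed [allow] rule: never ban the LAN range
DENY_USERS='test|user'         # assumed [deny] rule: these usernames are banned at once

# Constructed sample of /var/log/auth.log lines (not real data).
SAMPLE_LOG='Mar  3 01:02:03 host sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar  3 01:02:05 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Mar  3 01:02:07 host sshd[102]: Failed password for invalid user test from 198.51.100.9 port 4002 ssh2
Mar  3 01:02:09 host sshd[103]: Failed password for root from 10.0.0.7 port 4003 ssh2
Mar  3 01:02:10 host sshd[104]: Failed password for root from 10.0.0.7 port 4004 ssh2
Mar  3 01:02:11 host sshd[105]: refused connect from 192.0.2.44 (192.0.2.44)
Mar  3 01:02:12 host sshd[106]: Failed password for alice from 192.0.2.20 port 4005 ssh2'

# scan_auth_log: reads auth.log lines on stdin and prints "ip<TAB>reason" for each ip to ban.
# Order of rules: skip "refused connect from" (tcp_wrappers already denied it), skip ips
# matching the [allow] pattern, ban immediately on a [deny] username, otherwise ban once
# the ip has PASSWD_RETRY failed passwords. Patterns are passed through the environment
# so awk does not reinterpret backslashes the way it would for -v assignments.
scan_auth_log() {
    PASSWD_RETRY="$PASSWD_RETRY" ALLOW_PATTERN="$ALLOW_PATTERN" DENY_USERS="$DENY_USERS" awk '
        BEGIN {
            retry = ENVIRON["PASSWD_RETRY"] + 0
            allow = ENVIRON["ALLOW_PATTERN"]
            deny  = "^(" ENVIRON["DENY_USERS"] ")$"
        }
        /refused connect from/ { next }
        /Failed password for/ {
            # "Failed password for [invalid user] NAME from IP port ..."
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1) }
                if ($i == "from") { ip = $(i+1) }
            }
            if (ip == "" || ip ~ allow) next
            if (user ~ deny) { reason[ip] = "DenyUser-" user; next }
            if (++fails[ip] >= retry && !(ip in reason)) reason[ip] = "BruteForce"
        }
        END { for (ip in reason) print ip "\t" reason[ip] }
    ' | sort
}

# Usage: run the scan over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | scan_auth_log
```

With the sample above only 203.0.113.5 (two failed passwords) and 198.51.100.9 (denied username `test`) are reported; the LAN host, the already-refused connection and the single failure from 192.0.2.20 are left alone.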
Feel free to raise an issue if you find bugs or have any problems when using this tool. 😄
- (profile) text color only works when $TERM=xterm
- (hosts-monitor-service) remove $refused_ip to avoid the too-long argument list in awk
- (stat) summarize an ip: (1) login times (2) login usernames (3) current status in the report
- (show) --oneline : show ip status in one line
- (show) --status : show the ban list (like `$ fail2ban-client status sshd` + tree)
- (log) --tmp : print the short report
- (log) --time <time1>,<time2> : search a time range
- (ban) check fail2ban and unban
- (ban -m) enable adding a comment sentence
- (rule --check) check the pattern status against the current rules
- (service) use journalctl to catch the log
- (service) add argument: BruteForce-Trying times
- (INSTALL,uninstall,profile,config) change report path, change install-directory path, add DEBUG mode
- (ban) ban comment prompt ; unban bugs
- (hosts.deny) the comment prompt `#' caused the warning "/etc/hosts.deny, line 1577: bad option name: ...." because of the symbol `:' in the comment message
- (service) ban ips, excluding `refused connect from ...' in /var/log/auth.log
- (log) fix the -S problem
- (show) comments in similar cases disappear
- Merge hosts-monitor & hosts-monitor-service (saved in /opt/hosts-monitor)
- Ban-Rule add: username
- Always-Allow: ip @ /etc/hosts.allow
- show the /etc/hosts.deny status
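The "bad option name" warning noted in the (hosts.deny) item above comes from how tcp_wrappers reads the file: hosts_access(5) splits each line on `:` and treats `#` as a comment only at the start of a line, so a trailing `# BruteForce: ...` after the client list becomes an extra field that hosts_options(5) tries to parse as an option. The following added shell example (not the project's code; daemon name, ip and comment are constructed) writes the comment on its own line and strips colons from it, and includes a small lint that flags existing hosts.deny lines that would trigger the warning:

```shell
#!/bin/sh
# Added example, not hosts-monitor's own code: safe /etc/hosts.deny entries and a lint.

# deny_entry DAEMON IP [COMMENT]: print a two-line entry with the comment on its own
# line, which is the only place hosts_access(5) recognises a comment. Colons and
# newlines are removed from the comment so it can never be read as a third field.
deny_entry() {
    daemon=$1; ip=$2; comment=$3
    if [ -n "$comment" ]; then
        comment=$(printf '%s' "$comment" | tr -d ':\n' | tr -s ' ')
        printf '# %s\n' "$comment"
    fi
    printf '%s: %s\n' "$daemon" "$ip"
}

# lint_hosts_deny: read a hosts.deny on stdin; print "LINE: bad option name: FIELD" for
# every third-or-later field whose first word is not a hosts_options(5) keyword, and
# exit 1 when any such line exists (0 otherwise). Comment and blank lines are skipped.
lint_hosts_deny() {
    awk -F':' '
        BEGIN {
            n = split("allow deny spawn twist keepalive linger rfc931 banners nice setenv umask user severity", o, " ")
            for (i = 1; i <= n; i++) known[o[i]] = 1
            bad = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF > 2 {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/^[ \t]+/, "", f); split(f, w, "[ \t]+")
                if (!(w[1] in known)) { print NR ": bad option name: " f; bad = 1 }
            }
        }
        END { exit bad }
    '
}

# Usage: a constructed entry, then a lint of the problematic single-line form.
deny_entry sshd 203.0.113.5 'BruteForce: 3 tries'
printf 'sshd: 203.0.113.5 # BruteForce: 3 tries\n' | lint_hosts_deny || echo "lint: trailing comment rejected as expected"
```

The lint is only a check of the field layout; it does not validate the client list, so run it alongside, not instead of, `tcpdchk` where that tool is available.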