{"id":22045243,"url":"https://github.com/nigelhorne/sniff2ban","last_synced_at":"2025-05-08T07:50:43.373Z","repository":{"id":21574542,"uuid":"24894433","full_name":"nigelhorne/sniff2ban","owner":"nigelhorne","description":"Dynamically change firewall","archived":false,"fork":false,"pushed_at":"2025-05-06T14:16:16.000Z","size":557,"stargazers_count":4,"open_issues_count":0,"forks_count":9,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-05-06T15:37:53.314Z","etag":null,"topics":["ban-hosts","firewall","security"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nigelhorne.png","metadata":{"files":{"readme":"README","changelog":"ChangeLog","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2014-10-07T14:37:40.000Z","updated_at":"2025-05-06T14:16:21.000Z","dependencies_parsed_at":"2023-12-18T17:56:53.847Z","dependency_job_id":"fe49152e-8704-4833-9b45-0f5a6f5f1d7a","html_url":"https://github.com/nigelhorne/sniff2ban","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nigelhorne%2Fsniff2ban","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nigelhorne%2Fsniff2ban/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nigelhorne%2Fsniff2ban/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nigelhorne%2Fsniff2ban/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nigelhorne","
download_url":"https://codeload.github.com/nigelhorne/sniff2ban/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253025335,"owners_count":21842409,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ban-hosts","firewall","security"],"created_at":"2024-11-30T13:12:21.868Z","updated_at":"2025-05-08T07:50:43.345Z","avatar_url":"https://github.com/nigelhorne.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"Sniff2ban scans traffic through a given interface for nasties by performing\nreal-time scanning of your network.\n\nSites can be whitelisted.\n\nUsage:\n\tsniff2ban [-d] [-k] [-s] [-t seconds] [-v] [-S program1] [-S program2...] [-w IPv4address1[/mask]] [-w IPv4address2[/mask]...] [-p pidfile] [-V] [-W] [ socket ] [ interface ]\n\n-d:\tBlock (iptables DROP) sites sending us malware\n-k:\tKill the program sending/receiving the malware (needs a netstat which supports -W)\n-m:\tWhen --enable-dovecot-scanning or --enable-ssh-scanning is given, this\n\t\tis the maximum number of incorrect password attempts. The\n\t\tdefault is 3.\n-p:\tWrite a pidfile for monit(1) or puppet(1)\n-S:\tDon't kill this program\n-s:\tDon't drop ourselves (i.e. whitelist \"interface\")\n-t:\tConsider a connection to be closed after this number of seconds of\n\t\tinactivity have elapsed (default 60).  
If you see a lot of\n\t\t'already exists' errors on the console you may like to consider\n\t\treducing this value, though don't reduce it too much or else\n\t\tyou could risk false negatives\n-T:\tTemporary directory\n-v:\tVerbose; -vv for more verbosity\n-V:\tPrint the version of sniff2ban\n-w:\tDon't block (whitelist) this IP address\n-W:\tDon't scan whitelisted IP addresses\nsocket:\t\tMeans to talk to clamd: /full/path/name OR hostname:port, if\n\t\t\tnot given it is determined from clamd.conf, if that file\n\t\t\texists\ninterface:\tInterface to listen to (e.g. eth0), if not given we try to\n\t\t\tguess\n\nIf \"socket\" and/or \"interface\" aren't given it will take a guess, but it may\nget them wrong so it's best to be explicit. LIBPCAP is needed to guess the\ninterface.\n\nYou are urged to keep this product up-to-date.  The best way is to check out the\nlatest version from the GIT repository about once a day:\n\tgit clone https://github.com/nigelhorne/sniff2ban.git\n\nOn systems other than Linux you must use libpcap.  On Linux its use is\nencouraged but not mandatory. To use LIBPCAP on Debian Linux you must first\ninstall the libpcap-dev package; on Fedora you must first install the\nlibpcap-devel package.\nIf you don't install it, you'll need to give the interface argument.\n\nOn Debian, netstat is provided by the net-tools package.\n\nTested on Linux2.6, FreeBSD7.0, Solaris10, OpenBSD4.2 and NetBSD4.0.\n\nOn Linux I have used both tinycc and gcc.\n\nTo build with tinycc:\n\tCFLAGS=\"-Wall -g -bt 20\" CPPFLAGS= CXXFLAGS= CC=tcc ./configure\n\tautomake --add-missing\n\tmake\n\tsudo make install\n\nOn Solaris10 I have used cc and gcc. 
You can get libpcap and lsof from\nhttp://www.sunfreeware.com/.\n\nWhitelisted IPs are tracked and reported.\n\nI put this into /etc/rc.local (212.159.0.0 is my ISP which houses secondary MXs\nso I don't want to blacklist it):\n\tsniff2ban -d -s -vv -w 212.159.0.0/19 -W /var/run/clamav/clamd.sock\u0026\n\nIf you're using TCP to connect to clamd you need to give a hostname:port pair,\ne.g. localhost:3310.\n\nWorks well with the Sanesecurity signatures to stop spammers, see\nhttp://www.sanesecurity.co.uk/. Very often, after a spam is sent a copy of the\nsame one is sent from the same client; sniff2ban will use your firewall to\nprevent that.\n\nSince the software plays around with system files you MUST run as root.\n\nTo enable HTTP scanning on Debian:\n\t./configure --enable-http-scanning=/etc/apache2/sites-enabled\n\nTo enable Dovecot scanning on Debian:\n\t./configure --enable-dovecot-scanning=/var/log/syslog\n\nThere is also an --enable-ssh-scanning option, however I suggest you do NOT\nenable it for now because the code hasn't been hardened or optimised.\n\t./configure --enable-ssh-scanning=/var/log/auth.log\n\nTo enable SMTP brute force detection (not currently implemented):\n\t./configure --enable-smtp-scannint=/var/log/mail.log\n\nIf you see lots of send errors, the chances are that clamd is timing out. In\nthis case, increase ReadTimeout and CommandReadTimeout in clamd.conf to\n86400 (1 day) and restart clamd and sniff2ban.\n\nIf you can't get configure \u0026\u0026 make to work because of an autoconf issue,\ntry the following commands before rerunning configure:\n\tautoscan\n\taclocal\n\tautoheader\n\tautoconf\n\tautomake\n\tln -s /usr/share/automake-1.16/compile .\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnigelhorne%2Fsniff2ban","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnigelhorne%2Fsniff2ban","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnigelhorne%2Fsniff2ban/lists"}