https://github.com/rodan/laboule
the iptables chain manager for impolite IPs
linux linux-application
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/rodan/laboule
- Owner: rodan
- Created: 2013-02-12T14:22:05.000Z (about 12 years ago)
- Default Branch: master
- Last Pushed: 2021-09-24T13:15:53.000Z (over 3 years ago)
- Last Synced: 2025-01-25T13:07:11.088Z (3 months ago)
- Topics: linux, linux-application
- Language: Shell
- Homepage:
- Size: 32.2 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README
README
* description
laboule - the iptables chain manager for impolite IPs
this daemonized bash script performs the following tasks:
- binds itself to a unix socket and listens for 'ban' and 'count' commands
- log parsers decide if an IP has performed an illegal operation
and send a row to that socket:
IP PROFILE COMMAND WHATEVER_EXTRA_INFO

IP can either be ipv4 or ipv6
PROFILE is a user-defined string (see /etc/laboule/laboule.conf)
COMMAND is one of 'count' or 'ban'
WHATEVER_EXTRA_INFO will be logged into /var/log/laboule/

for the count command:
if an IP is counted more than $PROFILE_ban_excuses times in an
interval of $PROFILE_ban_period seconds it will be banned for
N * $PROFILE_deny_buffer_period minutes, where N is how many times
this ban has happened in the past for this IP

for the ban command:
the IP is outright banned for
N * $PROFILE_deny_buffer_period minutes, where N is how many times
this ban has happened in the past for this IP

in the case of laboule-tarpit the use scenario is equivalent, however
the IP does not receive a DROP rule, but a REDIRECT to another port
where a tarpit/honeypot is listening.
ipv6 has not been thoroughly tested with laboule-tarpit.

synchronous syslog parsing is also available, see laboule_syslog_parser.sh
for an example

* dependencies
- iptables (with optional ipv6 support)
- a tmpfs in /dev/shm for quick activity searches
- daemontools (used by the sample init scripts and for logging) - optional
- daemontools-scripts (used by laboule --start) - optional
- logsentry (used by some of the sample log parsers) - optional
- conntrack-tools (used by one of the sample log parsers) - optional
- any firewall software can be used, provided that some glue logic is provided:
after firewall (re)start the following scripts are run:
/usr/bin/laboule --init
/usr/bin/laboule-tarpit --init
/usr/bin/laboule --init6
/usr/bin/laboule-tarpit --init6
(run only those that apply in your use case)
(these end up in /etc/shorewall*/start if shorewall is used)
and make sure you locate the proper parent chain (calling_chain) into which
laboule will inject its logic (example laboule*.confs work with shorewall)

Author: Petre Rodan <[email protected]>
Available from: https://github.com/rodan/laboule
License: BSD
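
The count and ban rule from the description, modelled for one profile as an added example (this is not laboule's own code). The function name, the leading EPOCH field that stands in for the time a row reaches the socket, and the choice that N includes the ban being issued are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not laboule's code: models the count/ban rule for one profile.
# Usage: laboule_decide PROFILE BAN_EXCUSES BAN_PERIOD_S DENY_BUFFER_MIN < rows
# Row format (constructed): EPOCH IP PROFILE COMMAND [EXTRA...]; EPOCH is an
# assumption standing in for the time the row reached the socket.
# Output: one "EPOCH IP BAN_MINUTES" line per ban decision.
laboule_decide() {
    awk -v profile="$1" -v excuses="$2" -v period="$3" -v deny="$4" '
    function ban(ip, t) {
        nban[ip]++            # assumption: N includes the ban being issued
        seen[ip] = ""         # start a fresh counting window after a ban
        printf "%s %s %d\n", t, ip, nban[ip] * deny
    }
    # Drop malformed rows: the IP field ends up in a firewall rule.
    NF < 4 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9A-Fa-f:.]+$/ { next }
    $3 != profile { next }
    $4 == "ban" { ban($2, $1); next }
    $4 == "count" {
        n = split(seen[$2], old, " "); keep = ""; c = 1
        for (i = 1; i <= n; i++)       # keep hits inside the sliding window
            if ($1 - old[i] < period) { keep = keep " " old[i]; c++ }
        seen[$2] = keep " " $1
        if (c > excuses) ban($2, $1)
    }'
}

# Constructed sample rows (documentation address ranges).
sample_rows() {
    cat <<'EOF'
1000 192.0.2.10 ssh count failed password
1005 192.0.2.10 http count other profile
1010 192.0.2.10 ssh count failed password
1020 192.0.2.10 ssh count failed password
1030 2001:db8::5 ssh ban manual
2000 192.0.2.10 ssh count failed password
2100 192.0.2.10 ssh count failed password
2110 192.0.2.10 ssh count failed password
2120 192.0.2.10 ssh count failed password
2130 bad;ip ssh ban injected
EOF
}

sample_rows | laboule_decide ssh 2 60 10
```

With 2 excuses, a 60 second period and a 10 minute deny buffer, the repeat offender's second ban lasts twice as long as the first, and the row with a malformed IP field never produces a decision.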