Information Gathering Network Security Password Attacks Web Application

Sentry – Bruteforce Attack Blocker

Sentry can detects and prevents bruteforce attacks against sshd using minimal system resources.

Synopsis:

Safe

  • To prevent inadvertant lockouts, Sentry manages a whitelist of IPs that have connected more than 3 times and succeeded at least once. Never again will that forgetful colleague behind the office NAT router get us locked out of our system. Nor the admin whose script just failed to login 12 times in 2 seconds.
  • Sentry includes support for adding IPs to a firewall. Support for IPFW, PF, ipchains is included. Firewall support is disabled by default. This is because firewall rules may terminate existing session(s) to the host (attn IPFW users). Get your IPs whitelisted (connect 3x or use –whitelist) before enabling the firewall option.

Simple

  • Sentry has an extremely simple database for tracking IPs. This makes it very easy for administrators to view and manipulate the database using shell commands and scripts. See the EXAMPLES section.
    Sentry is written in perl, which is installed everywhere you find sshd. It has no dependencies. Installation and deployment is extremely simple.

Flexible

  • Sentry supports blocking connection attempts using tcpwrappers and several popular firewalls. It is easy to extend sentry to support additional blocking lists.
  • Sentry was written to protect the SSH daemon but anticipates use with other daemons. SMTP support is planned. As this was written, the primary attack platform in use is bot nets comprised of exploited PCs on high-speed internet connections. These bots are used for carrying out SSH attacks as well as spam delivery. Blocking bots prevents multiple attack vectors.
  • The programming style of sentry makes it easy to insert code for additonal functionality.

Efficient

  • The primary goal of Sentry is to minimize the resources an attacker can steal, while consuming minimal resources itself. Most bruteforce blocking apps (denyhosts, fail2ban, sshdfilter) expect to run as a daemon, tailing a log file. That requires a language interpreter to always be running, consuming at least 10MB of RAM. A single hardware node with dozens of virtual servers will lose hundreds of megs to daemon protection.
  • Sentry uses resources only when connections are made. The worse case scenario is the first connection made by an IP, since it will invoke a perl interpreter. For most connections, Sentry will append a timestamp to a file, stat for the presense of another file and exit.
  • Once an IP is blacklisted for abuse, whether by tcpd or a firewall, the resources it can consume are practically zero.
  • Sentry is not particularly efficient for reporting. The “one file per IP” is superbly minimal for logging and blacklisting, but nearly any database would perform better for reporting. Expect to wait a few seconds for sentry –report.

 

Required Arguments:
IP -an IPv4 address. The IP should come from a reliable source that is difficult to spoof. Tcpwrappers is an excellent source. UDP connections are a poor source as they are easily spoofed. The log files of TCP daemons can be good source if they are parsed carefully to avoid log injection attacks.
All actions except report and help require an IP address. The IP address can be manually specified by an administrator, or preferably passed in by a TCP server such as tcpd (tcpwrappers), inetd, or tcpserver (daemontools).

 

Actions:

  • Blacklist – deny all future connections
  • Whitelist – whitelist all future connections, remove the IP from the blacklists, and make it immune to future connection tests.
  • Delist – remove an IP from the white and blacklists. This is useful for testing that sentry is working as expected.
  • Connect – register a connection by an IP. The connect method will log the attempt and the time. See CONNECT.
  • Update – check the most recent version of sentry against the installed version and update if a newer version is available.

Examples:

IP Report:

Home Gateway Report:

Web Server Report:

European DNS Report:

Installation of Sentry:

Run it:

Running sentry the first time will:

  • create the sentry database
  • install the perl script
  • prompt you to edit /etc/hosts.allow, inserting two lines that enable it.

To update Sentry:

 

Download Sentry via Github Repository: Download

I started blogging around 2011 at #Ubuntupirates, #ProjectX and #pir8geek, I’m currently working as Network/Linux SysAdmin.

I’m a Linux,opensource advocate and interested in network security and InfoSec.

Leave a Reply