As some of you may know, a long time ago I had a need to block persistent password attackers from various servers I managed (working for a relatively large domain hosting company at the time), and because iptables didn't exist and ipchains wasn't everywhere, I wondered what to do. I was learning Perl primarily through automating jobs at my job, and so I decided to write a little script that would 'watch' certain logfiles for attempts at gaining entry via repeated password or dictionary attacks. If the attack tried several attempts within a certain time-period, and from the same source IP, then flag it up, alert and then block using one of a few techniques. Not fool-proof, not perfect, but it did the job.
Perl had a handy module called File::Tail that does exactly the same (sort of) as doing a tail -f /var/log/blah in the Linux shell, so just run that in a script, watch for certain patterns and act accordingly. At the time the blocking action was either add an ipchains block rule, or add a route entry pushing the offender to the loopback interface. OK, so this wasn't going to stop them DoS'ing us, etc., but it kinda did the job, and at the time internet connections weren't huge; if I remember rightly we had a 4Mb line or something like that, and that was for a large domain hosting company, none of this 50Mb to the home, fibre or gigabit connections! So it did the job nicely.
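The detection logic described above (count failed logins per source IP inside a sliding time window, then alert and hand the IP to a blocking action), written as an added example in Python rather than the original Perl, and not code from BreakinGuard itself. The log lines are constructed sshd-style samples, the year supplied to the parser is an assumption (syslog timestamps carry none), and the `on_detect` hook is where an ipchains rule or route entry would be added.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd's "Failed password" format (not real log data).
SAMPLE_LOG = """\
May  5 10:00:01 host sshd[111]: Failed password for root from 203.0.113.7 port 4001 ssh2
May  5 10:00:05 host sshd[112]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
May  5 10:00:09 host sshd[113]: Failed password for root from 198.51.100.4 port 5000 ssh2
May  5 10:00:12 host sshd[114]: Failed password for root from 203.0.113.7 port 4003 ssh2
May  5 10:00:40 host sshd[115]: Failed password for test from 203.0.113.7 port 4004 ssh2
May  5 10:02:30 host sshd[116]: Failed password for root from 198.51.100.4 port 5001 ssh2
"""

EPOCH = datetime(1970, 1, 1)
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failure(line, year=2005):
    """Return (seconds, ip) for a failed-password line, or None for anything else."""
    m = FAILED.search(line)
    if not m:
        return None
    # Syslog lines have no year, so the caller supplies one (assumed here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return (ts - EPOCH).total_seconds(), m["ip"]

def watch(lines, threshold=4, window=60, on_detect=None):
    """Sliding-window counter per source IP. Fires on_detect(ip, when) the first
    time an IP reaches `threshold` failures within `window` seconds and returns
    the flagged IPs in detection order. `lines` can be a tail -f style iterator."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, ip = hit
        if ip in flagged:
            continue              # already blocked, nothing more to do
        q = recent[ip]
        q.append(when)
        while q and q[0] < when - window:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged.append(ip)
            if on_detect:
                on_detect(ip, when)
    return flagged

if __name__ == "__main__":
    watch(SAMPLE_LOG.splitlines(), on_detect=lambda ip, t: print(f"ALERT: block {ip}"))
```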
Well, I started to install it on more and more servers that I looked after, or helped to look after; people asked about the script and slowly I started to pass it around, just by email at first. So I then decided to package it up and distribute it. My first bit of 'freeware'/GPL software was born! The software existed quite some time before it, but the official publication date was 5/5/2005 as that was when the package was created; however, the release date that you'll see most other places was 27/7/2005 as that was the date that I released it on sourceforge.net.
The original code is still up there, but don't look! It's horrible Perl code, badly written, but it does the job!
Just looking on sourceforge.net at the site http://breakinguard.sourceforge.net/ you'll also see very poor HTML design (something I can still never shake off; my design eye is terrible!). The release up there now is dated 08/01/2008, version 0.11, and hasn't changed a great deal since the original to be honest: a few filters and a few nicer tweaks and that's about it! I believe it is still used in some places, but to be honest it's had its day.
Now, a lot of people would use simple iptables, as you can do the same natively such as:
    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Which does the same thing really, so I think my software is dead or dying! If you do still use it, do pop a comment on or a mention as I'd appreciate it. Unfortunately I doubt I'll be doing any further updates to it, but will keep it live just for historic reasons rather than anything else!