I’ve released a beta of Watcher v0.1. This script monitors a specified message log for connection activities, and if these activities exceed a configurable threshold, Watcher will add the source IP address(es) to iptables. This is great for SSH probes, DNS reflector DDoS, and more! Rule set matches are fully configurable and include an option to write custom regular expressions to assist in matching log entries the pattern language cannot. The default rule sets should work just fine, however.
Currently, Watcher only works with a fairly modern Linux distro. FreeBSD ipfw and OpenBSD pf support is forthcoming. There are some other requirements. Keep reading to find out what these requirements are, how to obtain this script, install it, and use it!
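To make the "count matches, then block" idea concrete, here is a small Python 3 example written for this post; it is not Watcher's own code and does not use its configuration format. It matches sshd "Failed password" lines from a /var/log/messages-style log, counts hits per source address inside a sliding time window, and builds the iptables command that would drop the offender. The regex, the sample log lines (constructed), the threshold and window values, and the whitelist are all assumptions for illustration; the rule is only executed when `execute=True`, so the module runs offline as written.

```python
"""Threshold-based log watcher (added example, not Watcher's code).

Counts failed SSH logins per source IP over a sliding window and emits an
iptables DROP rule once a configurable threshold is crossed.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in traditional syslog / /var/log/messages format.
# 203.0.113.7 fails three times in three seconds; 198.51.100.9 fails three
# times spread over ten and a half minutes; 198.51.100.4 logs in normally.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:15:02 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar  3 10:15:03 host sshd[2201]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar  3 10:15:04 host sshd[2205]: Accepted publickey for alice from 198.51.100.4 port 51000 ssh2
Mar  3 10:15:05 host sshd[2206]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:20:30 host sshd[2207]: Failed password for root from 198.51.100.9 port 33002 ssh2
Mar  3 10:25:40 host sshd[2208]: Failed password for root from 198.51.100.9 port 33003 ssh2
"""

# Assumed rule: anchor on the sshd program name so that an attacker cannot
# plant a matching string via some other daemon's log message, and capture
# the timestamp and the dotted-quad source address.
SSH_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def ban_command(ip):
    """Return the iptables command for one offender (assumed rule shape).

    -I inserts at the top of INPUT so the DROP wins over later ACCEPT rules.
    """
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class Watcher:
    def __init__(self, threshold=3, window_seconds=600, whitelist=(), execute=False):
        self.threshold = threshold
        self.window = window_seconds
        self.whitelist = set(whitelist)   # never ban these (e.g. your own admin host)
        self.execute = execute            # False: only record; True: run iptables
        self.hits = defaultdict(deque)    # ip -> timestamps of recent matches
        self.banned = []                  # in order of banning

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = SSH_FAILED.match(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.whitelist or ip in self.banned:
            return None
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for differences within a window but wraps at New Year.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        q = self.hits[ip]
        q.append(ts)
        # Evict hits older than the window so slow trickles are not banned.
        while (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.banned.append(ip)
            if self.execute:
                subprocess.run(ban_command(ip), check=True)
            return ip
        return None


def process_log(text, **kwargs):
    """Feed every line of `text` to a fresh Watcher; return banned IPs in order."""
    w = Watcher(**kwargs)
    return [ip for ip in (w.feed(line) for line in text.splitlines()) if ip]


if __name__ == "__main__":
    for ip in process_log(SAMPLE_LOG):
        print("would run:", " ".join(ban_command(ip)))
```

With the defaults (three failures within ten minutes) only 203.0.113.7 is banned; 198.51.100.9 stays under the threshold because its first failure has aged out of the window by the time the third arrives. Widening the window to 900 seconds catches it too, which is the trade-off a threshold and window pair always expresses: a short window misses slow scanners, a long one is more likely to ban a clumsy legitimate user, hence the whitelist.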
Requirements
Watcher has a few requirements. There aren’t many, but without them you won’t be able to use it (don’t worry, they’re really easy):
- Python
- setuptools: most distributions have a setuptools package
- libxml2: Python usually comes with this pre-built. If you don’t have it, you might need to obtain a Python distribution that does, or build it from scratch. FreeBSD may not include this by default, so you’ll need to install the /usr/ports/devel/py-lxml libxml2 bindings. For Gentoo, XML support should be built if you include the xml USE flag while building Python (the default).
- A reasonably sensible logging facility that writes its log files to /var/log/messages. Don’t use metalog; it doesn’t flush log entries quickly enough to intercept SSH probes as they occur. You’re better off using syslog-ng or equivalent.
Installation: setuptools
For the time being, I haven’t built Watcher with ez_setup, which allows users without setuptools to install packages made with this utility. So, there are a few different things you can do:
- Search your distribution for a setuptools package to install
- If using Gentoo, simply run: emerge setuptools
- If using FreeBSD (or similar), run: portinstall setuptools (if using portupgrade) or cd /usr/ports/devel/py-setuptools && make && make install clean (if using bare ports)
Installation: Watcher
If you have access to setuptools, installing watcher is a breeze. I haven’t submitted it to PyPI yet (it’s not that interesting a project), so you’ll need to do a few things manually. First, obtain the Python egg:
wget http://www.zancarius.com/download/watcher/Watcher-0.1-py2.5.egg
(Or obtain it manually from this URL.)
Next, run this as root:
easy_install -z Watcher-0.1-py2.5.egg
This should place the Watcher egg in the location /usr/lib/$python_version/site-packages/Watcher-0.1-py2.5.egg and it should also create a launch script under /usr/bin/watcher (most Linux distros) or /usr/local/bin/watcher (most BSD distros).
Running and Configuring
When you run Watcher for the first time, it’ll use an internal configuration file. This file makes some basic assumptions about where Watcher is located, what log it should monitor, and where it should store its own log. You’ll probably want to change some of these; to do so, simply run watcher (as root): watcher -i
The -i option tells Watcher to install its configuration and run. The configuration file Watcher installs is placed under /etc/watcher/watcher.xml; if you want to edit this file, simply kill watcher (ctrl+c), edit the configuration, and then launch Watcher again to ensure it’s reading the configuration file correctly.
Once Watcher has been configured and you’d like to run it in daemon mode so you don’t need to leave a terminal open, simply launch Watcher with: watcher -D or watcher --daemonize
There’s currently no --help or -h options. I’ll be adding these at a later date once I add a few more features and fix some small bugs.



2 Responses to “Watcher v0.1 Beta Released!”
This looks like a pretty cool project with a lot of use.
It’s rather unfortunate that people like you have to go to this extent in hopes of not gathering log files reaching a couple of gigs’ worth of SSH connection attempts, etc…
However, if I ever get to the point where I’m independently running http://www.pedmont.org I’ll definitely give this one a go.
Thanks.
There are at least a half dozen (or maybe a baker’s dozen? Hmm!) scripts that do the same thing; the difference is that most of them are implemented in some other language, like Perl. They also vary in flexibility. I’ve heard there are other Python implementations that do something similar and are quite good, but I wanted to write my own!
So far, it appears to work quite well, and the setuptools installer is really quite nice (but it’s a PAIN IN THE NECK–I’ll write a post on this later).