# xt_recent_parser
A tool for converting the jiffies-based timestamps that the iptables xt_recent module keeps in /proc/net/xt_recent/<name> into readable dates.
An example ruleset that populates such a table, allowing each source address at most 2 new (SYN) SSH connections in 20 seconds:
````
export IPT=iptables
export SSH_PORT=22
export HITCOUNT=3          # the 3rd NEW connection inside the window is rejected, i.e. 2 are allowed
export WINDOW_SECONDS=20   # window length; do not call this SECONDS, bash reserves that name and keeps counting it up after assignment
# --set:    record the source address (and the packet's TTL) in the list, creating the entry if needed
# --rcheck: check if the source address of the packet is currently in the list
# --update: like --rcheck, except it will update the "last seen" timestamp if it matches
# --rttl:   only match if the packet's TTL equals the TTL recorded by --set, which makes it harder to lock out a real address with spoofed-source SYNs
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name sshguys --rsource
# Log at most 1/minute (burst 5); the trailing space in the prefix keeps it separated from the "IN=" field
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW -m recent --rcheck --seconds $WINDOW_SECONDS --hitcount $HITCOUNT --rttl --name sshguys --rsource -m limit --limit 1/minute --limit-burst 5 -j LOG --log-prefix "BLOCKED SSH (brute force) " --log-level 4
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m recent --rcheck --seconds $WINDOW_SECONDS --hitcount $HITCOUNT --rttl --name sshguys --rsource -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m recent --update --seconds $WINDOW_SECONDS --hitcount $HITCOUNT --rttl --name sshguys --rsource -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
````
In syslog the blocked connections look like this (in this capture the `--log-prefix` string had no trailing space, so the prefix runs straight into the `IN=` field):
````
Mar 26 14:06:41 cloudone-cla kernel: [5339977.637052] BLOCKED SSH (brute force)IN=eth0 OUT= MAC=00:50:56:92:00:04:00:14:c2:61:09:be:08:00 SRC=95.142.177.153 DST=160.97.104.18 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42489 DF PROTO=TCP SPT=44636 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
````
The parser needs only Python 3. Run it as root (by default the tables under /proc/net/xt_recent are readable by root only) and it prints a readable view followed by a CSV view:
````
root@cloudone-cla:~/xt_recent_parser# python3 xt_recent_parser.py
XT_RECENT python parser
<giuseppe.demarco@unical.it>
Standard readable view:
190.102.72.44, last seen: 2017-03-26 13:31:55 after 1 connections
187.112.185.153, last seen: 2017-03-26 13:28:07 after 2 connections
95.142.177.153, last seen: 2017-03-26 13:27:31 after 12 connections
CSV view:
ip_src;last_seen;connections;deltas_mean;delta_seconds
190.102.72.44;2017-03-26 13:31:55.462201;1;0;
187.112.185.153;2017-03-26 13:28:07.168819;2;0.0;0
95.142.177.153;2017-03-26 13:27:31.976049;12;1.7272727272727273;1,1,1,1,1,1,2,3,3,1,4
````
The CSV view additionally gives, for every address, the mean time between attempts and the individual deltas in seconds between consecutive attempts.
Remember to set the path of the xt_recent table you want to read (there is one file per `--name`), either at the top of the script or when creating the object:
````
# near the top of xt_recent_parser.py
_fpath = '/proc/net/xt_recent/sshguys'
# or in object creation:
xt = XtRecentTable(fpath="/proc/net/xt_recent/sshguys")
````
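The page shows the tool's output but not the raw table it reads. As an added example (not the xt_recent_parser project's own code), the following parses the raw `/proc/net/xt_recent/<name>` line format, converts the jiffies stamps to wall-clock time, reproduces the CSV columns above, and applies the same `--seconds`/`--hitcount` arithmetic the ruleset above relies on, so you can see from the table alone whether a source would currently be rejected. Assumptions, all labelled in the code: the line layout `src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <n> <j1>, <j2>, ...` as printed by the kernel's xt_recent table dump; `HZ` is the kernel tick rate (`CONFIG_HZ`), which is not `os.sysconf("SC_CLK_TCK")`; `NOW_JIFFIES`, `NOW`, and the sample lines (RFC 5737 documentation addresses) are constructed values so the example runs offline.

```python
"""Parse /proc/net/xt_recent/<name> and convert its jiffies stamps to wall-clock time.

Added example, not the xt_recent_parser project's own code.  Assumptions:
  * line format as printed by the kernel's xt_recent table dump:
      src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <n> <j1>, <j2>, ...
  * HZ is the kernel tick rate (CONFIG_HZ, e.g. 250).  It is NOT
    os.sysconf("SC_CLK_TCK"), which is USER_HZ (100) and would skew every age.
  * now_jiffies is the kernel's current jiffies counter.  On a live host it can
    be read from the "jiffies:" line of /proc/timer_list (root only); here it
    is a constructed constant so the example runs offline.
"""
import re
import statistics
from datetime import datetime, timedelta
from typing import List, NamedTuple

LINE_RE = re.compile(
    r"^src=(?P<src>\S+)\s+ttl:\s*(?P<ttl>\d+)\s+last_seen:\s*(?P<last>\d+)"
    r"\s+oldest_pkt:\s*(?P<oldest>\d+)\s*(?P<stamps>[\d,\s]*)$"
)

# Constructed sample environment (not a real capture): HZ=250, a made-up
# current jiffies value, and the wall-clock instant it corresponds to.
HZ = 250
NOW_JIFFIES = 1_335_000_000
NOW = datetime(2017, 3, 26, 13, 32, 0)

# Constructed table lines (RFC 5737 addresses).  The first source made 12
# attempts spanning 19 seconds, the last one 11 s before NOW; the second made one.
SAMPLE_LINES = [
    "src=198.51.100.23 ttl: 50 last_seen: 1334997250 oldest_pkt: 12 "
    "1334992500, 1334992750, 1334993000, 1334993250, 1334993500, 1334993750, "
    "1334994000, 1334994500, 1334995250, 1334996000, 1334996250, 1334997250",
    "src=203.0.113.9 ttl: 64 last_seen: 1334999500 oldest_pkt: 1 1334999500",
]


class Entry(NamedTuple):
    src: str
    ttl: int
    last_seen: datetime
    raw_stamps: List[int]      # jiffies, sorted oldest -> newest
    stamps: List[datetime]     # the same stamps as wall-clock time
    deltas: List[int]          # whole seconds between consecutive attempts


def jiffies_to_datetime(stamp: int, now_jiffies: int, hz: int, now: datetime) -> datetime:
    """A stamp lies (now_jiffies - stamp) ticks in the past; each tick is 1/hz s."""
    return now - timedelta(seconds=(now_jiffies - stamp) / hz)


def parse_line(line: str, now_jiffies: int, hz: int, now: datetime) -> Entry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised xt_recent line: {line!r}")
    # The kernel prints the stamp ring in storage order; once more than
    # ip_pkt_list_tot packets have been seen it wraps and is no longer
    # chronological, so sort before taking differences.
    raw = sorted(int(s) for s in m.group("stamps").split(",") if s.strip())
    stamps = [jiffies_to_datetime(s, now_jiffies, hz, now) for s in raw]
    deltas = [round((b - a) / hz) for a, b in zip(raw, raw[1:])]
    return Entry(
        src=m.group("src"),
        ttl=int(m.group("ttl")),
        last_seen=jiffies_to_datetime(int(m.group("last")), now_jiffies, hz, now),
        raw_stamps=raw,
        stamps=stamps,
        deltas=deltas,
    )


def parse_table(lines, now_jiffies: int, hz: int, now: datetime) -> List[Entry]:
    return [parse_line(l, now_jiffies, hz, now) for l in lines if l.strip()]


def hits_in_window(entry: Entry, now_jiffies: int, hz: int, seconds: int) -> int:
    """Stamps no older than `seconds`: the count xt_recent compares against --hitcount."""
    return sum(1 for s in entry.raw_stamps if s + seconds * hz >= now_jiffies)


def would_be_rejected(entry: Entry, now_jiffies: int, hz: int, seconds: int, hitcount: int) -> bool:
    """True when an --rcheck --seconds S --hitcount H rule would match this source now."""
    return hits_in_window(entry, now_jiffies, hz, seconds) >= hitcount


def to_csv_row(entry: Entry) -> str:
    """Same column layout as the tool's CSV view: ip;last_seen;count;mean;deltas."""
    mean = statistics.mean(entry.deltas) if entry.deltas else 0
    return ";".join([
        entry.src,
        entry.last_seen.isoformat(sep=" "),
        str(len(entry.stamps)),
        str(mean),
        ",".join(str(d) for d in entry.deltas),
    ])


if __name__ == "__main__":
    for e in parse_table(SAMPLE_LINES, NOW_JIFFIES, HZ, NOW):
        verdict = "blocked" if would_be_rejected(e, NOW_JIFFIES, HZ, 20, 3) else "ok"
        print(to_csv_row(e), verdict)
```

Against a live host you would pass `open("/proc/net/xt_recent/sshguys")` as `lines`, `datetime.now()` as `now`, the kernel's `CONFIG_HZ` as `hz`, and the current jiffies value as `now_jiffies`, all read at the same moment so the ages line up. Two caveats a practitioner should keep in mind: using `CLK_TCK` (100) where the kernel runs at 250 or 1000 Hz silently scales every age, and on a 32-bit kernel `jiffies` is a 32-bit counter that wraps roughly every 49.7 days at HZ=1000, so differences there must be taken modulo 2**32.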
Hashes for iptables_xt_recent_parser-0.3.tar.gz

Algorithm | Hash digest
---|---
SHA256 | 567659553dcf7a1699fb85140cddf00e42eee704e9e5cfbaecaeecc63d83d416
MD5 | 7c9bdac52327afcea7b5c743bd76a145
BLAKE2b-256 | f76ffbe8d54c80df7ccfa4a4a918c6e60dcd0ae8c9145eecf5ef231af80c7e0f

Hashes for iptables_xt_recent_parser-0.3-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 6c2359e28c8d47a5318aca313114cb63405c043da2c1e9cf33cc755c0892a176
MD5 | 46f959c871006aa7cfd2fe5a97db4b95
BLAKE2b-256 | 1ef98e0e94990dd3375d7c04492ff4d5aff49907c0eb83f9bdf02f7b5fe153a0