Jeff Johnson edited this page May 22, 2019 · 7 revisions

Overview

IPBan is a simple yet powerful solution for Windows and Linux to prevent botnets and hackers from breaching your computers. Protecting your security is the primary goal, but there is also a performance benefit from blocking persistent botnets and attackers at the firewall: each failed login attempt consumes significant CPU and system resources, especially for remote desktop.

IPBan is able to protect remote desktop (RDP), SSH (OpenSSH on Windows), SMTP, databases like MySQL or SQL Server, and other protocols like VNC out of the box. Adding additional protection for other protocols is simple. By editing the configuration file, you can protect any system that writes to the event viewer (Windows) or a log file (Windows or Linux).

On Linux, IPBan scans /var/log/auth*.log by default to detect failed SSH logins. You can easily add custom log file paths if you have other types of logs that you want to scan.

Configuration

The IPBan config file uses XML. Regular expressions are used extensively. Please read up on regex at https://www.regular-expressions.info/tutorial.html if you are unfamiliar with them. A complete overview of the configuration file follows. This file is DigitalRuby.IPBan.dll.config.

Here are the possible sections that can be defined in the configuration:

  • LogFilesToParse. This section defines log files to scan periodically. This element must contain a single root element called LogFiles. Inside of the LogFiles element you can define 0 or more LogFile elements. The LogFile element is configured as follows:
    • Source - a short identifier for the protocol or system being checked for failed logins, e.g. RDP or SSH.
    • PathAndMask - add folder and file masks to scan, one entry per line, e.g. /var/log/auth*.log.
    • Recursive - whether the log file path and mask should scan down through all sub-folders. Can be true or false.
    • FailedLoginRegex - a regular expression to scan for failed login text. This regex must have an ipaddress group, and ideally a username group. Example: failed\s+password\s+for\s+(invalid\s+user\s+)?(?<username>.+?\s+)from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh.
    • SuccessfulLoginRegex - a regular expression to scan for successful logins. This regex must also have an ipaddress group, and ideally a username group. For IPBan Pro, this can be used to notify of successful logins, allowing you to take immediate action in the event you see something you don't recognize.
    • PlatformRegex - a regular expression to determine what platforms to run this log file on. For example, you don't want to try and scan /var/log on Windows. Valid values for this regex are 'Windows' or 'Linux'.
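As an added example (not IPBan's own code), the following JavaScript models what one LogFile entry does: it applies the page's FailedLoginRegex to constructed auth.log lines, honours PlatformRegex, and rejects a regex without the mandatory ipaddress group. JavaScript is used because its (?<name>...) group syntax is the same as the .NET syntax in the config; the SuccessfulLoginRegex, the sample lines and case-insensitive matching are assumptions.

```javascript
// Constructed LogFile entry using the element names from the config. FailedLoginRegex
// is the page's example; SuccessfulLoginRegex is an assumed pattern for OpenSSH
// "Accepted ..." lines (the page gives none).
const sshLogFile = {
  Source: "SSH",
  PathAndMask: "/var/log/auth*.log",
  Recursive: false,
  FailedLoginRegex: String.raw`failed\s+password\s+for\s+(invalid\s+user\s+)?(?<username>.+?\s+)from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh`,
  SuccessfulLoginRegex: String.raw`accepted\s+(password|publickey)\s+for\s+(?<username>.+?)\s+from\s+(?<ipaddress>.+?)\s+port\s+[0-9]+\s+ssh`,
  PlatformRegex: "Linux",
};

// Constructed OpenSSH auth.log lines: two failures from one address, one success, one unrelated line.
const sampleLines = [
  "Jan 12 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 52312 ssh2",
  "Jan 12 10:00:03 host sshd[1234]: Failed password for root from 203.0.113.45 port 52314 ssh2",
  "Jan 12 10:00:05 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2",
  "Jan 12 10:00:07 host sshd[1240]: Connection closed by 198.51.100.7 port 41000",
];

// Compile a config regex; refuse one without the mandatory ipaddress group.
// Case-insensitive matching is an assumption (the page does not state IPBan's regex options).
function compile(pattern) {
  if (!pattern.includes("(?<ipaddress>")) throw new Error("regex lacks an ipaddress group");
  return new RegExp(pattern, "i");
}

// Return login events {source, kind, ipaddress, username} for one LogFile entry,
// or [] when PlatformRegex does not match the platform this runs on.
function scanLog(logFile, lines, platform) {
  if (!new RegExp(logFile.PlatformRegex, "i").test(platform)) return [];
  const rules = [["failed", compile(logFile.FailedLoginRegex)],
                 ["success", compile(logFile.SuccessfulLoginRegex)]];
  const events = [];
  for (const line of lines) {
    for (const [kind, re] of rules) {
      const m = re.exec(line);
      if (!m) continue;
      events.push({
        source: logFile.Source,
        kind,
        ipaddress: m.groups.ipaddress.trim(),
        username: (m.groups.username ?? "").trim(), // the page's regex captures a trailing space
      });
      break; // a line yields at most one event
    }
  }
  return events;
}
```

Feeding the returned events into a per-address counter is what turns repeated "failed" events from one ipaddress into a ban decision.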