Better Living Through Thinking

rascals - stop brute force network attacks
Tue, 02 Jan 2007
*updated: Tue Jan 2 10:35:51 MST 2007*

Important update: rascals versions older than 1.10 (version 1.10 and newer are not affected) do not handle auth.log files that span a calendar year (i.e., go through December into January). This bug results in older attacks being revived as new attacks.
Beginning with version 1.10, rascals correctly handles this situation. Simply follow the installation instructions below. If you do not wish to upgrade rascals, you may alternatively rotate your auth.log file and remove /var/log/rascals.

rascals reads auth.log looking for ssh dictionary attackers ("rascals") and adds the offending host to a blacklist. This list may be used by the "tcp wrappers" subsystem (via /etc/hosts.allow) to block or tarpit attacking hosts.

rascals automatically removes older entries in the rascals blacklist each time it runs, based on the expiration date when the entries were added.

rascals can be used to scan for any type of service attack: ssh, pop3, ftp, etc.

rascals is designed to run with no maintenance: install and forget. rascals may be run from the command-line as root, or from a root crontab (see 'perldoc rascals' for details). Nearly all of the default behavior of rascals can be changed (see the OPTIONS section of 'perldoc rascals').

To make use of the rascals blacklist using tcp wrappers, add the following line to the top of your /etc/hosts.allow file:

    sshd : /var/log/rascals : deny

See the EXAMPLES section in 'perldoc rascals' for some other interesting /etc/hosts.allow options.

rascals manpage:

Current version: 1.10 (rev 1.12 2007/01/01 17:28:48)

Installation: To install, save the above link to your server, and 'chmod 0755 rascals'. If you're upgrading to a new version, remove the old rascals log file with 'rm /var/log/rascals'. Please also read the INSTALLATION section of the rascals man page.

Changelog:
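
Traditional syslog timestamps carry no year, which is what makes an auth.log that runs from December into January hard to date. The following Python code is an added example, not rascals' own Perl code: it dates failed ssh logins across such a file and shows how always assuming the current year keeps an expired attacker on the list. The log lines, the threshold of 3 failures, the 7-day expiry and every function name are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (documentation-range addresses). Syslog stamps carry no
# year; this file runs from December 2006 into January 2007.
SAMPLE_LOG = """\
Dec 30 23:58:01 host sshd[811]: Failed password for root from 192.0.2.10 port 4022 ssh2
Dec 30 23:58:03 host sshd[811]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Dec 30 23:58:05 host sshd[811]: Failed password for root from 192.0.2.10 port 4024 ssh2
Jan  2 09:15:40 host sshd[902]: Failed password for root from 198.51.100.7 port 5100 ssh2
Jan  2 09:15:42 host sshd[902]: Failed password for invalid user test from 198.51.100.7 port 5101 ssh2
Jan  2 09:15:44 host sshd[902]: Failed password for root from 198.51.100.7 port 5102 ssh2
"""

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (\S+) port")


def entry_time(stamp, now, rollover=True):
    """Attach a year to a year-less stamp; with rollover, a date after `now` is last year's."""
    for year in (now.year, now.year - 1):
        try:
            t = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        except ValueError:  # e.g. Feb 29 paired with a non-leap year
            continue
        if not rollover or t <= now + timedelta(days=1):  # one day of clock slack
            return t
    return None


def blacklist(log_text, now, threshold=3, expire=timedelta(days=7), rollover=True):
    """Hosts with at least `threshold` failures whose latest failure has not expired."""
    count, last = {}, {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        t = entry_time(m.group(1), now, rollover) if m else None
        if t is None:
            continue
        host = m.group(2)
        count[host] = count.get(host, 0) + 1
        last[host] = max(t, last.get(host, t))
    return sorted(h for h in count
                  if count[h] >= threshold and now - last[h] <= expire)


if __name__ == "__main__":
    now = datetime(2007, 1, 8, 10, 0, 0)
    print("year-aware:", blacklist(SAMPLE_LOG, now))
    print("year-naive:", blacklist(SAMPLE_LOG, now, rollover=False))
```

Run on 8 January 2007, the year-aware pass lists only the host seen on 2 January, while the year-naive pass dates the 30 December failures into the future and keeps that host listed as well.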