Phailomatic Intrusion Prevention System/Denial of Service Mitigation

phailomatic(1)

NAME
    phailomatic - PHP-based Intrusion Prevention System/Denial of Service
    Mitigation Service.

SYNOPSIS
    phailomatic [--help] [--cleanup]

DESCRIPTION
    phailomatic is a program that provides an intrusion prevention and
    denial of service mitigation service written in PHP. It can
    self-daemonize if the PHP used to run it has been compiled with POSIX
    and PCNTL. In the absence of PCNTL and POSIX, some other method of
    daemonization may be employed. Signals can be simulated by touching
    files in /var/run (see below).

    phailomatic scans log files looking for failed authentication
    messages. These failures are noted by phailomatic and when they cross
    a defined threshold, phailomatic issues firewall commands blocking the
    IP addresses involved from specific ports associated with those failed
    authentication messages. After a configurable period of time, these
    blocks are automatically expired.

    phailomatic is extensible in several ways. The commands that
    manipulate the firewall are configurable. PHP code containing the
    function phailtrigger($ip,$ports) can be included, and will be passed
    the IP address and ports that were blocked. Additionally, phailomatic
    can execute a configurable command that will be passed the IP address
    as the first argument, and a string of comma-delimited ports that were
    blocked as the second argument.

OPTIONS
    --help
        This option prints extremely terse help and refers you to this
        manpage for more information.

    --cleanup
        This option cleans up (reverses) all changes phailomatic made to
        your firewall and in so doing, clears all the IP/port bans.

CONFIGURATION
    phailomatic is expected to be configured via a configuration file.
    This file will be searched for first in the current directory, then in
    /etc, and finally in /etc/phailomatic. If Optware or Entware is
    detected, /opt/etc and /opt/etc/phailomatic are searched before /etc
    and /etc/phailomatic.
    Lines whose first non-whitespace character is a # character are
    comment lines. In-line comments are supported. Everything including
    and following a # character is considered a comment.

    daemonize=[TRUE|FALSE]
        Whether or not to self-daemonize.

    debug=[TRUE|FALSE]
        Usually just appends memory usage data to log lines.

    checkdelay=seconds
        Number of seconds to wait between logfile checking cycles.
        Default is 2 seconds.

    silentmax=seconds
        Number of seconds to wait until issuing a warning to syslog about
        logfiles that have gone missing. Default is 60 seconds.

    pregex=regex
        Regex prepended to all syslog regexes. This regex should match
        the date, time and hostname portion of log lines. This regex MUST
        start with the beginning of the line, as the start-of-line
        requirement will be prepended to this regex (do not include the
        leading '^' yourself).

    firewall[1]=command $1 $2
    firewall[2]=command $1 $2
    firewall[...]=command $1 $2
        Commands to configure the firewall to receive bans. These will be
        executed in numeric order. When executed, $1 will be replaced by
        the port number, and $2 will be replaced by the client's IP
        address.

    teardown[1]=command $1 $2
    teardown[2]=command $1 $2
    teardown[...]=command $1 $2
        Commands to revert the firewall configuration commands. These
        will be executed in numeric order. When executed, $1 will be
        replaced by the port number, and $2 will be replaced by the
        client's IP address.

    ban=command $1 $2
        Command to ban an IP from a port via the firewall. When executed,
        $1 will be replaced by the port number, and $2 will be replaced by
        the client's IP address.

    unban=command $1 $2
        Command to unban an IP from a port via the firewall. When
        executed, $1 will be replaced by the port number, and $2 will be
        replaced by the client's IP address.
    file1[path]=/path/to/syslog
    file1[syslogformat]=[TRUE|FALSE]
    file1[regex][1][pattern]=regex
    file1[regex][1][ports]=comma separated port numbers (e.g. 25,587)
    file1[regex][1][hitperiod]=seconds
    file1[regex][1][timeout]=seconds
    file1[regex][1][bantrigger]=number
        Instructions for processing logfiles. These are specified as
        file1 through file5. [path] should specify the file being
        monitored. [syslogformat], which is optional and defaults to
        TRUE, specifies whether or not to prepend the 'pregex' regex to
        the regexes specified for this file.

        Regex information is contained in [regex] sections. [regex]
        section [pattern] is the regex pattern that should be matched.
        Patterns MUST name the matched IP address 'ip', for example:
        (?P<ip>[0-9.]+). ALL patterns must specify the entire line, as a
        line-ending requirement is added to all patterns (do not include
        the trailing '$' yourself). [ports] is a comma separated list of
        ports to block on regex matches. [regex] section [hitperiod] is
        the number of seconds between authentication failures considered
        to be part of the same attack. [regex] section [bantrigger] is
        the number of authentication failures within the hitperiod that
        triggers a firewall ban. Finally, [regex] section [timeout] is
        the number of seconds that should pass before unblocking.

    stdout=/path/to/file
        You may wish to capture stdout to a file. You can do so by
        setting this value.

    stderr=/path/to/file
        You may wish to capture stderr to a file. You can do so by
        setting this value.

SIGNALS
    phailomatic handles the following signals:

    SIGHUP
        Reloads configuration data. Some values cannot be changed without
        restarting phailomatic.

    SIGUSR1
        Flushes IP/port bans and the state of monitored IPs.

    SIGTERM
        Flushes IP/port bans, reverts firewall changes, and exits.

    Signals can be simulated on systems that do not support PCNTL by
    touching files in /var/run.
    To simulate a SIGTERM, simply touch:

        /var/run/phailomatic-sigterm

EXAMPLES
    The following is a sample configuration file, showing a setup that
    monitors one file with two regexes: the first matches dropbear ssh
    authentication failures, the second matches Postfix SASL
    authentication failures:

        # Sample Phailomatic configuration file
        file1[path]=/var/log/messages
        file1[syslogformat]=TRUE
        file1[regex][1][pattern]=dropbear\[[0-9]+\]: (?:bad password|login) attempt for .* from ::ffff:(?P<ip>[0-9.]+):[0-9]+
        file1[regex][1][ports]=22
        file1[regex][1][hitperiod]=90
        file1[regex][1][timeout]=600
        file1[regex][1][bantrigger]=5
        file1[regex][2][pattern]=postfix/smtpd\[[0-9]+\]: .*\[(?P<ip>[0-9.]+)\]: SASL (?:[A-Z]+) authentication failed: authentication failure
        file1[regex][2][ports]=25,587,2525

FILES
    The configuration file will be searched for in the following order:

        ./phailomatic.conf
        /opt/etc/phailomatic.conf (Optware/Entware only)
        /opt/etc/phailomatic/phailomatic.conf (Optware/Entware only)
        /etc/phailomatic.conf
        /etc/phailomatic/phailomatic.conf

February 6, 2014                                                phailomatic(1)
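As an added illustration (not phailomatic's own code), the following Python models how one [regex] section's hitperiod, bantrigger and timeout interact, using the dropbear pattern from the sample configuration above. The pregex value, the Tracker class and the log lines are constructed assumptions; the firewall commands are recorded as actions rather than executed.

```python
import re

# Assumed pregex (not on the page): BSD syslog timestamp plus hostname.
PREGEX = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ "
# Dropbear pattern from the sample config; '^'+pregex prepended, '$' appended as phailomatic does.
PATTERN = (r"dropbear\[[0-9]+\]: (?:bad password|login) attempt for .* "
           r"from ::ffff:(?P<ip>[0-9.]+):[0-9]+")
RULE = {"regex": re.compile("^" + PREGEX + PATTERN + "$"),
        "ports": [22], "hitperiod": 90, "timeout": 600, "bantrigger": 5}

class Tracker:
    def __init__(self, rule):
        self.rule = rule
        self.hits = {}      # ip -> (failures in the current attack, time of last one)
        self.bans = {}      # ip -> time at which the ban expires
        self.actions = []   # ("ban"|"unban", ip, ports), in the order issued

    def feed(self, line, now):
        """Process one log line seen at time 'now'; returns None, "hit" or "ban"."""
        m = self.rule["regex"].match(line)
        if not m:
            return None
        ip = m.group("ip")
        count, last = self.hits.get(ip, (0, None))
        if last is not None and now - last > self.rule["hitperiod"]:
            count = 0       # gap longer than hitperiod: this failure starts a new attack
        count += 1
        self.hits[ip] = (count, now)
        if count >= self.rule["bantrigger"]:
            del self.hits[ip]
            self.bans[ip] = now + self.rule["timeout"]
            self.actions.append(("ban", ip, self.rule["ports"]))  # 'ban' command
            return "ban"
        return "hit"

    def expire(self, now):
        # Lift every ban whose timeout has elapsed (the 'unban' command).
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.actions.append(("unban", ip, self.rule["ports"]))

def simulate():
    # Constructed input: five failures 10 s apart from one IP, then one from another.
    t = Tracker(RULE)
    line = ("Feb  6 10:00:00 router dropbear[1234]: bad password attempt for "
            "'root' from ::ffff:203.0.113.7:51234")
    for sec in range(0, 50, 10):
        t.feed(line, 1000 + sec)
    t.feed(line.replace("203.0.113.7", "198.51.100.9"), 1050)
    t.expire(1040 + 600)    # ban issued at 1040 expires after timeout seconds
    return t.actions
```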