RedICE - Ruby Intrusion Countermeasures
Well, something new today. It has taken me long enough.
First of all, there is a new server, so rejoice! It's faster, better equipped with RAM, and I've gone a long way to make it somewhat secure.
And with that we're already at the topic: security. Browsing through the log files of the server I've noticed a hell of a lot of stupid script kiddies attempting to brute force their way into the server.
Lines and lines of failed logins to the root account via SSH, even though root login isn't even enabled, but how should they know, eh? Not to mention 40+ warnings from Snort, ranging from port scans to attempts to deploy an MS-SQL worm on this Linux server.
The chance that any of those things get through is low, I know, but eventually they might get a password right for a user on the system. Or I might be too slow to update to the latest patch of software XY and a buffer overflow is open for a day or two.
So simply monitoring with utilities like Snort wasn't enough for me, and while reading the logs I noticed that the attacks always came in bundles: 3, 4, 20 attempts with different things from one IP before they gave up.
Now I figured, what the heck, that's enough. Not only is it cluttering my logs, but the 1.000.000th attempt might by chance just hit the right password for the right user, so I'll put a few more obstacles in the way.
And I ended up writing my own small ICE (Intrusion Countermeasure Engine); those of you who like Shadowrun or cyberpunk will know the term ;).
It isn't the most complicated piece of software; it just adds the ability to actively take steps against attackers, as in dynamically adjusting the firewall rules to prevent attacks from going too far.
It is mostly based on the capability of scanning through logs, reading the interesting information out of them, and reacting to what other applications noticed.
Currently it supports 3 methods of detection:
- Snort-based logs
- Attempts to log in with banned user names
- Attempts to log in with non-existing users
All of those are kind of heuristic and might produce false positives, e.g. if your user XY attempts to log in and misspells his username 3 times. So it is set up to allow VPN connections from any address (meaning the filter only applies to non-VPN connections, assuming you don't let script kiddies into your VPN).
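To make the detection side concrete, here is an added Ruby example of the two login-based heuristics (banned user names, non-existing users) with the VPN exemption and the "bundle of attempts" threshold described above. It is example code written for this post, not RedICE's own source; the sshd log lines are constructed samples, and the user lists, VPN subnet, threshold and `iptables` rule shape are assumptions for illustration. The firewall rules are only generated as strings, not executed.

```ruby
require 'ipaddr'
require 'set'

# Constructed sample sshd auth log lines (not real server logs).
SAMPLE_LOG = <<~LOG
  Jan 10 03:12:01 host sshd[2210]: Failed password for root from 198.51.100.7 port 40211 ssh2
  Jan 10 03:12:04 host sshd[2210]: Failed password for root from 198.51.100.7 port 40212 ssh2
  Jan 10 03:12:07 host sshd[2212]: Invalid user oracle from 198.51.100.7 port 40213
  Jan 10 03:15:30 host sshd[2250]: Invalid user backup from 10.8.0.5 port 51000
  Jan 10 03:15:33 host sshd[2250]: Invalid user backup from 10.8.0.5 port 51001
  Jan 10 03:15:36 host sshd[2250]: Invalid user backup from 10.8.0.5 port 51002
  Jan 10 03:20:00 host sshd[2300]: Failed password for alice from 203.0.113.9 port 33000 ssh2
  Jan 10 03:20:05 host sshd[2301]: Accepted password for alice from 203.0.113.9 port 33001 ssh2
LOG

# Assumed configuration: accounts that must never log in over SSH,
# accounts that actually exist, the VPN client range, and how many
# suspicious events from one address are tolerated before a rule is built.
BANNED_USERS = Set['root', 'admin']
KNOWN_USERS  = Set['alice', 'bob']
VPN_NETWORKS = [IPAddr.new('10.8.0.0/24')]
THRESHOLD    = 3

# Extract user and source IP from the two sshd line shapes we care about.
# Returns nil for lines that are not failed/invalid login attempts.
def parse_line(line)
  if (m = line.match(/Failed password for (?:invalid user )?(\S+) from (\S+) port/))
    { user: m[1], ip: m[2], kind: :failed }
  elsif (m = line.match(/Invalid user (\S+) from (\S+) port/))
    { user: m[1], ip: m[2], kind: :invalid }
  end
end

# True when the address falls inside an exempted VPN range.
def vpn?(ip)
  addr = IPAddr.new(ip)
  VPN_NETWORKS.any? { |net| net.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Map one login event to the heuristics it trips (may be several).
def reasons_for(event)
  reasons = []
  reasons << :banned_user      if BANNED_USERS.include?(event[:user])
  reasons << :nonexistent_user unless KNOWN_USERS.include?(event[:user])
  reasons
end

# Walk the log and tally suspicious events per non-VPN source address.
# Returns { ip => { count: Integer, reasons: Set } }.
def scan(log_text)
  hits = Hash.new { |h, k| h[k] = { count: 0, reasons: Set.new } }
  log_text.each_line do |line|
    ev = parse_line(line)
    next unless ev
    next if vpn?(ev[:ip])          # VPN clients are never filtered
    rs = reasons_for(ev)
    next if rs.empty?              # ordinary typo by a real user: ignore
    hits[ev[:ip]][:count] += 1
    hits[ev[:ip]][:reasons].merge(rs)
  end
  hits
end

# Addresses whose suspicious event count reached the threshold, sorted.
def offenders(log_text, threshold = THRESHOLD)
  scan(log_text).select { |_, h| h[:count] >= threshold }.keys.sort
end

# Build (but do not run) the firewall rules an ICE would apply.
def firewall_rules(ips)
  ips.map { |ip| "iptables -I INPUT -s #{ip} -j DROP" }
end

if __FILE__ == $0
  puts firewall_rules(offenders(SAMPLE_LOG))
end
```

In the sample, 198.51.100.7 trips both the banned-user and non-existing-user checks three times and is the only address that reaches the threshold; 10.8.0.5 would also qualify but sits in the VPN range and is skipped, and alice's single failed login from 203.0.113.9 produces no reason at all. Lowering the threshold is the knob that trades faster blocking for more false positives.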
Well there it goes: RedICE 0.1.0