
Tool used for converting jiffies from iptables xt_recent into timestamps.

Project description

# xt_recent_parser

An example iptables ruleset that feeds an xt_recent table (named sshguys here) looks like this; it allows only 2 SYN connections from the same source within 20 seconds:

````
export IPT=iptables
export SSH_PORT=22
export HITCOUNT=3   # match from the 3rd SYN on, i.e. 2 SYN connections (<3) are allowed
export WINDOW=20    # ... within this many seconds
# (the original script used the name SECONDS for the window; bash reserves that name
#  for the seconds elapsed since the shell started, so it would not stay at 20)

# --set:    add the source address to the list, or refresh its entry if already there.
# --rcheck: check if the source address of the packet is currently in the list.
# --update: like --rcheck, except it will update the "last seen" timestamp if it matches.
# --rttl:   also require the packet TTL to match the one recorded, which makes it harder
#           to get a third party banned with spoofed-source SYNs.

# every new SSH connection is recorded in the table
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name sshguys --rsource
# from the 3rd new connection in the window: log (rate limited), then reject with a RST
# (the trailing space in the prefix keeps it from running into the IN= field)
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW -m recent --rcheck --seconds $WINDOW --hitcount $HITCOUNT --rttl --name sshguys --rsource -m limit --limit 1/minute --limit-burst 5 -j LOG --log-prefix "BLOCKED SSH (brute force) " --log-level 4
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m recent --rcheck --seconds $WINDOW --hitcount $HITCOUNT --rttl --name sshguys --rsource -j REJECT --reject-with tcp-reset
# --update refreshes "last seen" on every further packet, so the ban lasts until the source stays quiet for the whole window
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m recent --update --seconds $WINDOW --hitcount $HITCOUNT --rttl --name sshguys --rsource -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p tcp -m tcp --dport $SSH_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
````

In syslog the blocked connections look like this (here the log prefix was set without a trailing space, so it runs into the IN= field):

````
Mar 26 14:06:41 cloudone-cla kernel: [5339977.637052] BLOCKED SSH (brute force)IN=eth0 OUT= MAC=00:50:56:92:00:04:00:14:c2:61:09:be:08:00 SRC=95.142.177.153 DST=160.97.104.18 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=42489 DF PROTO=TCP SPT=44636 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
````

It only needs Python 3:

````
root@cloudone-cla:~/xt_recent_parser# python3 xt_recent_parser.py
XT_RECENT python parser
<giuseppe.demarco@unical.it>


Standard readable view:
190.102.72.44, last seen: 2017-03-26 13:31:55 after 1 connections
187.112.185.153, last seen: 2017-03-26 13:28:07 after 2 connections
95.142.177.153, last seen: 2017-03-26 13:27:31 after 12 connections

CSV view:
ip_src;last_seen;connections;deltas_mean;delta_seconds
190.102.72.44;2017-03-26 13:31:55.462201;1;0;
187.112.185.153;2017-03-26 13:28:07.168819;2;0.0;0
95.142.177.153;2017-03-26 13:27:31.976049;12;1.7272727272727273;1,1,1,1,1,1,2,3,3,1,4

````

The CSV view additionally gives, for every source address, the mean time delta and the individual time deltas in seconds between consecutive attempts.

Please remember to edit the xt_recent file path so the tool reads the table you want (the file name is the one given to `-m recent --name`):

````
# at the beginning of xt_recent_parser.py
_fpath = '/proc/net/xt_recent/sshguys'

# or at object creation:
xt = XtRecentTable(fpath="/proc/net/xt_recent/sshguys")
````
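The conversion the tool performs, as an added worked example (this is not the project's own code): it parses the table format the kernel prints under /proc/net/xt_recent (`src=... ttl: ... last_seen: ... oldest_pkt: ...` followed by the retained jiffies stamps), turns each stamp into wall-clock time from a reference pair (current jiffies value, HZ), and emits the same CSV columns shown above. The sample table, the HZ value of 250 and the reference jiffies are constructed; the `live_reference()` helper, which reads the current jiffies from the `jiffies:` line of /proc/timer_list and CONFIG_HZ from /boot/config-$(uname -r), is an assumption about where those values can be obtained on a running system, not something the project does.

```python
"""Added example: parse an xt_recent table and convert its jiffies stamps to timestamps."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# One table line as the kernel's recent_seq_show() prints it:
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <count> <j1>, <j2>, ...
# oldest_pkt is the running packet counter for that source; the trailing list holds
# at most ip_pkt_list_tot stamps (default 20), in ring-buffer order.
LINE_RE = re.compile(
    r"^src=(?P<src>\S+)\s+ttl:\s*(?P<ttl>\d+)\s+last_seen:\s*(?P<last_seen>\d+)"
    r"\s+oldest_pkt:\s*(?P<count>\d+)\s*(?P<stamps>[\d,\s]*)$"
)


@dataclass
class XtRecentEntry:
    src: str
    ttl: int
    last_seen: int      # jiffies
    count: int          # packets seen from src (the "connections" column above)
    stamps: List[int]   # jiffies of the retained packets, as printed


def parse_xt_recent(text: str) -> List[XtRecentEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised xt_recent line: %r" % line)
        stamps = [int(s) for s in m.group("stamps").split(",") if s.strip()]
        entries.append(XtRecentEntry(m.group("src"), int(m.group("ttl")),
                                     int(m.group("last_seen")), int(m.group("count")), stamps))
    return entries


def jiffies_age_seconds(stamp: int, now_jiffies: int, hz: int, bits: int = 64) -> float:
    """Seconds elapsed since `stamp`, computed modulo 2**bits because jiffies is an
    unsigned long: a 32-bit counter wraps every ~49.7 days at HZ=1000 (and the kernel
    starts it 5 minutes before the wrap on purpose), so a plain subtraction can go negative."""
    mask = (1 << bits) - 1
    return ((now_jiffies - stamp) & mask) / hz


def stamp_to_datetime(stamp: int, now_jiffies: int, hz: int, now: datetime, bits: int = 64) -> datetime:
    return now - timedelta(seconds=jiffies_age_seconds(stamp, now_jiffies, hz, bits))


def deltas_seconds(entry: XtRecentEntry, now_jiffies: int, hz: int, bits: int = 64) -> List[int]:
    """Gaps in whole seconds between consecutive retained packets, oldest first.
    Ordering by age (not by raw value) keeps ring-buffer order and a wrap harmless."""
    ages = sorted((jiffies_age_seconds(s, now_jiffies, hz, bits) for s in entry.stamps), reverse=True)
    return [round(older - newer) for older, newer in zip(ages, ages[1:])]


def to_csv(entries: List[XtRecentEntry], now_jiffies: int, hz: int, now: datetime, bits: int = 64) -> str:
    rows = ["ip_src;last_seen;connections;deltas_mean;delta_seconds"]
    for e in entries:
        d = deltas_seconds(e, now_jiffies, hz, bits)
        mean = sum(d) / len(d) if d else 0
        last = stamp_to_datetime(e.last_seen, now_jiffies, hz, now, bits).isoformat(sep=" ")
        rows.append(";".join([e.src, last, str(e.count), str(mean), ",".join(map(str, d))]))
    return "\n".join(rows)


def live_reference(config_path: str = None) -> Tuple[int, int]:
    """Assumed sources for the reference pair on a running system (not what the project does):
    the `jiffies:` line of /proc/timer_list (root-only on recent kernels) and CONFIG_HZ from
    the kernel config. Returns (now_jiffies, hz)."""
    import os
    config_path = config_path or "/boot/config-%s" % os.uname().release
    with open("/proc/timer_list") as f:
        now_jiffies = next(int(l.split(":")[1]) for l in f if l.strip().startswith("jiffies:"))
    with open(config_path) as f:
        hz = next(int(l.split("=")[1]) for l in f if l.startswith("CONFIG_HZ="))
    return now_jiffies, hz


# Constructed sample, not captured data: HZ=250, reference jiffies 1_000_000_000 taken at 13:32:00.
SAMPLE_HZ = 250
SAMPLE_NOW_JIFFIES = 1_000_000_000
SAMPLE_NOW = datetime(2017, 3, 26, 13, 32, 0)
SAMPLE_TABLE = """\
src=190.102.72.44 ttl: 53 last_seen: 999998750 oldest_pkt: 1 999998750
src=95.142.177.153 ttl: 50 last_seen: 999984250 oldest_pkt: 5 999982500, 999982750, 999983000, 999983500, 999984250
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python3 this_file.py /proc/net/xt_recent/sshguys
        now_jiffies, hz = live_reference()
        text, now = open(sys.argv[1]).read(), datetime.now()
    else:
        now_jiffies, hz, text, now = SAMPLE_NOW_JIFFIES, SAMPLE_HZ, SAMPLE_TABLE, SAMPLE_NOW
    print(to_csv(parse_xt_recent(text), now_jiffies, hz, now))
```

The reference pair matters more than the parsing: every timestamp is `now - (now_jiffies - stamp) / HZ`, so a wrong HZ (USER_HZ from `getconf CLK_TCK` is 100 and is not the kernel tick rate) skews every age proportionally, and on a 32-bit kernel the subtraction must be taken modulo 2^32 or entries recorded just before a wrap come out with a negative age.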


Project details


Download files


Source Distribution

iptables_xt_recent_parser-0.3.tar.gz (5.4 kB view details)

Uploaded Source

Built Distribution

iptables_xt_recent_parser-0.3-py3-none-any.whl (30.5 kB view details)

Uploaded Python 3

File details

Details for the file iptables_xt_recent_parser-0.3.tar.gz.

File metadata

  • Download URL: iptables_xt_recent_parser-0.3.tar.gz
  • Upload date:
  • Size: 5.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/33.1.1 requests-toolbelt/0.9.1 tqdm/4.31.0 CPython/3.4.3+

File hashes

Hashes for iptables_xt_recent_parser-0.3.tar.gz
Algorithm Hash digest
SHA256 567659553dcf7a1699fb85140cddf00e42eee704e9e5cfbaecaeecc63d83d416
MD5 7c9bdac52327afcea7b5c743bd76a145
BLAKE2b-256 f76ffbe8d54c80df7ccfa4a4a918c6e60dcd0ae8c9145eecf5ef231af80c7e0f


File details

Details for the file iptables_xt_recent_parser-0.3-py3-none-any.whl.

File metadata

  • Download URL: iptables_xt_recent_parser-0.3-py3-none-any.whl
  • Upload date:
  • Size: 30.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/33.1.1 requests-toolbelt/0.9.1 tqdm/4.31.0 CPython/3.4.3+

File hashes

Hashes for iptables_xt_recent_parser-0.3-py3-none-any.whl
Algorithm Hash digest
SHA256 6c2359e28c8d47a5318aca313114cb63405c043da2c1e9cf33cc755c0892a176
MD5 46f959c871006aa7cfd2fe5a97db4b95
BLAKE2b-256 1ef98e0e94990dd3375d7c04492ff4d5aff49907c0eb83f9bdf02f7b5fe153a0
