The ISPProtect Team has created a ban daemon, that can protect your server against brute force or DoS attacks.
Customers with a valid ISPProtect 12-month-licence can use the ISPProtect BanDaemon with that license key. Customers without a license can use it for 30 days free trial with all features.
The ISPProtect BanDaemon is available as a separate license now as well. If you like to use the BanDaemon but not ISPProtect Scan, then you can get a BanDaemon license for 29 € / year now.
ISPProtect BanDaemon License
The yearly BanDaemon license costs 29 € / year. The license is valid for one server.
How the ban daemon works
The ISPProtect BanDaemon watches your server log files, e. g. apache/nginx, pure-ftp, and recognizes hacking attempts. It uses iptables (and ip6tables) to block the attacking ip addresses or subnets.
What services are supported?
Currently the ban daemon is best suited to protect servers that have ISPConfig 3 installed. It monitors log files of pure-ftpd, ssh, postfix, dovecot, apache/nginx, ISPConfig login and bind.
In addition it supports some web software, e. g. wordpress (xmlrpc attack, pingback attack or brute force login), owncloud, joomla, …
The daemon can be easily extended to watch further log files and react on specific log entries to ban ips.
Is IPv6 supported?
Yes. The ISPProtect BanDaemon can block ipv6 addresses. Because most servers get assigned a complete /64 ipv6 subnet, the bandaemon is capable of blocking subnets, if it recognizes attacks from multiple ip addresses of this subnet.
Features
ISPProtect BanDaemon offers lot of features:
- Watch log files and react on entries
- Ban ipv4 and ipv6 including subnets using iptables / ip6tables
- Analyze PHP GET and POST requests (see chapter below)
- Centralized database for multiple servers possible
- Custom config files to override defaults or to create new watches
- GeoIP information (if geoip-database and geoip-bin installed)
- Daily report via email if configured
- The BanDaemon currently supports Debian, Ubuntu and CentOS as Operating system.
- … and more
Prerequisites
You need PHP 5.3 to 7.4 on the server. ISPConfig 3 is not neccessary but the ban daemon currently works best with this.
Installation
Switch to a temporary directory and download the ISPProtect BanDaemon.
cd /tmp/
rm -f ispp_bandaemon.tar.gz
wget -O ispp_bandaemon.tar.gz "https://www.ispprotect.com/download/ispp_bandaemon.tar.gz"
Extract the package, change to the installer directory and run the install bash script.
tar xzf ispp_bandaemon.tar.gz
cd bandaemon_install/
bash install.sh
If you want to use the ban daemon on a single server, you can use the automated config file generation. The installer will create a default config for you. If you want to use a centralized database, please answer "no" when the installer asks if it shall create a database, otherwise answer "yes".
Once installed, please review the config file in /opt/ispprotect_bandaemon/config.inc.php.
If you have a valid ISPProtect 12-month-license, you have to copy your license.key file to /opt/ispprotect_bandaemon/. Otherwise the daemon will run in TRIAL mode.
If everything is set-up according to your needs, you can start the daemon by typing
service ispprotect_bandaemon start
or
/etc/init.d/ispprotect_bandaemon start
on older systems.
The ban daemon creates a log file /var/log/ispprotect_bandaemon.log. You can see what the daemon does in there.
Configuration
Besides the config.inc.php file you can create custom config files if you want the daemon to watch a specific log file. We provided a sample config inside the conf.d directory.
Multi server setup
The ban daemon can be used with a centralized mysql database. Just create a database on the server you want to be the "master" and grant all privileges on that database to a user that can access the server from the outside. Enter these credentials in the config.inc.php on each server. All bans and unbans will propagate to all servers that are connected to the same database.
Ban daemon tools
There are some commands you can run from the command line.
Ban reports
/opt/ispprotect_bandaemon/ispp_bandaemon --report
This command sends a report to the email address defined in config.inc.php (BANDAEMON_DAILY_REPORT setting). The script takes additional optional arguments:
--email=
Send report to this email.
--screen
Dont email report, just display it on screen.
--today
Dont send/show report for previous day, but use today's data.
--sender=
Sent report email sender to this email address.
Show bans
If you want to see, what bans are currently active you can type
/opt/ispprotect_bandaemon/ispp_bandaemon --showbans
Ban or unban manually
Sometimes you need to unban or ban an ip addres or subnet by hand. For this, the bandaemon offers the commands
/opt/ispprotect_bandaemon/ispp_bandaemon --ban=<ip address> --bantime=<num>[MHD]and
/opt/ispprotect_bandaemon/ispp_bandaemon --unban=<ip address>
The --ban and --unban arguments can be used with ipv4 addresses or ipv6 addresses.
The --bantime can be given as minutes (M), hours (H) or days (D), e.g. --bantime=5H to ban an ip for five hours.
On a multi server system the bans and unbans are propagated to all other servers that use the same database.
Analyze GET and POST via PHP
The ISPProtect BanDaemon includes a script called ispp_bd_postlog.php that is stored in /usr/share/php5.
If you want your GET and POST being watched in all PHP applications of a web, you can add the setting
auto_prepend_file = /usr/share/php5/ispp_bd_postlog.php
to your site's php.ini
You can add it to your global php.ini, but make sure to include /usr/share/php5 in open_basedir, otherwise you will get permission errors and the PHP website will stop working.
The postlog script checks GET and POST values for common intrusion strings and writes those entries to the site's error log file. With these entries you can make the ban daemon ban ips by activating the sample config in the conf.d directory, i. e. rename 101-postlog.conf.sample to 101-postlog.conf.