PyFilter: security peace of mind while developing

PyFilter

Introduction

Any server or service with an internet connection is susceptible to a brute force attack; the implications of such an attack for your service vary greatly with the measures you have taken to secure the application. One example is an SSH brute force attack: a stream of illegitimate requests made with combinations of usernames and passwords in an attempt to establish a genuine connection. Needless to say, this is bad, and this is where PyFilter can help. PyFilter works by scanning user-defined log files for too many unsuccessful attempts within a timeframe and blacklisting the offending IP address, denying further connection attempts.

How it works

A PyFilter rule applies to any service you wish to monitor, for example SSH or Apache. Each rule has one or more defined patterns which, if matched, increment the connection-attempt counter for that IP by one. Once the connection attempts have reached the defined maximum, the IP is blacklisted via iptables. However, each attempt has to be made within a certain time period of the last failed attempt, otherwise the counter is not incremented, so you're safe if you forget your password. PyFilter can be configured with any rule, as long as it has a working regex pattern and a working time format.
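To make the counter-and-window logic concrete, here is an added example written for this post; it is not PyFilter's own source. The log lines are constructed, the rule layout (patterns, time format, threshold, window) is hypothetical, and the matching IPs are returned from `scan` rather than handed to iptables.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd-style lines (not real traffic); syslog omits the year.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 12:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 12:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 12:00:08 host sshd[1004]: Failed password for root from 198.51.100.5 port 40001 ssh2
Mar 10 14:30:00 host sshd[1005]: Failed password for root from 198.51.100.5 port 40002 ssh2
Mar 10 14:30:01 host sshd[1006]: Failed password for root from 198.51.100.5 port 40003 ssh2
"""

# Hypothetical rule layout: one or more patterns, a time format, a threshold and a window.
SSH_RULE = {
    "patterns": [re.compile(
        r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) .*sshd\[\d+\]: "
        r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)")],
    "time_format": "%b %d %H:%M:%S",
    "max_attempts": 3,
    "window": timedelta(minutes=5),
}

def scan(log_text, rule):
    """Return IPs that reached max_attempts failures, each within `window`
    of the previous one. A failure outside the window resets the count to 1,
    so slow, occasional typos never accumulate into a ban."""
    state = {}   # ip -> (consecutive in-window failures, time of last failure)
    banned = []  # in a real deployment this is where iptables would be invoked
    for line in log_text.splitlines():
        for pattern in rule["patterns"]:
            match = pattern.search(line)
            if not match:
                continue
            ts = datetime.strptime(match.group("time"), rule["time_format"])
            ip = match.group("ip")
            count, last = state.get(ip, (0, None))
            count = count + 1 if last is not None and ts - last <= rule["window"] else 1
            state[ip] = (count, ts)
            if count >= rule["max_attempts"] and ip not in banned:
                banned.append(ip)
            break  # one matching pattern per line is enough
    return banned

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, SSH_RULE))  # ['203.0.113.7']
```

The second address fails three times in total but its first failure is hours before the other two, so the window resets its count and it is not banned.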

Once an IP has been added to the firewall, it is also saved in either SQLite or Redis. SQLite works best if you only aim to run PyFilter on one server; using Redis, however, provides the ability to have "cross server ban syncing". Cross server ban syncing uses Redis and its Pub/Sub functionality: when a ban is added, the PyFilter instance running on that particular server publishes the IP to Redis, allowing all other PyFilter instances subscribed to the ban event to act on it and ban the IP on their own server. This is useful for banning illegitimate IP addresses before they move on to more of your IP range.

PyFilter-Admin

PyFilter-Admin is a web interface for PyFilter. It provides useful statistics, such as total bans, the number of bans within the last 10 days, and the latest ban. It also provides a table of the latest 10 bans with the option for more info on each of those bans, e.g. why they were banned, at which time, and which server they were banned on (if using Redis). It also provides the ability to manually ban IPs; however, for this to work, PyFilter has to be set up with Redis.

Thanks for reading!

Hopefully this post has given you an insight into how PyFilter operates. PyFilter is very easy to use, and any extra rules you wish to be added by default are welcome with a pull request here on GitHub, or by opening an issue here. I would be highly grateful if you placed a star on the repo, as it helps the popularity of PyFilter increase!