This software (Gargoyle) was written on a Linux platform and is intended to run on Linux and no other platforms. It requires netfilter (kernel level), iptables (user space) and sqlite3.
The Gargoyle software was written to operate in high speed environments. Most of the stuff we analyzed before deciding to write Gargoyle_* worked off log file data. Gargoyle_pscand is different in that it operates off live network packet data. Gargoyle_lscand* works off log file data. They have been compiled and tested on Debian, Ubuntu, and Raspbian. If you compile and run successfully on some other platform please let us know the details.
Gargoyle_pscand is based on the notion of different severity levels where some blocks are immediate, others are based on a time cycle, and others are based on some analysis process. Then there is also a cleanup process to not leave block rules in forever and ever
gargoyle
Dependencies:
+ sqlite3 libsqlite3-dev autoconf lsb-base libnetfilter-log-dev
Support Platform:
– Debian Variant
– Fedora
There are numerous run time entities:
1. gargoyle_pscand – runs as the main daemon and expects signal 2 (SIGINT) to be brought down as there is a complex cleanup process upon the reciept of SIGINT.
2. gargoyle_pscand_monitor – runs as a daemon with an internal timed cycle. The default cycle is a run every 12 hours based off whenever the daemon was started. This prog will analyze the active rules in our iptables chain and clean out the ones who have been jailed past the point set at variable LOCKOUT_TIME. The clean up process also updates records in the DB.
3. gargoyle_pscand_analysis – runs as a daemon with an internal timed cycle. The default cycle is a run every 15 minutes based off whenever the daemon was started. This prog will analyze the data in the DB and the data in our iptables chain and add block rules (and DB entries) for targets who are using straggered techniques (slow and low scans, etc) or somehow got past the main daemon.
4. gargoyle_pscand_unblockip – this is a standalone program that accepts one argument (an ip address string) and will cleanup/remove all traces of that ip address except for the fact that we once encountered it. The thought process here is that you deliberately removing an ip address means you are treating this address as a trusted entity and want no future blocks of it.
5. gargoyle_pscand_remove_from_whitelist – this is a standalone program that accepts one argument (an ip address string) and will remove that ip address from the white list (ignored ip addresses) (DB table & shared mem).
6. gargoyle_lscand_ssh_bruteforce – runs as a daemon and monitors log file data looking for inidcators and patterns of SSH brute force attacks.
7. gargoyle_pscand_remove_from_blacklist – this is a standalone program that accepts one argument (an ip address string) and will remove that ip address from the black list (blocked ip addresses) and all related entities (DB table, shared mem, etc).
8. gargoyle_lscand_bruteforce – runs as a daemon and monitors log file data looking for inidcators and patterns based on the user provided data in the .conf files located in directory conf.d.
Usage:
Install Dependencies Debian variant: sudo apt-get install sqlite3 libsqlite3-dev autoconf lsb-base libnetfilter-log-dev Install Dependencies Fedora: sudo dnf install sqlite3 libsqlite3x-devel autoconf redhat-lsb-core libnetfilter_log-devel git clone https://github.com/BayshoreNetworks/gargoyle && cd gargoyle sudo ./build.sh sudo make install