The WWM (Well, Wait a Minute!) program creates iptables rule address lists from syslog messages. The iptables rules themselves must be created by the user. Lists #defined in iptables.conf.var and the iptables recent module list are supported.
The program identifies relevant syslog messages by regexp patterns. For each defined protocol, one prefix pattern, a whitelist address list and several suffixes can be set.
Each suffix can have its own event type. Event rules are mainly of two kinds, allowing and blocking. Allowing rules grant forgiveness for some time, while blocking rules put the source IP on the list. Every rule defines the number of occurrences needed to put the source IP on the list and the amount of time it remains on it, e.g.:
- 3 unsuccessful ssh login attempts put the source IP on the deny list for a day
- 1 successful ssh login puts the source IP on the white list for a week
- 3 ssh login attempts with an invalid user name put the source IP on the deny list for a day
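To make the rule model above concrete, here is an added example (not WWM's own code) of a small tracker that matches syslog lines with a protocol prefix plus per-rule suffix regexes, counts occurrences per source IP, and maintains a deny list and a white list with expiry times. The class and field names, the assumption that occurrences are counted within the rule's own duration window, and the sample log lines are all constructed for this illustration; the three rules mirror the three bullet points above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class EventRule:
    """One suffix pattern and its event type (hypothetical model, not WWM's own)."""
    suffix: str      # regex appended to the protocol prefix; must define a group named 'ip'
    action: str      # "block": put the IP on the deny list, "allow": put it on the white list
    count: int       # occurrences needed before the IP is listed
    duration: int    # seconds the IP stays on the list (assumed to double as the counting window)


@dataclass
class Protocol:
    prefix: str                                   # regex identifying the daemon's messages
    rules: list                                   # EventRule objects
    whitelist: set = field(default_factory=set)   # static addresses never put on the deny list


class ListTracker:
    def __init__(self, protocols):
        self.matchers = [(p, r, re.compile(p.prefix + r.suffix)) for p in protocols for r in p.rules]
        self.hits = defaultdict(list)   # (rule index, ip) -> recent hit timestamps
        self.deny = {}                  # ip -> expiry (epoch seconds)
        self.white = {}                 # ip -> expiry (epoch seconds)

    def expire(self, now):
        """Drop entries whose time on the list has elapsed."""
        for lst in (self.deny, self.white):
            for ip in [ip for ip, exp in lst.items() if exp <= now]:
                del lst[ip]

    def forgiven(self, proto, ip):
        return ip in proto.whitelist or ip in self.white

    def feed(self, line, now):
        """Process one syslog line; return ('deny'|'white', ip) when a list changes, else None."""
        self.expire(now)
        for idx, (proto, rule, rx) in enumerate(self.matchers):
            m = rx.search(line)
            if not m:
                continue
            ip = m.group("ip")
            key = (idx, ip)
            # keep only hits inside the counting window, then add this one
            window = [t for t in self.hits[key] if t > now - rule.duration] + [now]
            self.hits[key] = window
            if len(window) < rule.count:
                return None
            self.hits[key] = []              # threshold reached: reset the counter
            if rule.action == "allow":
                self.white[ip] = now + rule.duration
                self.deny.pop(ip, None)      # a successful login lifts an existing block
                return ("white", ip)
            if self.forgiven(proto, ip):
                return None                  # whitelisted addresses are never blocked
            self.deny[ip] = now + rule.duration
            return ("deny", ip)
        return None


IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# The three rules from the description: 3 failures -> deny 1 day, 1 success -> white 1 week,
# 3 invalid user names -> deny 1 day. 10.0.0.5 is a constructed static whitelist entry.
SSH = Protocol(
    prefix=r"sshd\[\d+\]: ",
    rules=[
        EventRule(r"Failed password for \w+ from " + IP, "block", 3, DAY),
        EventRule(r"Invalid user \w+ from " + IP, "block", 3, DAY),
        EventRule(r"Accepted (?:password|publickey) for \w+ from " + IP, "allow", 1, 7 * DAY),
    ],
    whitelist={"10.0.0.5"},
)

# Constructed sample lines (not real logs), each paired with an epoch offset in seconds.
SAMPLE_LOG = [
    (0,  "sshd[1001]: Failed password for root from 203.0.113.7 port 5000 ssh2"),
    (10, "sshd[1002]: Failed password for root from 203.0.113.7 port 5001 ssh2"),
    (20, "sshd[1003]: Failed password for root from 203.0.113.7 port 5002 ssh2"),
    (30, "sshd[1004]: Accepted publickey for alice from 198.51.100.9 port 5003 ssh2"),
    (40, "sshd[1005]: Failed password for alice from 198.51.100.9 port 5004 ssh2"),
    (50, "sshd[1006]: Failed password for alice from 198.51.100.9 port 5005 ssh2"),
    (60, "sshd[1007]: Failed password for alice from 198.51.100.9 port 5006 ssh2"),
    (70, "sshd[1008]: Invalid user admin from 10.0.0.5 port 5007"),
    (80, "sshd[1009]: Invalid user admin from 10.0.0.5 port 5008"),
    (90, "sshd[1010]: Invalid user admin from 10.0.0.5 port 5009"),
]


def run_sample():
    """Feed the constructed log through the tracker and return it with the list-change events."""
    tracker = ListTracker([SSH])
    events = [e for ts, line in SAMPLE_LOG if (e := tracker.feed(line, ts))]
    return tracker, events


if __name__ == "__main__":
    tracker, events = run_sample()
    print("events:", events)
    print("deny list:", tracker.deny)
    print("white list:", tracker.white)
```

Running the sample, 203.0.113.7 lands on the deny list after its third failure, while 198.51.100.9 is forgiven for its later failures because its successful login put it on the white list first, and the statically whitelisted 10.0.0.5 is never blocked. The expiry timestamps are what a real daemon would compare against the clock before removing an address from the iptables list.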
The main program is run by a watchdog tool for greater security. If the main program stops for some reason, the watchdog restarts it and sends an email notification about the event. If this happens more than three times within a short period, the main program is not restarted automatically.