sentry, an alternative to fail2ban and other bruteforce blocking daemons

25 Mar 2015

I’ve just migrated my servers from using fail2ban to sentry, and it feels quite efficient =), so I’m doing this post as a way to increase sentry awareness.

Sentry is a program who detects and prevents bruteforce attacks against sshd and other network services using minimal system resources. Instead of running a daemon who constantly reads log files it runs a perl script who uses tcpwrappers for tracking connections and blocking access by ip, tcpwrappers is already installed in most modern UNICES systems (Linux, Mac OSX and FreeBSD). So if you additionally have perl installed it adds 0 dependencies.

Installation

Ubuntu | Minos

$ sudo add-apt-repository ppa:minos-archive/main
$ sudo apt-get update && sudo apt-get install sentry

Others

$ wget http://www.tnpi.net/internet/sentry.pl
$ sudo perl sentry.pl
$ echo "sshd : /var/db/sentry/hosts.deny : deny" > hosts
$ echo "sshd : ALL : spawn /var/db/sentry/sentry.pl -c --ip=%a : allowsendmail: all" >> hosts
$ cat hosts /etc/hosts.allow > hosts.allow
$ sudo mv hosts.allow /etc/ && rm hosts

Usage

Upon installation it doesn’t require anything else, it’ll just works, to see some statistics run:

$ sudo /var/db/sentry/sentry.pl -r
no IP, skip info
   -------- summary ---------
  42 unique IPs have connected 190 times
   1 IPs are whitelisted
  38 IPs are blacklisted

To see blocked IPs

$ sudo head -3 /var/db/sentry/hosts.deny
ALL: 103.41.124.119 : deny
ALL: 103.41.124.136 : deny
ALL: 115.230.124.208 : deny

The list can be edited either manually or through the –whitelist, –blacklist and –delist sentry.pl options

$ sudo /var/db/sentry/sentry.pl --ip=103.41.124.119 --delist
$ sudo /var/db/sentry/sentry.pl --ip=103.41.124.119 --whitelist
$ sudo /var/db/sentry/sentry.pl --ip=103.41.124.119 --delist
$ sudo /var/db/sentry/sentry.pl --ip=103.41.124.119 --blacklist

That’s it, happy blocking 😋