bad command | double login | signature failed

Cccam protection

OS: Debian
CCcam version: 2.1.2+

Install fail2ban service:


Type:
apt-get install fail2ban -y
& press [Enter]

Edit /etc/fail2ban/jail.conf
Type:
vim /etc/fail2ban/jail.conf
& press [Enter]

... press [Insert], scroll to the bottom with [↓] or [Page Down] and add the following:

# port
# port that Cccam uses.
#
# logpath
# location of Cccam-debug file, like:
# /var/log/daemon.log
# or
# /var/emu/cccam/log/warnings.txt
# or...
# enable debug-mode & define debug-file name and location
# in Cccam.cfg file.
#
# bantime:
# define banning-time in seconds (1800 secs = 30 mins)

[cccam_signaturefailed]
enabled = true
port = 12000
filter = cccam-signature
logpath = /var/log/daemon.log
bantime = 1800
maxretry = 10

[cccam_badcommand]
enabled = true
port = 12000
filter = cccam-command
logpath = /var/log/daemon.log
bantime = 1800
maxretry = 10

[cccam_doublelogin]
enabled = true
port = 12000
filter = cccam-login
logpath = /var/log/daemon.log
bantime = 1800
maxretry = 10

Press [Esc] to exit write-mode & press [Shift]+[Z][Z] to save.

http://www.exyuteam.org
Adding the three filter-files at /etc/fail2ban/filter.d/

1. Make file cccam-signature.conf


Type:
vim /etc/fail2ban/filter.d/cccam-signature.conf
& press [Enter]

... press [Insert] and add the following:

# failregex
# The host must match the failure messages in the
# Cccam debug-file.
[Definition]
failregex = CCcam: kick <HOST>, signature failed
ignoreregex =

Press [Esc] to exit write-mode; type


:wq
to save file.

2. Make file cccam-command.conf


Type:
vim /etc/fail2ban/filter.d/cccam-command.conf
& press [Enter]

... press [Insert] and add the following:

# failregex
# The host must match the failure messages in the
# Cccam debug-file.
[Definition]
failregex = CCcam: kick <HOST>.*, bad command
ignoreregex =

Press [Esc] to exit write-mode; type


:wq
to save file.

3. Make file cccam-login.conf
Type:
vim /etc/fail2ban/filter.d/cccam-login.conf
& press [Enter]

... press [Insert] and add the following:

# failregex
# The host must match the failure messages in the
# Cccam debug-file.
[Definition]
failregex = CCcam: double login .*, .* \(<HOST>\)
ignoreregex =

Press [Esc] to exit write-mode; type


:wq
to save file.
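
Before restarting the service, the three failregex lines can be checked against sample log lines. The block below is an added example, not part of the original guide: it uses an IPv4-only stand-in for the <HOST> tag, constructed log lines with documentation addresses, and it ignores fail2ban's time window, counting matches per host against maxretry only.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption;
# the real tag also accepts hostnames and IPv6 addresses).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex values copied from the three filter files in this guide.
FILTERS = {
    "cccam_signaturefailed": r"CCcam: kick <HOST>, signature failed",
    "cccam_badcommand": r"CCcam: kick <HOST>.*, bad command",
    "cccam_doublelogin": r"CCcam: double login .*, .* \(<HOST>\)",
}
MAXRETRY = 10  # same value as in the jail sections above


def compile_filters(filters=FILTERS):
    """Expand <HOST> and compile each failregex."""
    return {jail: re.compile(rx.replace("<HOST>", HOST))
            for jail, rx in filters.items()}


def count_failures(lines, filters=FILTERS):
    """Return {jail: Counter({host: matches})} for the given log lines."""
    compiled = compile_filters(filters)
    hits = {jail: Counter() for jail in compiled}
    for line in lines:
        for jail, rx in compiled.items():
            m = rx.search(line)  # unanchored search, like the filters above
            if m:
                hits[jail][m.group("host")] += 1
    return hits


def would_ban(hits, maxretry=MAXRETRY):
    """Hosts per jail whose match count has reached maxretry."""
    return {jail: sorted(h for h, n in c.items() if n >= maxretry)
            for jail, c in hits.items()}


# Constructed sample lines (not real CCcam output; format assumed from the regexes).
SAMPLE = (
    ["Aug  4 15:30:%02d host CCcam: kick 192.0.2.10, signature failed" % i for i in range(10)]
    + ["Aug  4 15:31:%02d host CCcam: kick 198.51.100.7 (user1), bad command" % i for i in range(3)]
    + ["Aug  4 15:32:00 host CCcam: double login user2, kicked (203.0.113.5)"]
    + ["Aug  4 15:33:00 host CCcam: online using 203.0.113.9"]  # must match no filter
)

if __name__ == "__main__":
    hits = count_failures(SAMPLE)
    for jail, hosts in would_ban(hits).items():
        print(jail, dict(hits[jail]), "would ban:", hosts)
```

On the server itself, fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/cccam-signature.conf runs the same check with fail2ban's own parser against the real log.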

(re)Launch the service:


Type:
/etc/init.d/fail2ban restart
& press [Enter]

Warnings and bans can now be seen at:

/var/log/fail2ban.log

...for example like this:


2009-08-04 15:30:19,863 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 80.137.xxx.xxx
2009-08-04 15:32:09,002 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 92.50.xxx.xxx
2009-08-04 15:33:26,104 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 92.50.xxx.xxx
2009-08-04 15:38:51,471 fail2ban.actions: WARNING [cccam_badcommand] Unban 88.152.xxx.xxx
2009-08-04 15:42:38,764 fail2ban.actions: WARNING [cccam_badcommand] Ban 88.152.xxx.xxx
2009-08-04 16:00:20,017 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 80.137.xxx.xxx
2009-08-04 16:03:26,240 fail2ban.actions: WARNING [cccam_signaturefailed] Unban 92.50.xxx.xxx
2009-08-04 16:04:15,312 fail2ban.actions: WARNING [cccam_signaturefailed] Ban 92.50.xxx.xxx
