Cheescloth is a security script that monitors your mail server for brute-force email delivery attempts from zombie machines under the control of spammers and hackers, and blocks the sending hosts. It also catches and blocks brute-force login attempts against your server over SSH.
This project first started out as a simple script. It then grew into what it is now. I wrote it because I was tired of having my log files fill up with brute-force zombie mailers sending requests for sendmail to deliver email to users who did not exist. I was also tired of the SSH hacking attempts trying to break into user accounts. Most of these come from people's personal computers that are infected with a Trojan and are under the control of a remote spammer or hacker.
If you think about it...
- Server resources are wasted on all these requests. It is also a security hazard: this kind of brute-force mailing can be used to compile a list of which users do exist on your server, so that they can be spammed or hacked in the future.
- Cheescloth helps protect the server by taking the sources of these brute-force mailers, SSH hacking attempts, RBL rejections and FQDN rejections and adding them to your iptables firewall rules, dropping their packets before they get to call sendmail 100 zillion times. No packets from a flagged IP will reach your server for the next 4 hours if you are running the default version of Cheescloth.
- Cheescloth also protects against connections from the Tor network. Every hour, as the Tor IP addresses are rotated, Cheescloth downloads a fresh IP list from the Tor network and adds those addresses to your firewall as well. You can easily comment this out if you would like to turn it off.
- Cheescloth is developed under the Slackware Linux distribution. It should run under all flavors of Linux and Unix. Most of the utilities it needs are installed by default on the majority of Unix distributions.
- Cheescloth records which email addresses are being spammed, so that system admins know which user names NOT to assign. It also helps you narrow down which IPs should probably be banned permanently in your firewall if you are being attacked.
- Don't let your log files fill up and your system resources be wasted by the same annoying spammer over and over, even if they are already being rejected by your favorite RBL.
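As an added example, not Cheescloth's own code, here is a small POSIX shell sketch of the log-to-firewall loop described in the list above: count "User unknown" rejections from sendmail and "Failed password" lines from sshd per source IP, emit an iptables DROP rule for any IP over a threshold, tag the rule with an expiry time, and later emit the matching delete for rules whose 4-hour window has passed. The log lines are constructed samples, the rule tagging assumes the iptables `comment` match module, and the script runs in dry-run mode by default so it only prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not Cheescloth's own code): brute-force mailer / SSH offender
# detection from syslog lines, with timed iptables DROP rules. Dry-run by default.

# Constructed sample log lines in the syslog format written by sendmail and sshd.
SAMPLE_LOG='Mar  3 10:01:02 mail sendmail[1234]: r23A12xx: ruleset=check_rcpt, arg1=<nobody1@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <nobody1@example.com>... User unknown
Mar  3 10:01:03 mail sendmail[1235]: r23A13xx: ruleset=check_rcpt, arg1=<nobody2@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <nobody2@example.com>... User unknown
Mar  3 10:01:04 mail sendmail[1236]: r23A14xx: ruleset=check_rcpt, arg1=<nobody3@example.com>, relay=[203.0.113.5], reject=550 5.1.1 <nobody3@example.com>... User unknown
Mar  3 10:01:09 mail sendmail[1240]: r23A15xx: ruleset=check_rcpt, arg1=<typo@example.com>, relay=[198.51.100.7], reject=550 5.1.1 <typo@example.com>... User unknown
Mar  3 10:02:01 mail sshd[2001]: Failed password for root from 192.0.2.77 port 51234 ssh2
Mar  3 10:02:02 mail sshd[2002]: Failed password for invalid user admin from 192.0.2.77 port 51235 ssh2
Mar  3 10:02:03 mail sshd[2003]: Failed password for invalid user oracle from 192.0.2.77 port 51236 ssh2
Mar  3 10:02:10 mail sshd[2010]: Accepted publickey for alice from 198.51.100.9 port 50000 ssh2'

THRESHOLD=${THRESHOLD:-3}            # hits per IP before it is flagged (assumed value)
BAN_SECONDS=${BAN_SECONDS:-14400}    # 4 hours, matching the default window described above

# offenders: read log lines on stdin, print "count kind ip" for every source IP
# with at least THRESHOLD hits. One typo'd recipient (198.51.100.7) stays below it.
offenders() {
    awk -v t="$THRESHOLD" '
        /sendmail\[/ && /User unknown/ {
            if (match($0, /relay=\[[0-9.]+\]/)) {
                ip = substr($0, RSTART + 7, RLENGTH - 8)   # strip "relay=[" and "]"
                hits["smtp " ip]++
            }
        }
        /sshd\[/ && /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") hits["ssh " $(i + 1)]++
        }
        END { for (k in hits) if (hits[k] >= t) print hits[k], k }
    ' | sort
}

# block_rules: turn offenders into iptables DROP rules. The expiry timestamp is
# carried in the rule comment so an unban pass can find it later. DRY_RUN=1
# (the default) prints the commands; set DRY_RUN=0 to execute them as root.
block_rules() {
    now=$(date +%s)
    expires=$((now + BAN_SECONDS))
    offenders | while read -r count kind ip; do
        cmd="iptables -I INPUT -s $ip -j DROP -m comment --comment cheescloth-$kind-expires-$expires"
        if [ "${DRY_RUN:-1}" = "1" ]; then echo "$cmd"; else $cmd; fi
    done
}

# expired_rules NOW: read `iptables -S INPUT` style lines on stdin and print the
# `iptables -D` command for every tagged rule whose expiry is before NOW.
expired_rules() {
    awk -v now="$1" '
        /--comment cheescloth-/ {
            for (i = 1; i <= NF; i++) if ($i == "--comment") tag = $(i + 1)
            n = split(tag, parts, "-")
            if (parts[n] + 0 < now) { sub(/^-A /, "iptables -D "); print }
        }
    '
}

# Demo run on the constructed sample: prints the DROP rules that would be added.
printf '%s\n' "$SAMPLE_LOG" | block_rules
```

In production the script would read `/var/log/maillog` and the auth log instead of `SAMPLE_LOG`, run `block_rules` from cron with `DRY_RUN=0`, and run `iptables -S INPUT | expired_rules "$(date +%s)" | sh` on the same schedule to lift bans once their window has passed.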
If you change it to work with a different Linux distro, a different SMTP program, or a different firewall, please email us a copy.
Here is a screenshot of the stats pages.