ALMAMS is the Automated Log Monitoring and Attack Mitigation System. It monitors logs for possible attacks and mitigates those attacks with a firewall.

ALMAMS is a Perl program. The main program is in the bin/almams file. It uses modules in the lib/almams directory to do its work. One generic module is included with ALMAMS in the lib/almams/generic.pl file. That generic module will probably do everything you would want ALMAMS to do. If not, you can use it as a basis for your own module(s). See the INSTALL and CONFIGURATION documents for more information.

ALMAMS requires a Perl interpreter. It also requires the Config::General Perl module to read its configuration file, and the BASH shell for its scripts. See the INSTALL document for more information. Note that if you are using an old Perl (before 5.6.0?) you will probably need an older version of the Config::General module. Config-General-2.27 seems to work with older versions of Perl. You should be able to download it here: http://backpan.perl.org/authors/id/T/TL/TLINDEN/Config-General-2.27.tar.gz

ALMAMS is very flexible. You can configure it to just monitor the logs, in which case it only writes what it would have done to a text file. You could configure it to send an e-mail when an attack is detected (via a command). You could configure it to actually block the attack via a software firewall command. You could set up a command that communicates what needs to be blocked to an external firewall. You could also combine these in any way you like.

ALMAMS monitors system logs via FIFOs/named pipes. Modern syslog daemons such as rsyslogd can log to a named pipe. See the documentation of your syslog daemon to see if it supports FIFOs/named pipes. There may be cases where your syslog daemon doesn't support FIFOs, or where you want to monitor logs from a daemon that doesn't use syslog for its logs (and also doesn't support logging to a FIFO). An add-on program is included with ALMAMS to help in these situations. See the filetofifo program in the share/almams/filetofifo directory and its accompanying documentation.

ALMAMS reads log records from the FIFO(s) and searches for text strings in each log entry. If a match is detected, it dissects the log entry to get the IP address of the machine that triggered it. It then adds the IP address and time to an internal data structure. If enough matching log entries are generated within a certain period of time for one IP address, that is considered an attack from that IP address: it is logged to the ALMAMS log and, if configured to do so, a command is run to take appropriate action. All of this is configurable in the ALMAMS configuration.

In the ALMAMS configuration file you can specify which FIFO(s) will be monitored for log entries, which string(s) should be searched for in those log entries, how to dissect a log entry to get the IP address, how many matches within what time frame indicate that an IP address is attacking your system, what command (if any) should be run when an attack is detected, and several other things which control the operation of ALMAMS. See the CONFIGURATION document for more information.

ALMAMS is relatively easy to install for an experienced system administrator. See the INSTALL document for more information.

ALMAMS was designed for my own use but is being released to the public in the hope that it may be useful to someone else. It was written using Perl 5.10.1 but should be compatible with any perl5. It may be compatible with perl6. When/if perl6 is ever released in a stable form, ALMAMS will be tested against it and updated if necessary.

ALMAMS was designed for UNIX/Linux systems. It might be made to work with Windows (with some modification). From my reading, FIFOs/named pipes are significantly different on Windows and would probably require using the Win32::Pipe Perl module. Maybe using that with a modified filetofifo add-on would work (I doubt anything in Windows could log directly to a Windows FIFO)?

Test this program well before relying on it at any level. There are absolutely no guarantees of any kind with this program. If you find a bug, see the AUTHORS document for contact details.

The ALMAMS website is http://www.johnmerriam.net/almams where you can find the latest version and any important information about ALMAMS.
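The detection loop described above (match a string in each log record, dissect the record to get the source IP, count matches per IP within a time window, run a command once the threshold is reached) is shown below as an added example written in Python for this page. It is not ALMAMS code, does not use ALMAMS's Perl modules or configuration keywords, and everything specific in it is an assumption for illustration: the sshd-style log lines are constructed, the threshold of 3 matches within 60 seconds is arbitrary, the iptables command is one possible "appropriate action", and resetting an IP's counter after it triggers (so one burst runs the command once) is a design choice of this example, not a documented ALMAMS behaviour.

```python
import re
from collections import defaultdict, deque

# Which log entries count as a match. ALMAMS lets you configure the search
# string; a plain substring or a regex both work here.
MATCH_PATTERN = re.compile(r"Failed password for")

# How to "dissect" a matching entry to get the source IP. The pattern is
# deliberately strict (four dotted-decimal octets after "from "), because the
# extracted value is untrusted log content that is later handed to a
# firewall command.
IP_PATTERN = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


class Detector:
    """Count matches per source IP inside a sliding time window."""

    def __init__(self, threshold=3, window=60, action=None):
        self.threshold = threshold      # matches needed to call it an attack
        self.window = window            # ...within this many seconds
        self.action = action            # callable(ip, ts) run on detection
        self.hits = defaultdict(deque)  # ip -> timestamps of recent matches
        self.unparsed = 0               # matches where no IP could be extracted

    def feed(self, ts, line):
        """Process one log record received at time ts (seconds).

        Returns the attacking IP if this record completes an attack, else None.
        """
        if not MATCH_PATTERN.search(line):
            return None
        m = IP_PATTERN.search(line)
        if m is None:
            self.unparsed += 1          # matched but could not dissect: skip it
            return None
        ip = m.group(1)
        recent = self.hits[ip]
        recent.append(ts)
        # Forget timestamps that have fallen out of the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            # One action per burst (assumption of this example): reset so the
            # same flood does not re-run the command on every following record.
            recent.clear()
            if self.action is not None:
                self.action(ip, ts)
            return ip
        return None


def block_command(ip):
    """Build the argv for a hypothetical iptables block of ip.

    Returning a list (for subprocess.run without shell=True) means the IP is
    never interpolated into a shell string, so a crafted log line cannot
    inject extra commands even if IP_PATTERN were loosened.
    """
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def run(detector, records):
    """Feed (ts, line) records in order; return [(ts, ip), ...] attacks."""
    attacks = []
    for ts, line in records:
        ip = detector.feed(ts, line)
        if ip is not None:
            attacks.append((ts, ip))
    return attacks


# Constructed sample records: (seconds since start, syslog-style line).
# 203.0.113.7 fails three times in 12 s; 192.0.2.9 fails three times but
# spread over 160 s; one line matches yet has no IP to dissect.
SAMPLE_LOG = [
    (0,   "Feb  3 10:00:00 host sshd[1234]: Failed password for root from 203.0.113.7 port 51122 ssh2"),
    (5,   "Feb  3 10:00:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 51130 ssh2"),
    (9,   "Feb  3 10:00:09 host sshd[1240]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2"),
    (12,  "Feb  3 10:00:12 host sshd[1234]: Failed password for admin from 203.0.113.7 port 51140 ssh2"),
    (20,  "Feb  3 10:00:20 host sshd[1244]: Failed password for root from 192.0.2.9 port 60001 ssh2"),
    (40,  "Feb  3 10:00:40 host sshd[1246]: Failed password for root from somewhere-odd port 1 ssh2"),
    (70,  "Feb  3 10:01:10 host sshd[1250]: Failed password for root from 203.0.113.7 port 51150 ssh2"),
    (100, "Feb  3 10:01:40 host sshd[1252]: Failed password for root from 192.0.2.9 port 60002 ssh2"),
    (180, "Feb  3 10:03:00 host sshd[1254]: Failed password for root from 192.0.2.9 port 60003 ssh2"),
]

if __name__ == "__main__":
    det = Detector(threshold=3, window=60,
                   action=lambda ip, ts: print(f"t={ts}: attack from {ip}, would run {block_command(ip)}"))
    print(run(det, SAMPLE_LOG))                # [(12, '203.0.113.7')]
    print("unparsed matches:", det.unparsed)   # 1
```

In a real deployment the records come from the FIFO rather than a list: open the named pipe for reading, feed each line to the detector with the arrival time (time.time()) as ts, and have the action actually execute the argv with subprocess.run. With rsyslogd, the legacy selector syntax `auth,authpriv.* |/var/run/almams.fifo` (the path is an assumption) sends matching messages to a named pipe created with mkfifo. Two things worth checking against the CONFIGURATION document before relying on ALMAMS itself: what it does with a matching entry whose IP cannot be dissected, and whether it runs the command once per burst or on every further match.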