Digital Mages



autofwd is primarily an automated firewalling daemon intended to firewall off hosts performing unwanted acts. It has the following feature list:

While this daemon is written with the intent of firewalling off hosts running dictionary attacks on logins, it can be used for just about anything. The external commands to run are all configurable allowing you to take additional actions against offending hosts. Run a nmap OS fingerprint before firewalling, or just silently log the event. Anything you can script up can be used with this daemon, as long as it can take an argument consisting of an IP address.

This functionality makes this daemon portable and useful across all types of UNIX and Linux. There is no platform-specific code in this software.



Sample output dumping the contents of the database:

root@foo-1:~# autofwd -D
IP Address          First Seen           Last Seen              # Att
-----------------------------------------------------------------------------         Fri Aug 12 10:39:02  Fri Aug 12 11:16:54       14     N      Fri Aug 12 16:02:40  Fri Aug 12 16:03:30       20     Y
                    Fri Aug 12 20:07:00  Fri Aug 12 20:07:06        2     N

Sample e-mail report:

Date: Mon, 25 Apr 2011 08:49:56 -0800
Subject: ** SECURITY ALERT ** - Autofirewall Report for foo-1

The following events have occured in the last five minutes:

Banning IP after 20 events.



Many thanks to Sander Klein <> for patches, ideas, debian packages, and more.

If you have any sample configurations for UNIX variants or firewall software that I don't have in the tarball please consider sending them in to me. I'll add them to the configuration samples and give you credit both here and in the tarball itself. Many thanks!


Debian packages are kindly provided by Sander Klein, and can be downloaded at his site:

Related Links