ipqbdb: IPQ BDB filter
https://savannah.nongnu.org/projects/ipqbdb/

This package works with iptables, on Linux kernels.  It consists of a 
few simple programs designed to maintain a Berkeley DB of IPv4 
addresses without admin intervention.

Man pages are installed for each program.  In addition, there are:

README               this file
INSTALL              install, upgrade, test, and configure tutorial
READMEphp            Apache and Mediawiki PHP examples
READMEiptables-list  daily use of iptables -L -Z
READMEcrash          how to diagnose and recover from crashes
READMEconcurrency    Berkeley Concurrent Data Store (CDB) model
READMEreportcategory reporting to an external abuse database

The rest of this file explains the main concept and the requirements.


CONCEPT
=======
The daemon is inspired by the STOCKADE daemon (see link below).  Each IP record
features a decay and a probability.  Banning an IP either inserts a new record
with the given probability, or doubles the probability of an existing record.
Probabilities define the likelihood that a packet will be blocked.  They
decrease automatically: the decay is the time in which a probability halves.
It is possible to whitelist IP addresses in order to establish their initial
decay.  The decay is increased whenever the probability passes a certain
threshold upward, so that repeatedly banned IPs end up with a slower decay.

Banning is accomplished by a command line utility and a log parsing daemon.  In
that respect, ipqbdb is a light version of fail2ban (see link below).

While decays are expressed as floating point values, probabilities are integers
in the range 0-RAND_MAX.  However, the probability for newly inserted records
is specified as a count, i.e. a number that defines the initial probability
such that doubling it that many times results in a probability of 100%.
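The following is an added example, not code from the ipqbdb project, that models
one ban record as the two paragraphs above describe it: the count-derived initial
probability, doubling on repeated bans, saturation at RAND_MAX, halving once per
decay period, and a slower decay once the probability crosses a threshold.  The
field names, the threshold value (RAND_MAX/2), the growth factor (decay doubles on
each upward crossing) and the initial-decay parameter standing in for the
whitelist value are assumptions; the real daemon takes the random draw from the
kernel-queued packet path, here it is a plain rand() call.

```c
/* Added example modelling ipqbdb's per-IP record; not the project's code.
 * Threshold, growth factor and field names are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

struct ban_record {
    int64_t prob;    /* probability as an integer 0..RAND_MAX */
    double  decay;   /* half-life of prob, in seconds */
    time_t  updated; /* when prob was last decayed */
    int     in_use;  /* 0 until the IP is first banned */
};

#define PROB_THRESHOLD ((int64_t)RAND_MAX / 2)  /* assumed threshold */
#define DECAY_GROWTH   2.0                      /* assumed: decay doubles */

/* A count c yields the initial probability that reaches 100% (RAND_MAX)
 * after being doubled c times; exact for the usual RAND_MAX = 2^k - 1. */
int64_t initial_prob(int count)
{
    if (count < 0) count = 0;
    if (count > 30) count = 30;
    int64_t p = ((int64_t)RAND_MAX >> count) + 1;
    return p > RAND_MAX ? RAND_MAX : p;
}

/* 0.5^x for x >= 0, computed without libm so the file links with plain cc:
 * whole halvings, then a short exp() series on the fractional part. */
static double half_power(double x)
{
    double scale = 1.0, sum = 1.0, term = 1.0, y;
    int n;
    if (x > 1100.0) return 0.0;             /* would underflow anyway */
    while (x >= 1.0) { scale *= 0.5; x -= 1.0; }
    y = -x * 0.69314718055994531;           /* -x * ln 2, |y| < 0.7 */
    for (n = 1; n <= 16; n++) { term *= y / n; sum += term; }
    return scale * sum;
}

/* Bring prob up to date: it halves once per decay period. */
void decay_to(struct ban_record *r, time_t now)
{
    double dt = difftime(now, r->updated);
    if (dt > 0 && r->decay > 0)
        r->prob = (int64_t)((double)r->prob * half_power(dt / r->decay));
    r->updated = now;
}

/* Ban: insert a record with the count-derived probability and the initial
 * decay (the whitelist supplies this for known IPs), or double an existing
 * record's probability.  An upward threshold crossing slows the decay. */
void ban_ip(struct ban_record *r, int count, double initial_decay, time_t now)
{
    int64_t before = 0;
    if (!r->in_use) {
        r->prob = initial_prob(count);
        r->decay = initial_decay;
        r->in_use = 1;
    } else {
        decay_to(r, now);
        before = r->prob;
        r->prob *= 2;
        if (r->prob > RAND_MAX) r->prob = RAND_MAX;
    }
    r->updated = now;
    if (before < PROB_THRESHOLD && r->prob >= PROB_THRESHOLD)
        r->decay *= DECAY_GROWTH;
}

/* Verdict for one packet, given a draw in 0..RAND_MAX: 1 = drop, 0 = accept. */
int verdict_drop(const struct ban_record *r, int64_t draw)
{
    if (!r->in_use || r->prob <= 0) return 0;
    if (r->prob >= RAND_MAX) return 1;
    return draw < r->prob;
}

int main(void)
{
    struct ban_record r = {0};
    time_t t0 = time(NULL);
    int i;
    srand((unsigned)t0);
    for (i = 1; i <= 4; i++) {          /* four bans with count 3 */
        ban_ip(&r, 3, 3600.0, t0);
        printf("ban %d: prob=%lld/%lld decay=%.0fs\n", i,
               (long long)r.prob, (long long)RAND_MAX, r.decay);
    }
    decay_to(&r, t0 + 4 * 3600);
    printf("4h later: prob=%lld drop=%d\n", (long long)r.prob,
           verdict_drop(&r, (int64_t)rand()));
    return 0;
}
```

With count 3 the first ban stores one eighth of RAND_MAX; the fourth ban saturates
at RAND_MAX, and in this model the third ban crosses RAND_MAX/2 and doubles the
decay from 3600 to 7200 seconds, so the fully banned IP keeps blocking longer
than a once-seen one.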


REQUIREMENTS AND OTHER DETAILS
==============================

Programs:
ibd-judge    receives queued packets from the kernel and issues verdicts.
ibd-parse    parses log lines and inserts caught IPs in the database.
ibd-ban      bans a single IP; also inserts reason descriptions.
ibd-del      lists or deletes selected database records.
ibd-white    reads or writes a whitelist database.
ibd-config   displays compile-time configuration values.
ibd-category set external report category in description records.

Config files:
/etc/ipqbdb.popt
/etc/ipqbdb-pcre.conf
/etc/ipqbdb-connkill.cmd
any whitelist text that you supply to ibd-white

Databases:
block.db    the IPs being blocked
white.db    the whitelisted IPs
descr.db    the reason descriptions and statistics
__db.00?    the Berkeley DB Environment (CDB)

See also:
stockade    http://caia.swin.edu.au/stockade/
fail2ban    http://www.fail2ban.org/wiki/index.php/Main_Page

Software required:
Linux kernel 2.6.14 or later, and Netfilter - http://www.netfilter.org/about.html
 your kernel must be compiled with the relevant CONFIG_NETFILTER* settings
 (check with: grep CONFIG_NETFILTER /boot/config-$(uname -r) | less
 CONFIG_NETFILTER_DEBUG is not very useful, though.)

Libnetfilter_queue - http://www.netfilter.org/projects/libnetfilter_queue/
 (this in turn requires libnfnetlink)
 You are *STRONGLY* advised to use libnetfilter_queue 0.0.17 or later,
 otherwise queue errors may freeze the daemon (see READMEcrash); you may also
 want to see "Installing libnetfilter_queue on lenny" in INSTALL if using
 older Debian distros.

Berkeley DB 4.6 or later - http://www.oracle.com/technology/software/products/berkeley-db/

PCRE e.g. libpcre3-dev (debian) package - http://www.pcre.org/

Popt e.g. libpopt-dev (debian) package - http://directory.fsf.org/project/popt/

Curl (optional) e.g. libcurl4-gnutls-dev (debian) - http://curl.haxx.se/libcurl/
