ssh blocker script for TCP Wrappers
Since this past summer, compromised machines have been attempting to brute
force user accounts via ssh. Mostly this is annoying but it would be nice to
detect and block these IPs. Francisco de Borja Lopez Rio made a Python script
that watches /var/log/authlog on OpenBSD and adds the offending IPs to a filter table for
OpenBSD's pf. The script can be found here.
Later Juan J. Martinez used the same concept to create a simple shell script to behave similarly.
While this is nice, some of my own bastion hosts running ssh are not OpenBSD
machines and thus cannot run pf. So I modified Juan's script to use Wietse
Venema's ubiquitous TCP Wrappers instead. The bash shell script also expects
GNU variants of cat, echo, awk, etc. but should be easily modifiable to
operate on, say, Solaris. You can get it right here. It would
also be relatively easy to edit to use Linux iptables instead.
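The core of the approach described above, as an added example rather than the script linked from this page: count failed sshd logins per source IP in an auth log and append the repeat offenders to a TCP Wrappers hosts.deny file. It assumes OpenSSH-style log lines ("Failed password ... from A.B.C.D") and POSIX awk, sort and grep; the sample log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the page's script: count failed sshd logins per source IP
# in an auth log and turn repeat offenders into TCP Wrappers hosts.deny entries.
# Assumes OpenSSH-style log lines ("Failed password ... from A.B.C.D").

# Print "IP count" for every source IP with at least $2 failures (default 5)
# found in log file $1, most frequent first.
failed_ssh_ips() {
    awk -v t="${2:-5}" '
        /sshd/ && /(Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# Append "sshd: IP" to a hosts.deny-style file ($2) for each offender in log $1,
# skipping IPs already present and any IP listed in the optional whitelist file $4.
# Prints the number of entries added. Point $2 at /etc/hosts.deny for real use.
block_failed_ssh_ips() {
    deny="$2"; allow="${4:-/dev/null}"; hits="$(mktemp)"; added=0
    failed_ssh_ips "$1" "${3:-5}" > "$hits"
    touch "$deny"
    while read -r ip count; do
        grep -qxF "$ip" "$allow" && continue       # never block a whitelisted host
        grep -qF "sshd: $ip" "$deny" && continue   # already blocked
        echo "sshd: $ip" >> "$deny"
        added=$((added + 1))
    done < "$hits"
    rm -f "$hits"
    echo "$added"
}

# Constructed sample log (not real traffic) so the script can run stand-alone.
sample_authlog() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Dec  3 10:01:02 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 4412 ssh2
Dec  3 10:01:04 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 4412 ssh2
Dec  3 10:01:06 bastion sshd[1203]: Invalid user admin from 203.0.113.7
Dec  3 10:01:09 bastion sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 4420 ssh2
Dec  3 10:02:11 bastion sshd[1210]: Failed password for alice from 198.51.100.9 port 51022 ssh2
Dec  3 10:02:20 bastion sshd[1211]: Accepted publickey for alice from 198.51.100.9 port 51023 ssh2
EOF
    echo "$f"
}

# Example run against the sample: list offenders with 3 or more failures.
failed_ssh_ips "$(sample_authlog)" 3
```

A single legitimate user's typo (198.51.100.9 above) stays under the threshold, while the whitelist file keeps known management hosts from ever being added.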
Incidentally, there may be some other, perhaps better approaches for dealing with this.
One is to only allow key-based authentication instead of simple password
authentication. Another might be to run ssh on a port other than 22. The
first option is probably the most secure and some useful details can be found
here. Running sshd
somewhere other than port 22 may be out of the question, and automated attack
scripts may port scan to find running sshd instances rather than assuming the
well-known service port.
If you don't need to ssh from arbitrary hosts, then you should be blocking
that at the firewall level, though you can add it to hosts.deny as well. Since
this is IP based, attackers that can figure out your "whitelist" allowed
machine IPs could utilize spoofing for a determined attack. The attacks we're
blocking here are almost certainly automated and more of a nuisance.
Restricting logins to key-based authentication only should be considered. This
script or one of the firewall scripts noted above could then be added as well
to block automated nuisance attempts. For a little extra obscurity, port knocking could be
layered into the mix.
Download link: ssh_blocker_wrap-sh.tar.gz