Looks like someone had the same idea for ssh blocking. DenyHosts parses your log
files and adds the sources of automated ssh attack attempts to tcp_wrappers'
/etc/hosts.deny. This is the same concept as the little shell script I cooked
up. Of course my little script was derived from another script specific to
OpenBSD and its pf firewall. DenyHosts is pretty much the same idea as mine,
but it uses Python rather than a shell script. Python is common enough on most
platforms, but some non-Linux platforms may not have it without installing
third-party packages. The attacks on non-vulnerable machines with sshd running
are harmless enough, but the extra layer can't hurt. And if a later vuln is
discovered, you've already got a list of compromised hosts blocked out via
tcp_wrappers.
ssh blocker script for TCP Wrappers
Since this past summer, compromised machines have been attempting to brute
force user accounts via ssh. Mostly this is annoying, but it would be nice to
detect and block these IPs. Francisco de Borja Lopez Rio made a Python script
that watches /var/log/authlog on OpenBSD and adds IPs to a filter table for
OpenBSD's pf. The script can be found here.
Later, Juan J. Martinez used the same concept to create a simple shell script
that behaves similarly.
While this is nice, some of my own bastion hosts running ssh are not OpenBSD
machines and thus cannot run pf. So I modified Juan's script to use Wietse
Venema's ubiquitous tcp wrappers instead. The bash shell script also expects
GNU variants of cat, echo, awk, etc., but should be easily modifiable to
operate on, say, Solaris. You can get it right here. It would also be
relatively easy to edit it to use Linux iptables instead.
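The same log-to-hosts.deny idea, as an added example that is not the script offered here or the OpenBSD originals: it counts "Failed password" lines per source IP in a constructed sshd log excerpt, and appends a `sshd: <ip>` line to a hosts.deny-style file for every source at or above a threshold, skipping IPs already listed and IPs on an allowlist so an admin who fat-fingers a password a few times is not locked out. The log lines, the threshold of 5 and the allowlist file are all assumptions; the demo writes only to a scratch directory, never to the real /etc/hosts.deny.

```shell
#!/bin/sh
# Added example: derive tcp_wrappers deny entries from sshd log lines.
# Not the page's script. Log excerpt, threshold and file layout are constructed.

# Constructed sample of OpenSSH syslog lines: one scanner trying several
# account names, an admin (alice) failing five times before her key works,
# and a second scanner hammering root.
SAMPLE_LOG='Jan  5 03:12:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  5 03:12:03 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan  5 03:12:05 bastion sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan  5 03:12:07 bastion sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 51241 ssh2
Jan  5 03:12:09 bastion sshd[4027]: Failed password for invalid user oracle from 203.0.113.7 port 51243 ssh2
Jan  5 03:15:30 bastion sshd[4031]: Failed password for alice from 198.51.100.22 port 40022 ssh2
Jan  5 03:15:33 bastion sshd[4031]: Failed password for alice from 198.51.100.22 port 40022 ssh2
Jan  5 03:15:36 bastion sshd[4031]: Failed password for alice from 198.51.100.22 port 40022 ssh2
Jan  5 03:15:40 bastion sshd[4032]: Failed password for alice from 198.51.100.22 port 40023 ssh2
Jan  5 03:15:43 bastion sshd[4032]: Failed password for alice from 198.51.100.22 port 40023 ssh2
Jan  5 03:15:51 bastion sshd[4033]: Accepted publickey for alice from 198.51.100.22 port 40024 ssh2
Jan  5 03:20:00 bastion sshd[4040]: Failed password for root from 192.0.2.9 port 6002 ssh2
Jan  5 03:20:01 bastion sshd[4041]: Failed password for root from 192.0.2.9 port 6003 ssh2
Jan  5 03:20:02 bastion sshd[4042]: Failed password for root from 192.0.2.9 port 6004 ssh2
Jan  5 03:20:03 bastion sshd[4043]: Failed password for root from 192.0.2.9 port 6005 ssh2
Jan  5 03:20:04 bastion sshd[4044]: Failed password for root from 192.0.2.9 port 6006 ssh2
Jan  5 03:20:05 bastion sshd[4045]: Failed password for root from 192.0.2.9 port 6007 ssh2'

# Failed attempts needed before a source is listed (assumption, not from the page).
THRESHOLD=${THRESHOLD:-5}

# offenders LOGFILE: print "count ip" for every source with >= THRESHOLD
# "Failed password" lines. Only sshd lines are considered; the IP is the
# field following "from", so usernames containing spaces cannot confuse it.
offenders() {
    awk -v thr="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -k2
}

# update_deny DENYFILE ALLOWFILE LOGFILE: append "sshd: <ip>" for each
# offender unless the IP is on the allowlist (one IP per line) or is
# already present as an exact "sshd: <ip>" line in the deny file.
update_deny() {
    deny_file=$1; allow_file=$2; log_file=$3
    offenders "$log_file" | while read -r _count ip; do
        if [ -f "$allow_file" ] && grep -qxF "$ip" "$allow_file"; then
            continue
        fi
        if [ -f "$deny_file" ] && grep -qxF "sshd: $ip" "$deny_file"; then
            continue
        fi
        printf 'sshd: %s\n' "$ip" >> "$deny_file"
    done
}

# Stand-alone run against the constructed log in a scratch directory.
scratch=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$scratch/auth.log"
printf '198.51.100.22\n' > "$scratch/allow"          # admin host, never block
printf 'sshd: 192.0.2.9\n' > "$scratch/hosts.deny"   # blocked on an earlier run
update_deny "$scratch/hosts.deny" "$scratch/allow" "$scratch/auth.log"
cat "$scratch/hosts.deny"
rm -rf "$scratch"
```

Run as-is it prints the scratch hosts.deny with the pre-existing 192.0.2.9 line kept once and 203.0.113.7 added; alice's host stays off the list because of the allowlist. Pointing `update_deny` at the real /etc/hosts.deny is a one-line change but is deliberately not the default, and the exact-line match (`grep -x`) matters: a plain substring match on `sshd: 192.0.2.9` would also "find" `sshd: 192.0.2.99` and silently skip it.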
Incidentally, there may be some other, perhaps better, approaches for dealing
with this. One is to only allow key-based authentication instead of simple
password authentication. Another might be to run ssh on a port other than 22.
The first option is probably the most secure, and some useful details can be
found here. Running sshd somewhere other than 22 may be out of the question,
and automated attack scripts may use port scanning to find running sshds
rather than assuming the well-known service port.
If you don't need to ssh from arbitrary hosts, then you should be blocking
that at the firewall level, though you can add it to hosts.deny as well. Since
this is IP based, attackers who can figure out your "whitelist" of allowed
machine IPs could use spoofing for a determined attack. The attacks we're
blocking here are almost certainly automated and more of a nuisance.
Restricting logins to key-based authentication only should be considered. This
script or one of the firewall scripts noted above could then be added as well
to block automated nuisance attempts. For a little extra obscurity, Port
Knocking could be layered into the mix.
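To make the "whitelist at the wrappers level" idea concrete, here is an added example (not the page's script, and not libwrap itself) that models how tcp_wrappers decides an sshd connection: hosts.allow is consulted first and its first matching line grants access, then hosts.deny is consulted and its first matching line refuses, and a client matched by neither is let in. It models only the `sshd` daemon, the `ALL` wildcard, a trailing-dot address prefix such as `203.0.113.` and exact IPs; the file contents are constructed. It shows the two things worth knowing before combining a blocker script with a whitelist: a source listed in hosts.allow is never blocked by anything the script appends to hosts.deny, and `sshd: ALL` in hosts.deny closes the door to everyone else.

```shell
#!/bin/sh
# Added example: a minimal model of the hosts.allow / hosts.deny lookup order
# tcp_wrappers applies for one daemon. Not the page's code; file contents are
# constructed. Real libwrap supports more pattern forms than modelled here.

# Constructed files: allow one office network and one admin host for sshd,
# refuse everything else.
HOSTS_ALLOW='sshd: 198.51.100.
sshd: 192.0.2.44'
HOSTS_DENY='sshd: ALL'

# matches PATTERN IP: succeed if a client pattern matches the IP.
# ALL matches anything, "a.b.c." matches that address prefix, else exact.
matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$ip" ] && return 0 ;;
    esac
    return 1
}

# file_matches DAEMON IP CONTENT: succeed if any "daemon: client, client"
# line in CONTENT applies to DAEMON (or ALL) and one of its clients matches.
file_matches() {
    daemon=$1; ip=$2; content=$3
    hit=$(printf '%s\n' "$content" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac         # blank / comment
        d=$(printf '%s' "${line%%:*}" | tr -d ' \t')      # daemon list
        clients=${line#*:}                                # client list
        [ "$d" = "$daemon" ] || [ "$d" = "ALL" ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if matches "$c" "$ip"; then echo hit; exit 0; fi
        done
    done)
    [ "$hit" = hit ]
}

# decide IP: print "allow" or "deny" following libwrap's order:
# hosts.allow first match grants, hosts.deny first match refuses,
# no match in either means access is granted.
decide() {
    ip=$1
    if file_matches sshd "$ip" "$HOSTS_ALLOW"; then echo allow
    elif file_matches sshd "$ip" "$HOSTS_DENY"; then echo deny
    else echo allow
    fi
}

# Stand-alone run: office host, admin host, and an unknown scanner.
for ip in 198.51.100.22 192.0.2.44 203.0.113.7; do
    printf '%-15s %s\n' "$ip" "$(decide "$ip")"
done
```

The last branch of `decide` is the part people forget: with an empty hosts.deny, tcp_wrappers grants everything that hosts.allow did not already decide, so a whitelist only does its job when hosts.deny ends with a catch-all such as `sshd: ALL`. The model also makes the earlier point visible: an address on the allow side stays allowed no matter how many `sshd: <ip>` lines a log-driven blocker adds to the deny side, which is exactly why the admin host belongs in hosts.allow rather than on a blocker's skip list.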
Download link: ssh_blocker_wrap-sh.tar.gz