Mon, 06 Jun 2005
Denyhosts parses your log files and adds the source IPs of automated ssh attack attempts to tcp_wrappers' /etc/hosts.deny. This is the same concept as this little shell script I cooked up. Of course my little script was derived from another script specific to OpenBSD and its pf firewall.
Denyhosts is pretty much the same idea as mine but it uses Python rather than a shell script. Python is common enough on most platforms, but some non-Linux platforms may not have it without installing 3rd party resources. The attacks on non-vulnerable machines with sshd running are harmless enough, but the extra layer can't hurt. And if a later vuln is discovered, you've already got a list of compromised hosts blocked out via tcp_wrappers.

Mon, 03 Jan 2005
Since this past summer, compromised machines have been attempting to brute force user accounts via ssh. Mostly this is annoying, but it would be nice to detect and block these IPs. Francisco de Borja Lopez Rio made a Python script that watches /var/log/authlog on OpenBSD and adds IPs to a filter table for OpenBSD's pf. The script can be found here.
Later Juan J. Martinez used the same concept to create a simple shell script that behaves similarly. While this is nice, some of my own bastion hosts running ssh are not OpenBSD machines and thus cannot run pf. So I modified Juan's script to use Wietse Venema's ubiquitous tcp wrappers instead. The bash shell script also expects GNU variants of cat, echo, awk, etc., but should be easily modifiable to operate on, say, Solaris. You can get it right here. It would also be relatively easy to edit it to use Linux iptables instead.
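To show the log-parsing and hosts.deny step concretely, here is an added example in plain POSIX sh plus awk. It is not the script linked above nor Juan's original; the function names, the threshold, and the sample sshd log lines are all constructed for illustration. It counts "Failed password" lines per source IP, picks the IPs at or above a threshold, and prints tcp_wrappers entries for any that are not already in the existing deny list, so repeated runs from cron don't pile up duplicates.

```shell
#!/bin/sh
# Added example (not the page's own script): turn sshd auth-log lines into
# tcp_wrappers /etc/hosts.deny entries. Function names and the sample log
# below are constructed for this illustration.

THRESHOLD=3   # failed attempts from one IP before it is listed (assumed value)

# Constructed syslog-style sshd lines, in the shape found in /var/log/auth.log
# (Linux) or /var/log/authlog (OpenBSD). Addresses are documentation ranges.
SAMPLE_LOG='Jan  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4431 ssh2
Jan  3 10:01:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 4432 ssh2
Jan  3 10:01:07 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 4433 ssh2
Jan  3 10:02:11 host sshd[1210]: Failed password for invalid user oracle from 198.51.100.7 port 5120 ssh2
Jan  3 10:03:30 host sshd[1220]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Jan  3 10:04:02 host sshd[1230]: Failed password for invalid user guest from 203.0.113.5 port 4434 ssh2'

# count_failures LOGTEXT
# Prints "count ip" for every source IP with failed password attempts,
# most frequent first. Only sshd "Failed password" lines are counted, so a
# successful login never contributes.
count_failures() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders LOGTEXT
# Prints the IPs whose failure count reached THRESHOLD.
offenders() {
    count_failures "$1" | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# build_deny_entries LOGTEXT EXISTING_DENY_TEXT
# Prints one "sshd: IP" hosts.deny line per offender that is not already
# present (whole-line, fixed-string match) in the existing deny file text.
build_deny_entries() {
    log="$1"
    existing="$2"
    for ip in $(offenders "$log"); do
        if ! printf '%s\n' "$existing" | grep -qxF "sshd: $ip"; then
            echo "sshd: $ip"
        fi
    done
}

# Stand-alone run: show what would be appended, given an empty deny list.
build_deny_entries "$SAMPLE_LOG" ""
```

In real use the log text would come from the auth log and the second argument from the current /etc/hosts.deny, with the output appended to that file (for example `build_deny_entries "$(cat /var/log/auth.log)" "$(cat /etc/hosts.deny)" >> /etc/hosts.deny` from a root cron job). The whole-line match on `sshd: IP` is what keeps the deny file from growing with duplicates across runs; the threshold keeps a single mistyped password from locking out a legitimate host.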
Incidentally, there may be some other, perhaps better, approaches for dealing with this. One is to only allow key-based authentication instead of simple password authentication. Another might be to run ssh on a port other than 22. The first option is probably the most secure and some useful details can be found here. Running somewhere other than 22 may be out of the question, and automated attack scripts may use port scanning to find running sshd instances rather than assuming the well-known service port.
If you don't need to ssh from arbitrary hosts, then you should be blocking that at the firewall level, though you can add it to hosts.deny as well. Since this is IP based, attackers who can figure out your "whitelist" of allowed machine IPs could utilize spoofing for a determined attack. The attacks we're blocking here are almost certainly automated and more of a nuisance. Restricting logins to key-based authentication only should be considered. This script or one of the firewall scripts noted above could then be added as well to block automated nuisance attempts. For a little extra obscurity, Port Knocking could be layered into the mix...
Download link: ssh_blocker_wrap-sh.tar.gz