ssh blocker script for TCP Wrappers

Since this past summer, compromised machines have been attempting to brute-force user accounts via ssh. Mostly this is just annoying, but it would be nice to detect and block the offending IPs. Francisco de Borja Lopez Rio made a Python script that watches /var/log/authlog on OpenBSD and adds IPs to a filter table for OpenBSD’s pf. The script can be found here.

Later Juan J. Martinez used the same concept to create a simple shell script that behaves similarly. While this is nice, some of my own bastion hosts running ssh are not OpenBSD machines and thus cannot run pf. So I modified Juan’s script to use Wietse Venema’s ubiquitous TCP Wrappers (hosts.deny) instead. The bash shell script also expects GNU variants of cat, echo, awk, etc., but should be easily modifiable to operate on, say, Solaris. You can get it right here. It would also be relatively easy to edit it to use Linux iptables instead.
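To make the TCP Wrappers approach concrete, here is an added example (my own illustration, not the downloadable script from this post or Juan’s original) of the core logic: parse sshd “Failed password” lines from an auth log, count failures per source IP, and append a `sshd: <ip>` entry to hosts.deny for any IP at or above a threshold. Unlike the real script, which follows the live log, this one reads log text from stdin and works on constructed sample lines; the threshold value and the hosts.deny path passed in are assumptions for the demo. It only needs POSIX sh, awk, sort and grep.

```shell
#!/bin/sh
# Added example, not the post's script: derive hosts.deny entries from
# sshd "Failed password" lines. Reads log text on stdin.

# Constructed sample auth-log lines for the demo (not real traffic).
SAMPLE_LOG='Jan 10 03:14:01 bastion sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4411 ssh2
Jan 10 03:14:03 bastion sshd[1235]: Failed password for root from 192.0.2.10 port 4412 ssh2
Jan 10 03:14:05 bastion sshd[1236]: Failed password for invalid user test from 192.0.2.10 port 4413 ssh2
Jan 10 03:14:09 bastion sshd[1237]: Failed password for invalid user oracle from 198.51.100.7 port 5001 ssh2
Jan 10 03:15:00 bastion sshd[1238]: Accepted publickey for scott from 203.0.113.5 port 51000 ssh2'

# offenders THRESHOLD < logtext
# Prints, sorted, every source IP with at least THRESHOLD failed password
# attempts. Only sshd lines are considered; accepted logins are ignored.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The IP is the field right after the word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# deny_lines THRESHOLD < logtext
# Emits TCP Wrappers hosts.deny lines ("daemon: client") for the offenders.
deny_lines() {
    offenders "$1" | while read -r ip; do
        printf 'sshd: %s\n' "$ip"
    done
}

# update_hosts_deny FILE THRESHOLD < logtext
# Appends a deny entry for each offender not already present in FILE, so
# running it repeatedly over a growing log does not duplicate entries.
update_hosts_deny() {
    file="$1"
    threshold="$2"
    offenders "$threshold" | while read -r ip; do
        if ! grep -q -F "sshd: $ip" "$file" 2>/dev/null; then
            printf 'sshd: %s\n' "$ip" >> "$file"
        fi
    done
}

# Demo: with a threshold of 3 only 192.0.2.10 is blocked; 198.51.100.7
# had a single failure and the publickey login is never counted.
printf '%s\n' "$SAMPLE_LOG" | deny_lines 3
```

In real use you would feed the function the actual auth log (or a `tail -f` of it) and point `update_hosts_deny` at `/etc/hosts.deny`; the threshold keeps a single mistyped password from locking out a legitimate user, and the duplicate check matters because hosts.deny is re-read on every connection, so a file that grows without bound is both slow and hard to audit.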

Incidentally, there are some other, perhaps better, approaches for dealing with this. One is to allow only key-based authentication instead of simple password authentication. Another is to run ssh on a port other than 22. The first option is the more secure of the two, and some useful details can be found here. Running somewhere other than 22 may be out of the question, and automated attack scripts may use port scanning to find running sshd daemons rather than assuming the well-known service port.

If you don’t need to ssh in from arbitrary hosts, then you should be blocking that at the firewall level, though you can add the restriction to hosts.deny as well. Since this is IP based, attackers who can figure out the IPs of your “whitelisted” machines could use spoofing in a determined attack. The attacks we’re blocking here, however, are almost certainly automated and more of a nuisance. Restricting logins to key-based authentication only should be considered first. This script, or one of the firewall scripts noted above, can then be added on top to block the automated nuisance attempts. For a little extra obscurity, port knocking could be layered into the mix…

Download link: ssh_blocker_wrap-sh.tar.gz


Scott Harney