MaxieZ wrote:
On Mon, Oct 03, 2005 at 10:10:16AM +1300, Jeremy Brake wrote:
Hey all,
I'm looking for an app/script which can monitor for failed ssh logins,
and block using IPTables for $time after $number of failed logins (an
exclusion list would be handy as well) so that I can put a quick stop to
these niggly brute-force ssh "attacks" I seem to be getting more and
more often.
http://kodu.neti.ee/~risto/sec/
Jeremy,
I agree with MaxieZ, a combination of SEC and iptables works nicely in
this situation and could be extended to other services like FTP, IMAP,
Web authentication, etc. I personally do not feel that security through
obscurity by changing the port numbers is a viable solution. Here is
what I do:
First, I have SEC scanning my logs using the two rules from the attached
sec.rules file. The first rule looks for connections to the sshd port
that do not send an identification string. If it sees this message in
syslog, it then uses iptables to insert a rule to drop all packets from
the source address. The second rule looks for attempted logins using an
invalid user id. It then creates an iptables rule like the first one.
I added a commented-out action line for both of those rules which
creates a 24-hour context which, after 24 hours, will delete the iptables
rule it created for that IP address.
Second, I have three normal iptables rules which rate limit the number
of connections to port 22. This is to defend against brute force
attacks on a valid account.
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j LOG --log-level 4 --log-prefix "iptables-drop: "
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
(Each -I lands at the head of INPUT, so entered in this order the chain reads --set, LOG, DROP; entering the LOG rule first would leave it below DROP, where it never fires.)
I highly recommend SEC for this type of log monitoring.
-dave
# Block addresses that connect to sshd without sending an identification string.
# The captured address is passed to a shell command, so the character class is
# kept tight ([A-z] would also admit [ \ ] ^ _ and `).
# Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 69.60.114.13
type=single
continue=dontcont
ptype=regexp
pattern=sshd\[[0-9]+\]: Did not receive identification string from ([A-Za-z0-9._-]+)
desc=ssh_no_ident_$1
action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"
# Use this action instead if you would like contexts to automatically be cleaned after 24 hours
#action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $1 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $1 because no identification string was given"; create ssh_no_ident_$1 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $1 -j DROP

# Block addresses trying to log in with an invalid account
# Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 69.60.114.13
type=single
continue=dontcont
ptype=regexp
pattern=sshd\[[0-9]+\]: Invalid user ([A-Za-z0-9._-]+) from ([A-Za-z0-9._-]+)
desc=ssh_invalid_user_$1_$2
action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"
# Use this action instead if you would like contexts to automatically be cleaned after 24 hours
#action=shellcmd /sbin/iptables -I INPUT -i eth0 -s $2 -j DROP; write /var/log/sec.log "%t iptables-insert: dropping all traffic from $2 because attempted to log in with invalid user $1"; create ssh_invalid_user_$1_$2 86400 shellcmd /sbin/iptables -D INPUT -i eth0 -s $2 -j DROP
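Added example, not part of this thread and not SEC's own code: the two detections from Dave's sec.rules in Python, with the exclusion list Jeremy asked for and the 24-hour expiry that the commented-out "create ... 86400" action provides. Assumptions: /sbin/iptables and eth0 are taken from the thread; the sample log is constructed (its first two lines are the ones quoted in sec.rules, the rest are made up, including one whose username is chosen to look like "a from 192.0.2.9"); commands are only recorded unless apply=True is passed. Because the username in an "Invalid user" line is chosen by the remote client, the source address is taken from the end of the line and validated as an IP address before any command is built from it.

```python
"""Log-driven sshd blocker that mirrors the two SEC rules above (constructed example)."""
import ipaddress
import re
import shlex
import subprocess
import time

# The two sshd messages the SEC rules act on.  The source address is taken from
# the end of the line and validated below, because the username field is chosen
# by the remote client and a name such as "a from 192.0.2.9" would otherwise
# shift the capture onto the wrong address.
NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)$")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)$")

BLOCK_SECONDS = 86400  # same lifetime as the SEC "create ... 86400" context

# Constructed sample log; the first two lines are the ones quoted in sec.rules.
SAMPLE_LOG = """\
Sep 19 05:40:25 apathy sshd[13234]: Did not receive identification string from 69.60.114.13
Sep 19 05:50:23 apathy sshd[13252]: Invalid user foto from 69.60.114.13
Sep 19 05:51:02 apathy sshd[13260]: Invalid user admin from 192.168.1.20
Sep 19 05:52:10 apathy sshd[13271]: Invalid user a from 192.0.2.9 from 198.51.100.7
Sep 19 05:53:00 apathy sshd[13280]: Accepted publickey for dave from 192.168.1.5 port 40122 ssh2
"""


class SshBlocker:
    def __init__(self, exclude=(), iface="eth0", apply=False, now=time.time):
        self.exclude = [ipaddress.ip_network(n) for n in exclude]  # never block these
        self.iface = iface
        self.apply = apply
        self.now = now            # injectable clock so expiry can be exercised offline
        self.blocked = {}         # ip_address -> expiry timestamp
        self.commands = []        # every iptables command generated, in order
        self.messages = []        # what the SEC rules write to sec.log

    def _iptables(self, op, addr):
        argv = ["/sbin/iptables", op, "INPUT", "-i", self.iface, "-s", str(addr), "-j", "DROP"]
        self.commands.append(" ".join(shlex.quote(a) for a in argv))
        if self.apply:
            subprocess.run(argv, check=True)

    def block(self, source, reason):
        """Insert a DROP rule for source; returns the address blocked, or None."""
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return None  # a hostname or garbage: never hand it to a shell command
        if any(addr in net for net in self.exclude) or addr in self.blocked:
            return None
        self._iptables("-I", addr)
        self.blocked[addr] = self.now() + BLOCK_SECONDS
        self.messages.append("iptables-insert: dropping all traffic from %s because %s" % (addr, reason))
        return str(addr)

    def expire(self):
        """Delete rules whose 24-hour lifetime has passed; returns the addresses unblocked."""
        now = self.now()
        done = [a for a, until in self.blocked.items() if until <= now]
        for addr in done:
            self._iptables("-D", addr)  # same arguments as the insert, so -D finds the rule
            del self.blocked[addr]
        return [str(a) for a in done]

    def feed(self, line):
        """Apply both rules to one syslog line; returns the address blocked, if any."""
        m = NO_IDENT.search(line)
        if m:
            return self.block(m.group(1), "no identification string was given")
        m = INVALID_USER.search(line)
        if m:
            return self.block(m.group(2), "attempted to log in with invalid user %r" % m.group(1))
        return None


def run_sample(exclude=("192.168.1.0/24",)):
    """Run the constructed log through the blocker, then advance the clock past expiry."""
    clock = [1000.0]
    blocker = SshBlocker(exclude=exclude, now=lambda: clock[0])
    results = [blocker.feed(line) for line in SAMPLE_LOG.splitlines()]
    clock[0] += BLOCK_SECONDS + 1
    expired = blocker.expire()
    return blocker, results, expired


if __name__ == "__main__":
    b, results, expired = run_sample()
    for line, r in zip(SAMPLE_LOG.splitlines(), results):
        print("%-14s %s" % (r or "-", line))
    print("\n".join(b.commands))
```

In production the lines would come from tailing syslog and expire() would be called from the same loop; the dry-run records show that 192.168.1.20 is left alone by the exclusion list, that the crafted username blocks 198.51.100.7 rather than 192.0.2.9, and that each -D is issued with exactly the arguments of its -I.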