Hi.

You can bind ssh to another port and/or you can play with a little scripting
and the excellent packet filter. I run a script from cron that greps the
IP addresses from the ssh scans, dumps them in a file, and a pf table
uses this file to drop connections from these IPs. Depending on the
type, these IP addresses will be removed after a specific amount of time.

The script is really stupid and easy:

#!/bin/sh
exec 2>&1

LOGTAIL=/usr/local/bin/logtail

PF_TABLE=sshscanners

# Penalties:
PENALTY_SCAN=1.0
PENALTY_INVALID_USER=2.0
PENALTY_ROOT_ACCESS=4.0

# Time to expire (seconds, multiplied by the score of an entry)
TTE_BLACK_LIST=43200 # 12 hours

TMPFILE=/tmp/authlog.tail.$$
NOW=`date +'%s'`

# logtail returns only the lines added to authlog since the last run
$LOGTAIL /var/log/authlog > $TMPFILE

# One "ip score" pair per event, hostnames dropped, counted per ip
grep 'Did not receive identification string from' $TMPFILE | \
    awk -v SCORE=$PENALTY_SCAN '{print $12,SCORE;}' | grep -v '[a-zA-Z]' | \
    sort | uniq -c > /tmp/sshd_no_id.$$
grep 'Invalid user' $TMPFILE | \
    awk -v SCORE=$PENALTY_INVALID_USER '{print $10,SCORE;}' | grep -v '[a-zA-Z]' | \
    sort | uniq -c > /tmp/sshd_invalid_users.$$
grep 'Failed password for root from' $TMPFILE | \
    awk -v SCORE=$PENALTY_ROOT_ACCESS '{print $11,SCORE;}' | grep -v '[a-zA-Z]' | \
    sort | uniq -c > /tmp/sshd_root_hackers.$$
# Sum count*score per ip and stamp it: "ip # score timestamp"
cat /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ /tmp/sshd_no_id.$$ | \
    awk -v STAMP=$NOW '{bastards[$2]+=$1*$3;} END{for (ip in bastards) {print ip" # "bastards[ip]" "STAMP;}}' \
    > /tmp/new_bastards.$$

cp /etc/pf.d/sshscans /tmp/sshscans.$$

echo "Updating table ${PF_TABLE}: "
echo ""

# Merge old and new entries; keep an entry only while NOW-stamp < TTE*score
cat /tmp/sshscans.$$ /tmp/new_bastards.$$ | grep '^[0-9]' | \
    awk -v NOW=$NOW -v TTE=$TTE_BLACK_LIST '{if ((NOW-$4)<TTE*$3) {print $0;}}' \
    > /etc/pf.d/sshscans
# pfctl -v prints A/D for added/deleted addresses, X for unchanged ones
/sbin/pfctl -t $PF_TABLE -T replace -f /etc/pf.d/sshscans -v | \
    grep -v '^X' | sed -e 's/^A /Adding /g' -e 's/^D /Deleting /g' 2>&1
echo ""
/bin/rm -f /tmp/sshd_root_hackers.$$ /tmp/sshd_invalid_users.$$ \
    /tmp/sshd_no_id.$$ /tmp/new_bastards.$$ /tmp/sshscans.$$ $TMPFILE

pf.conf defines a table with the addresses built from that file and drops them:

[... snipp ...]
table <sshscanners> file "/etc/pf.d/sshscans" persist
[...]
block return-rst in log quick on $ext_if proto tcp from <sshscanners> to any port 22
[... snipp ...]

This works for me but your mileage may vary.

HTH,

Andreas.

On 7/4/06, sonjaya <[EMAIL PROTECTED]> wrote:
Dear all

 How to block ddos/flooding/ssh brute attack with pf?



-sonjaya-




--
Hobbes : Shouldn't we read the instructions?
Calvin : Do I look like a sissy?
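The scoring and expiry steps of the cron script above, reworked as an added example (not Andreas's script and not part of the thread) into two shell functions over a constructed authlog sample, so the arithmetic can be checked without logtail, /var/log/authlog or pfctl. The sample log lines, host name, addresses and the 1152000000 timestamp are all constructed.

```shell
#!/bin/sh
# Added example, not Andreas's script: the scoring and expiry steps of the
# posted cron job as two functions over constructed input, so the arithmetic
# can be checked without logtail, /var/log/authlog or pfctl.

PENALTY_SCAN=1.0
PENALTY_INVALID_USER=2.0
PENALTY_ROOT_ACCESS=4.0
TTE_BLACK_LIST=43200   # 12 hours per point of score

# Constructed sshd lines in authlog format (host, timestamps, addresses invented).
SAMPLE_LOG='Jul  4 10:00:01 gw sshd[1234]: Did not receive identification string from 192.0.2.10
Jul  4 10:00:05 gw sshd[1235]: Invalid user admin from 192.0.2.20
Jul  4 10:00:06 gw sshd[1236]: Invalid user test from 192.0.2.20
Jul  4 10:00:09 gw sshd[1237]: Failed password for root from 192.0.2.30 port 4242 ssh2
Jul  4 10:00:11 gw sshd[1238]: Failed password for root from 192.0.2.20 port 4243 ssh2'

# score_log STAMP < log  ->  "ip # score stamp", one line per address, sorted.
# One awk pass instead of three grep|awk|sort|uniq pipelines; the field
# numbers ($12, $10, $11) are the same as in the original script, and the
# !~ /[a-zA-Z]/ test drops resolved hostnames the way grep -v did.
score_log() {
    awk -v STAMP="$1" -v S="$PENALTY_SCAN" -v U="$PENALTY_INVALID_USER" \
        -v R="$PENALTY_ROOT_ACCESS" '
        /Did not receive identification string from/ { if ($12 !~ /[a-zA-Z]/) bad[$12] += S }
        /Invalid user/                               { if ($10 !~ /[a-zA-Z]/) bad[$10] += U }
        /Failed password for root from/              { if ($11 !~ /[a-zA-Z]/) bad[$11] += R }
        END { for (ip in bad) print ip " # " bad[ip] " " STAMP }' | sort
}

# expire_table NOW < table -> only the lines still inside their penalty window:
# an address stays for TTE_BLACK_LIST * score seconds after its stamp.
expire_table() {
    awk -v NOW="$1" -v TTE="$TTE_BLACK_LIST" \
        '/^[0-9]/ { if ((NOW - $4) < TTE * $3) print }'
}

# Stand-alone run: score the sample at stamp 1152000000, then show what is
# still blocked 50000 s (about 14 h) later: the single scan has expired.
printf '%s\n' "$SAMPLE_LOG" | score_log 1152000000 | expire_table 1152050000
```

The table file this produces has the same "ip # score stamp" layout the cron script writes, so pfctl -T replace -f reads it unchanged.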
