Re: autoblocking many ssh failed logins from the same IP....

2005-07-05 Thread Edward

John Cholewa wrote:

Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 
212.88.182.121 port 51218 ssh2
Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 
212.88.182.121 port 51608 ssh2
Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 
212.88.182.121 port 52297 ssh2


I get the above a lot in my logs (except more of it).  Each day, a 
couple hundred failed attempts to log in from one or sometimes two IP 
addresses show up.  I don't have anything like ipf running, and since 
this machine is about fifteen hundred miles away from me, I don't want 
to experiment with software firewalling right now.


That known, is there any way to tell sshd (or some more powerful 
daemon) to stop accepting login attempts from a given IP if it tries 
and fails to log in too many times in a limited duration (like in the 
same minute)?


I suppose, now that I'm thinking about it, that it'd be best to 
actually just read the man pages and figure out how to get sshd to 
ignore any attempt to attach from ports other than 22.  I mean, why 
are other machines trying to ssh in at ports over fifty thousand anyway?


--
 -JC
 http://www.livejournal.com/users/jcholewa/

PS:  Oh, yeah ... FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 GMT 
2003 ; openssh-3.6.1_5 ; openssl-0.9.7d_1




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
[EMAIL PROTECTED]


I had this on my FreeBSD 4.10 box as well.  sshd can be configured to 
only allow logins for specific users.

Edit /etc/sshd_config to add the following
AllowUsers USER_NAME
You can have multiple AllowUsers entries if you want more than one user 
to be able to ssh in.
This has worked pretty well for me, although I still get an occasional 
(once every couple of days) failed login attempt on the one valid user 
name I've set up.  I guess I could use a less guessable user id.
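Edward's AllowUsers fix, as an added example that is not part of the thread: a small sh audit that reads an sshd_config the way sshd does and reports whether the login surface is actually narrowed. The two sample configs (weak.conf, hardened.conf, the user names jc and backup) are constructed for the demo; the helper assumes keyword and value are separated by whitespace.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings the reply above relies on. Assumptions: keyword and value are
# separated by whitespace (sshd_config also accepts "Keyword=value",
# which this does not parse), and comment lines start with '#'.
#
# sshd_config(5): for most keywords the FIRST occurrence wins, so a
# "PermitRootLogin no" added below an earlier "PermitRootLogin yes" does
# nothing. AllowUsers is one of the keywords whose lines accumulate, so
# several AllowUsers lines are fine; only its presence is checked here.

# first_value FILE KEYWORD: print the value of the first active KEYWORD
# line (case-insensitive), or nothing if it is never set.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # strip the keyword, keep the rest
            print
            exit
        }' "$1"
}

# audit_sshd_config FILE: one line per finding on stdout. Returns 0 when
# logins are restricted the way the reply describes (AllowUsers present,
# root login off), 1 otherwise. Password authentication is reported as
# advice: the guessing in the logs only works if passwords are accepted.
audit_sshd_config() {
    cfg=$1
    rc=0

    allow=$(first_value "$cfg" AllowUsers)
    if [ -z "$allow" ]; then
        echo "FAIL: no AllowUsers line; every account on the box is a valid target"
        rc=1
    else
        echo "ok:   AllowUsers $allow"
    fi

    root=$(first_value "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$root" in
        no) echo "ok:   PermitRootLogin no" ;;
        "") echo "FAIL: PermitRootLogin unset (OpenSSH of that era defaulted to yes)"; rc=1 ;;
        *)  echo "FAIL: PermitRootLogin $root"; rc=1 ;;
    esac

    pw=$(first_value "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" = no ]; then
        echo "ok:   PasswordAuthentication no"
    else
        [ -n "$pw" ] || pw="unset (defaults to yes)"
        echo "advice: PasswordAuthentication $pw; key-only auth makes the guessing pointless"
    fi
    return $rc
}

# make_samples DIR: write two constructed configs (not from the thread).
# weak.conf shows the classic mistake of leaving the root setting commented.
make_samples() {
    cat >"$1/weak.conf" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin no
PasswordAuthentication yes
EOF
    cat >"$1/hardened.conf" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowUsers jc
AllowUsers backup
PasswordAuthentication no
EOF
}

# Usage: sh sshd_audit.sh demo   (or source it and run audit_sshd_config on
# the real sshd_config path)
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_sshd_config "$tmp/$f.conf" || echo "   -> would not stop the guessing in the logs"
    done
    rm -rf "$tmp"
fi
```

Run it against the real file after editing: the first-occurrence rule is what makes a commented-out or duplicated line silently ineffective, which is exactly the case where the log noise continues even though the admin believes the setting is in place.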





autoblocking many ssh failed logins from the same IP....

2005-07-01 Thread John Cholewa

Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 
212.88.182.121 port 51218 ssh2
Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 
212.88.182.121 port 51608 ssh2
Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 
212.88.182.121 port 52297 ssh2

I get the above a lot in my logs (except more of it).  Each day, a couple 
hundred failed attempts to log in from one or sometimes two IP addresses show 
up.  I don't have anything like ipf running, and since this machine is about 
fifteen hundred miles away from me, I don't want to experiment with software 
firewalling right now.

That known, is there any way to tell sshd (or some more powerful daemon) to 
stop accepting login attempts from a given IP if it tries and fails to log in 
too many times in a limited duration (like in the same minute)?

I suppose, now that I'm thinking about it, that it'd be best to actually just 
read the man pages and figure out how to get sshd to ignore any attempt to 
attach from ports other than 22.  I mean, why are other machines trying to ssh 
in at ports over fifty thousand anyway?

--
 -JC
 http://www.livejournal.com/users/jcholewa/

PS:  Oh, yeah ... FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 GMT 2003 ; 
openssh-3.6.1_5 ; openssl-0.9.7d_1





Re: autoblocking many ssh failed logins from the same IP....

2005-07-01 Thread Hornet
Below (and attached) is a script I wrote to do exactly what you are talking about.
It's commented, so edit to your taste. I have been using it for about 4 months.

Since I am using PF as my firewall, it is customized for that. If you
are using something other than PF, again... edit to your taste.

-Erik-

#!/usr/bin/perl
# created by [EMAIL PROTECTED] 03/05

use strict;
use Time::localtime;
use Mail::Send;

my $hostname="domain.orIP.com";

#The white list that contains either the account or host.
my $whitelist="/home/user/scripts/sshwhitelist";

#LOG to search on
my $logfile="/var/log/auth.log";

#Where to read the current list of blackhole address.
my $blacklist="/etc/pf.blackholes";

#Name of the table in your pf.conf
my $tablename="blackhole";

#Where to store the cache file. This is removed and updated daily
my $cache="/root/.sshprotect.cache";

#Where to log actions taken.
my $log="/root/sshprotect.log";

#Command you want to run in response of a potential attack.
my $command="whois";
my $useip=1;  #useful in conjunction with $command which will do
              #something with the IP. Set to 0 if not needed.

#Max attempts a host can have until blocked.
my $attempts=5;

# Set this to run the $command or print a report or email the report,
# also update will update the $blacklist and reload the blackholes table.
# abuse will try to find and email the offending network about the attack
# These can be combined to run all actions:
#my $action="run print";
#my $action="print";
my $action="email run update abuse";
#my $action="print email update";
#my $action="print email";

#Email setup;
my $to="[EMAIL PROTECTED]";
my $from="[EMAIL PROTECTED]";
my $cc="";
my $subject="Excessive login attempts";

my $debug=0;

my @whtlst;
my %track;
my @blacklist;
my $block=1;
my @abuse;
my @cache;
my @runoutput;

my $version="1.2.1beta";
print "Version: $version\n" if $debug;

#find todays datemask (YYYYMMDD)
my $yr=localtime->year() + 1900;
my $mon=localtime->mon() + 1;
my $mday=localtime->mday();
$mon="0$mon" if $mon < 10;
$mday="0$mday" if $mday < 10;
my $today="$yr$mon$mday";
print "$today\n" if $debug;

open (WRITELOG, ">>$log") || die "$log $!\n";

open (BLACK, "<$blacklist") || die "$blacklist $!\n";
while (<BLACK>) {
  chomp;
  push (@blacklist, $_);
}
close BLACK;

open (WHITE, "<$whitelist") || die "$whitelist $!\n";
while (<WHITE>) {
  chomp;
  push (@whtlst, $_);
}
close WHITE;

#The cache holds the date on its first line, then the hosts already
#reported today. A missing cache just means nothing has been reported yet.
if (open (READCACHE, "<$cache")) {
  while (<READCACHE>) {
    chomp;
    push (@cache, $_);
  }
  close READCACHE;
} else {
  print "$cache $!\n" if $debug;
}

if (!@cache || $cache[0] ne $today) {
  print "Cache file is out of date: ", ($cache[0] || "none"), " vs $today\n" if $debug;
  @cache=();
  open (WRITECACHE, ">$cache") || die "$cache $!\n";
  print WRITECACHE "$today\n";
} else {
  open (WRITECACHE, ">>$cache") || die "$cache $!\n";
}

open (LOG, "<$logfile") || die "$logfile $!";
while (<LOG>) {
  chomp;

  if (
    /Failed password for illegal user (.*) from (\S+) port/
    || /Failed password for (.*) from (\S+) port/
    || /Illegal user (.*) from (\S+)/
    || /Did not (receive) identification string from (\S+)/
  ) {

    my $account=$1;
    my $host=$2;

    #Only a plain IPv4 address goes anywhere near $command or the table.
    next unless $host =~ /^\d{1,3}(\.\d{1,3}){3}$/;

    ckwhtlst($account, $host);
    next if $block == 0;
    ckcache($host);
    next if $block == 0;
    ckblklst($host);
    next if $block == 0;
    $block=1;
    $track{$host}++;
    print "$host is now $track{$host} user=$account\n" if $debug;
  }
}
close LOG;

if (!%track) { print "Nothing Found\n"; exit; }

for my $host (sort keys %track) {
  next if $track{$host} < $attempts;
  push (@abuse, $host);
  ckcache($host);
  print WRITECACHE "$host\n" if $block;   #not yet reported today
  if ($action =~ /print/) {
    print "Host $host, past $attempts attempted logins\n";
  }
  if ($action =~ /run/) {
    @runoutput = $useip ? `$command $host` : `$command`;
  }
  if ($action =~ /update/) { update($host); }
}

#Sends emails
if ($action =~ /email/ && @abuse) { send_email(@abuse); }
if ($action =~ /abuse/ && @abuse) { abuse_email(@abuse); }

#Each check leaves $block=0 when the host should be skipped, 1 otherwise.
sub ckwhtlst {
  my ($account, $host)=@_;
  $block=1;
  foreach (@whtlst) {
    next if $_ eq "";
    if (/\Q$account\E|\Q$host\E/) {
      print "$host or $account is on the white list.\n" if $debug;
      $block=0;
      return;
    }
  }
}

sub ckblklst {
  my ($host)=@_;
  $block=1;
  foreach (@blacklist) {
    if (/\Q$host\E/) {
      print "$host $_ is already blacklisted\n" if $debug;
      $block=0;
      return;
    }
  }
}

sub ckcache {
  my ($host)=@_;
  $block=1;
  return if !@cache;
  foreach (@cache) {
    if (/\Q$host\E/) {
      $block=0;
      print "$host is already cached\n" if $debug;
      return;
    }
  }
}

sub update {
  open (OUT, 
#(the archived copy of the script is cut off here; update(), send_email()
# and abuse_email() are not preserved)
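John's question asks for blocking after too many failures "in a limited duration", while Hornet's script counts per day. As an added example, not from the thread and not Hornet's code, here is the sliding-window version in plain sh and awk, which fits a box that (as John Brooks notes) may not have pf at all: it reads sshd lines of the form shown in the post, reports a source address once it has MAX failures inside WINDOW seconds, and prints the pfctl or ipfw command that would block it. The 10.0.0.9 host, the fifth log line, the table name blackhole and the file name sshblock.sh are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread and not Hornet's script: find source
# addresses with too many sshd "Failed password" lines inside a sliding
# time window, and print the firewall command that would block each one.
# Nothing is executed; review the output or pipe it into sh.
#
# Assumptions: syslog lines as in the post ("Mon DD HH:MM:SS host sshd[pid]:
# Failed password for ... from IP port N ssh2"), a log spanning at most
# one year (syslog has no year field; leap days are ignored), and a pf
# table or ipfw rule set that the printed commands refer to (see below).

# Constructed sample log: the three lines from the original post, one from
# a second (made-up) host, and a later retry from the first host.
SAMPLE_LOG='Jun 30 10:36:05 phantom sshd[70478]: Failed password for news from 212.88.182.121 port 51218 ssh2
Jun 30 10:36:16 phantom sshd[70500]: Failed password for sshd from 212.88.182.121 port 51608 ssh2
Jun 30 10:36:39 phantom sshd[70569]: Failed password for root from 212.88.182.121 port 52297 ssh2
Jun 30 10:36:45 phantom sshd[70580]: Failed password for illegal user admin from 10.0.0.9 port 40001 ssh2
Jun 30 10:48:02 phantom sshd[70610]: Failed password for root from 212.88.182.121 port 52399 ssh2'

# ssh_offenders MAX WINDOW_SECONDS [SKIP_IPS]: read a log on stdin and print
# each source IP once, as soon as it has MAX or more failures within
# WINDOW_SECONDS. SKIP_IPS is a space-separated whitelist (your own
# address, so a typo on a remote box cannot lock you out).
ssh_offenders() {
    awk -v max="$1" -v win="$2" -v skip="${3:-}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        split($3, t, ":")
        ts = (cum[mon[$1]] + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        if (index(" " skip " ", " " ip " ")) next
        # per-IP queue of timestamps kept as a string; drop the stale ones
        n = split(q[ip] " " ts, arr, " ")
        q[ip] = ""; cnt = 0
        for (i = 1; i <= n; i++) {
            if (ts - arr[i] <= win) { q[ip] = q[ip] " " arr[i]; cnt++ }
        }
        if (cnt >= max && !(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

# block_cmd pf|ipfw IP: print (do not run) the command that blocks IP.
# The pf form needs "table <blackhole> persist" and a "block in quick from
# <blackhole>" rule in pf.conf; the ipfw form is for boxes without pf.
block_cmd() {
    case "$1" in
        pf)   printf 'pfctl -t %s -T add %s\n' "${BLOCK_TABLE:-blackhole}" "$2" ;;
        ipfw) printf 'ipfw add deny tcp from %s to me 22\n' "$2" ;;
        *)    echo "block_cmd: unknown firewall '$1' (use pf or ipfw)" >&2; return 1 ;;
    esac
}

# Usage: sh sshblock.sh demo                       (sample log, pf commands)
#        MAX=5 WINDOW=60 sh sshblock.sh ipfw < /var/log/auth.log
case "${1:-}" in
    demo)    printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3 60 |
             while read -r ip; do block_cmd pf "$ip"; done ;;
    pf|ipfw) ssh_offenders "${MAX:-5}" "${WINDOW:-60}" "${SKIP:-}" |
             while read -r ip; do block_cmd "$1" "$ip"; done ;;
esac
```

On the sample, `ssh_offenders 3 60` reports 212.88.182.121 once (three failures in 34 seconds) and ignores the single failure from 10.0.0.9; with a 20-second window nothing is reported, since the three attempts are spread over more than that. Before wiring the output into pfctl or ipfw from cron, put the address you administer from in SKIP: the same whitelist idea is why Hornet's script has one, and it matters more when the machine is fifteen hundred miles away.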

RE: autoblocking many ssh failed logins from the same IP....

2005-07-01 Thread John Brooks
they are originating from the high ports, arriving on port 22 at your
box. this is normal. in a default setup sshd only listens on port 22.

--
John Brooks
[EMAIL PROTECTED] 



RE: autoblocking many ssh failed logins from the same IP....

2005-07-01 Thread John Brooks
he is using 4.8, unless things have changed, pf is not available
on 4.x

PS:  Oh, yeah ... FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 GMT 2003 ;
openssh-3.6.1_5 ; openssl-0.9.7d_1


--
John Brooks
[EMAIL PROTECTED]



RE: autoblocking many ssh failed logins from the same IP....

2005-07-01 Thread fbsd_user