On Mon, 2005-12-26 at 17:56 -0800, jdow wrote:
From: "Christian Motta" chris@agweb.net
I wrote this script to thwart the brute force ssh hackers. It isn't the most efficient, but it works. It blocks their IP using iptables. I run it every minute via cron.
#!/usr/bin/perl
Thanks for the nice script Chris. I may add that to deepen my defenses.
I have found, however, that a simple three line iptables addition seems to work like a champ, except for filling up the log.
A nice dynamic iptables tool to monitor sshd and block attacks is sshdfilter. http://www.csc.liv.ac.uk/~greg/sshdfilter/
I use it on several servers and it works really well to detect and block attacks. With it, an attempt to log in with an unknown account gets instantly blocked, and with a known account (root or some other user) they only get 6 attempts before it is blocked. Most of the attacks on my systems don't even get 2 attempts before they are blocked. I don't have root enabled for remote access, so there is no worry there.
To avoid an enormously long iptables rule list, the blocked addresses are unblocked after 3 days.
===8<---
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---
I've been taking to looking at where large numbers of rejected connections come from and have been adding them to the firewall manually. Your script can probably be adapted.
(It is amusing how long idiots will keep trying. I had a twit from India trying nearly 10,000 times today before I finally blocked him. He got two chances in that entire set to actually try to guess a password. He made two runs. And right at the start of the two runs he tried and got the predictable password failure. After that for an hour or more at a stretch he simply pounded that reject rule never getting into the system at all. Poor baby. It did prompt me to simply add blanket blocks for much of the APNIC space that's allocated to Asian countries I never expect to visit. It makes life easier.)
{^_-}
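As an added illustration that is not code from the thread, here is a small Python model of how the three `-m recent` rules above behave over time: it plays constructed SYN arrivals through the --set / --rcheck sequence and shows that the rules count connection attempts, not failed logins, so a legitimate user who opens three sessions inside the 120-second window is rejected too, while a source that keeps retrying keeps refreshing its own block. The 20-entry per-address history cap (the module's default ip_pkt_list_tot) and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Simplified model of the iptables "recent" match used by the rules in the
# thread. Assumption: per-address history is capped at 20 timestamps, the
# kernel module's default ip_pkt_list_tot (this is a constructed model, not
# the real netfilter code).
HISTORY_CAP = 20

class RecentList:
    """One named list such as 'sshattack': source address -> hit timestamps."""
    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=HISTORY_CAP))

    def set(self, addr, now):
        # --set: record this packet's timestamp for the source address.
        self.hits[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount):
        # --rcheck --seconds N --hitcount M: match if the address has at
        # least M recorded hits within the last N seconds. Does not update.
        recent = [t for t in self.hits.get(addr, ()) if now - t <= seconds]
        return len(recent) >= hitcount

def syn_verdict(lst, addr, now, seconds=120, hitcount=3):
    """Walk one SYN to port 22 through the three rules in order."""
    lst.set(addr, now)                            # rule 1: --set, always runs
    if lst.rcheck(addr, now, seconds, hitcount):  # rules 2 (LOG) and 3 (REJECT)
        return "REJECT"
    return "PASS"  # falls through to whatever rules follow (e.g. ACCEPT)

def simulate(events, seconds=120, hitcount=3):
    """events: list of (time_seconds, source_addr); returns a verdict per event."""
    lst = RecentList()
    return [(t, addr, syn_verdict(lst, addr, t, seconds, hitcount))
            for t, addr in events]

if __name__ == "__main__":
    # Constructed traffic: a scanner opening a new connection every 10 s,
    # and an admin who opens three sessions within two minutes.
    events = sorted([(i * 10, "198.51.100.7") for i in range(8)]
                    + [(5, "192.0.2.10"), (60, "192.0.2.10"), (100, "192.0.2.10")])
    for t, addr, verdict in simulate(events):
        print(f"t={t:4d}s {addr:14s} {verdict}")
```

Running it shows the admin's third session at t=100 rejected alongside the scanner, which is why a connection-rate rule like this is best paired with something that keys on authentication failures, as sshdfilter does.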