I wrote this script to thwart the brute-force SSH hackers. It isn't the most efficient, but it works. It blocks their IP using iptables. I run it every minute via cron.
#!/usr/bin/perl
use strict;
use warnings;

###vars
my $lines = 5000;            # lines to tail
my $pos   = 10;              # count lines that are positive to kick ip
my $lp    = $lines + 1000;

my $log = `tail -n $lp /var/log/secure | grep 'Failed password' | tail -n $lines`;

# count failed logins per source ip; the dots are escaped and the
# octets bounded so the capture can only be an IPv4 literal
my %count;
foreach my $line (split /\n/, $log) {
    next unless $line =~ /(\d{1,3}(?:\.\d{1,3}){3})/;
    $count{$1}++;
}

# fetch the current rules once; ips are strings, so compare them with
# 'eq' or a regex, never with '==' (numeric compare stops at the second dot,
# which made 192.168.1.1 and 192.168.2.5 look equal)
my $cur = `/sbin/iptables -L -n`;

# block every ip with more than $pos failures that is not already in the chain
foreach my $nip (sort keys %count) {
    next unless $pos < $count{$nip};
    # match the whole address, otherwise 1.2.3.4 "matches" 11.2.3.45
    next if $cur =~ /(?<![\d.])\Q$nip\E(?![\d.])/;
    system('/sbin/iptables', '-t', 'filter', '-I', 'INPUT', '-s', $nip, '-j', 'DROP');
    $cur .= "$nip\n";        # remember it so it is not inserted twice this run
}
Gerald wrote:
Good suggestion. I limited the users and restricted root.
Does anyone know how to change the default "login as:" banner to something else?
Gerald
On 12/26/05, Mail List lists@sapience.com wrote:
On Monday 26 December 2005 00:24, Gerald wrote:
It looks like I'm getting a dictionary attack on my system. I moved ssh to another port instead of 22 in hopes that would put a halt to it.
You probably don't want to advertise the port you chose either as per your mail.
You may also wish to set:
PermitRootLogin no
AllowUsers gerald other1 other2 etc
(i.e. limit to users you care about, with known strong passwords, or keys only, as someone else suggested).
Dumb question - did you service sshd restart to make sure your changes were picked up?
\g/
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
-- -Gerald
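An added example, not code from the original post or from Fedora: the same decision the Perl script at the top of the thread makes (count 'Failed password' lines per source IP from /var/log/secure, then block the ones over a threshold that are not already in the iptables -L -n output), written in Python over a constructed sample of log lines and a constructed iptables listing. The allowlist, the whole-address match against the listing, and the argv-style command builder are my additions and assumptions, not from the post; the sample log lines and listing are made up for the example, not captured from a host.

```python
#!/usr/bin/env python3
"""Decide which SSH brute-force sources to block from /var/log/secure lines.

Added example, not the Perl script from the post.  SAMPLE_SECURE and
SAMPLE_IPTABLES_L are constructed for this illustration, not captured.
"""
import re
from collections import Counter

# Constructed sample of /var/log/secure entries (syslog format).
SAMPLE_SECURE = """\
Dec 26 00:20:01 box sshd[4711]: Failed password for root from 10.0.0.9 port 40122 ssh2
Dec 26 00:20:02 box sshd[4712]: Failed password for invalid user admin from 10.0.0.9 port 40130 ssh2
Dec 26 00:20:03 box sshd[4713]: Failed password for root from 10.0.0.9 port 40140 ssh2
Dec 26 00:20:04 box sshd[4714]: Failed password for root from 10.0.0.9 port 40141 ssh2
Dec 26 00:20:05 box sshd[4715]: Failed password for root from 10.0.0.99 port 40150 ssh2
Dec 26 00:20:06 box sshd[4716]: Failed password for root from 10.0.0.99 port 40151 ssh2
Dec 26 00:20:07 box sshd[4717]: Failed password for root from 10.0.0.99 port 40152 ssh2
Dec 26 00:20:08 box sshd[4718]: Failed password for root from 10.0.0.99 port 40153 ssh2
Dec 26 00:20:09 box sshd[4719]: Failed password for gerald from 192.168.1.20 port 51000 ssh2
Dec 26 00:20:10 box sshd[4720]: Failed password for gerald from 192.168.1.20 port 51001 ssh2
Dec 26 00:20:11 box sshd[4721]: Failed password for gerald from 192.168.1.20 port 51002 ssh2
Dec 26 00:20:12 box sshd[4722]: Failed password for gerald from 192.168.1.20 port 51003 ssh2
Dec 26 00:20:13 box sshd[4723]: Accepted publickey for gerald from 192.168.1.20 port 51004 ssh2
Dec 26 00:20:14 box sshd[4724]: Invalid user test from 10.0.0.9
"""

# Constructed 'iptables -L -n' output: 10.0.0.99 already has a DROP rule.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.99            0.0.0.0/0
"""

# Only an sshd 'Failed password' line counts, and the address is taken from
# the 'from' field so a digit in the hostname or username is never mistaken
# for the source.  Dots are escaped and octets bounded to 1-3 digits.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of source IP -> number of 'Failed password' lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def already_blocked(ip, iptables_listing):
    """True if ip appears as a whole address in 'iptables -L -n' output.

    A bare substring test would report 10.0.0.9 as blocked when only
    10.0.0.99 has a rule, so the match is bounded on both sides.
    """
    pattern = r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"
    return re.search(pattern, iptables_listing) is not None


def candidates(log_text, iptables_listing, threshold=10, allowlist=()):
    """IPs with more than `threshold` failures, not allowlisted, not yet blocked.

    `allowlist` (an assumption added here) holds your own management
    addresses so a few typos from home never lock you out.
    """
    counts = count_failures(log_text)
    return [
        ip
        for ip, n in sorted(counts.items())
        if n > threshold
        and ip not in allowlist
        and not already_blocked(ip, iptables_listing)
    ]


def iptables_cmd(ip):
    """argv for the DROP rule; pass it to subprocess.run as a list, not via a shell."""
    return ["/sbin/iptables", "-t", "filter", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    # Dry run over the constructed samples: prints the commands it would issue.
    for ip in candidates(SAMPLE_SECURE, SAMPLE_IPTABLES_L,
                         threshold=3, allowlist={"192.168.1.20"}):
        print(" ".join(iptables_cmd(ip)))
```

Against the sample with threshold=3 only 10.0.0.9 comes out: 192.168.1.20 is allowlisted, and 10.0.0.99 is skipped because it already has a DROP rule. A plain substring test against the listing would have skipped 10.0.0.9 as well, since it is a prefix of 10.0.0.99, which is the same trap the original $cur!~/$nip/ check falls into. Note that the "Invalid user" line is not counted: only password failures reach the threshold, so a scanner probing usernames without sending passwords stays under it.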