ssh security
Christian Motta
chris at agweb.net
Tue Dec 27 01:42:27 UTC 2005
I wrote this script to thwart the brute force ssh hackers. It isn't the
most efficient but it works. It blocks their IP using iptables. I run it
every min via cron.
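
#!/usr/bin/perl
use strict;
use warnings;

### vars
my $lines = 5000;           # lines to tail
my $pos   = 10;             # count lines that are positive to kick ip
my $lp    = $lines + 1000;

# last $lines "Failed password" entries found in the last $lp lines of the log
my $log = `tail -n $lp /var/log/secure | grep 'Failed password' | tail -n $lines`;
my @nage = split(/\n/, $log);

my @ips;
foreach my $line (@nage) {
    # Take the last dotted quad on the line (the "from <ip> port" field); the
    # user name earlier in the line is supplied by the client. Lines without
    # an address are skipped so a stale $1 is never pushed.
    push @ips, $1 if $line =~ /.*\b(\d+\.\d+\.\d+\.\d+)\b/;
}
my @ips_1 = @ips;
my @ips_2 = @ips;

# gets a unique ip list
my @sips;
foreach my $snip (@ips) {
    my $n = 0;
    my $t = 0;
    while (defined $ips_1[$n]) {
        # string comparison: == would numify "1.2.3.4" to 1.2
        if ($snip eq $ips_1[$n]) {
            if ($t == 0) {    # print "$snip==$ips_1[$n]\n";
                my $move = 0;
                foreach my $cnip (@sips) {
                    if ($snip eq $cnip) {
                        $move++;
                    }
                }
                if ($move == 0) {
                    push @sips, $snip;
                }
                $t++;
            }
        }
        $n++;
    }
}

# takes the unique list and counts against the full ip list
my $nn = 0;
my $cur;
foreach my $nip (@sips) {
    my $m = 0;
    my $n = 0;
    while (defined $ips_2[$n]) {
        if ($nip eq $ips_2[$n]) { $m++; }
        $n++;
    }
    if ($pos < $m) {
        if ($nn == 0) {
            # read the current rules once
            $cur = `/sbin/iptables -L -n`;
            $nn++;
        }
        # \Q..\E keeps the dots literal; \b stops 1.2.3.4 matching 1.2.3.40
        if ($cur !~ /\b\Q$nip\E\b/) {
            `/sbin/iptables -t filter -I INPUT -s $nip -j DROP`;
        }
    }
}
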
Gerald wrote:
>good suggestion.. I limited the users and restricted root.
>
>does anyone know how to change the default "login as:" banner to something else?
>
>Gerald
>
>On 12/26/05, Mail List <lists at sapience.com> wrote:
>
>
>>On Monday 26 December 2005 00:24, Gerald wrote:
>>
>>
>>>It looks like I'm getting a dictionary attack on my system. I moved
>>>ssh to another port instead of 22 in hopes that would put a halt to it
>>>
>>>
>> You probably don't want to advertise the port you chose either as per your
>>mail.
>>
>> You may also wish to set:
>>
>> PermitRootLogin no
>> AllowUsers gerald other1 other2 etc
>>
>> (i.e. limit to users you care about with known strong passwords or keys only
>>as someone else suggested).
>>
>> Dumb question - did you service sshd restart to make sure your changes were
>>picked up?
>>
>> \g/
>>
>>--
>>fedora-list mailing list
>>fedora-list at redhat.com
>>To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>
>>
>>
>
>
>--
>-Gerald
>
>
>
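
The counting step of the script at the top of this message, as an added example (not code from the original post): it reads the source address from the end of each "Failed password" line, so an IP-shaped user name earlier in the line cannot get an unrelated address blocked. The log lines are constructed, the function names are hypothetical, and the `from <addr> port <n> ssh2` line ending is assumed.

```python
import ipaddress
import re
from collections import Counter

# sshd ends the line with "from <addr> port <n> ssh2"; the user name before it
# is chosen by the remote client, so only the tail of the line is trusted.
TAIL = re.compile(r" from (\S+) port \d+(?: ssh\d*)?\s*$")

def source_ip(line):
    """Return the client IPv4 address of a 'Failed password' line, or None."""
    if "Failed password" not in line:
        return None
    m = TAIL.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None                      # not an address at all
    if addr.version == 6:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d form, else None
    return str(addr) if addr else None   # plain IPv6 is skipped (IPv4 rules only)

def offenders(lines, threshold=10, already_blocked=()):
    """Addresses with more than `threshold` failures that are not yet blocked."""
    counts = Counter(ip for ip in map(source_ip, lines) if ip)
    return sorted(ip for ip, n in counts.items()
                  if n > threshold and ip not in already_blocked)

# Constructed sample: 11 failures each from two sources (one with an IP-shaped
# user name and an IPv4-mapped source) plus successful logins to be ignored.
SAMPLE = (
    ["Dec 26 00:24:01 host sshd[411]: Failed password for root "
     "from 203.0.113.7 port 4242 ssh2"] * 11
    + ["Dec 26 00:24:09 host sshd[412]: Failed password for invalid user "
       "10.0.0.1 from ::ffff:198.51.100.9 port 5151 ssh2"] * 11
    + ["Dec 26 00:25:00 host sshd[413]: Accepted password for gerald "
       "from 192.0.2.5 port 6000 ssh2"] * 20
)

if __name__ == "__main__":
    print(offenders(SAMPLE))
```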