ssh security

Christian Motta chris at agweb.net
Tue Dec 27 01:42:27 UTC 2005 

I wrote this script to thwart the brute force ssh hackers.  It isn't the 
most efficient but it works. it blocks their ip using iptables. I run it 
every min via cron



#!/usr/bin/perl

###vars

$lines=5000; #lines to tail
$pos=10; #count lines that are positive to kick ip
$lp=$lines+1000;


$log=`tail -n $lp /var/log/secure | grep 'Failed password' | tail -n 
$lines`;


@nage = split (/\n/,$log);
foreach $ip (@nage) {
        $ip=~ /(\d*\.\d*\.\d*\.\d*)/;
        push @ips,$1;
}

@ips_1=@ips;
@ips_2=@ips;

#gets a unique ip list
foreach $snip (@ips) {
        $n=0;
        $t=0;
        while (@ips_1[$n]) {
                if ($snip == $ips_1[$n]) {
                        if ($t==0) { #print "$snip==$ips_1[$n]\n";
                                $move=0;
                                foreach $cnip (@sips) {
                                        if ($snip==$cnip) {
                                                $move++;
                                        }
                                }
                                if ($move==0) {
                                        push @sips, $snip;
                                }
                                $t++;
                        }
                }
                $n++;
        }
}


#takes the unique list and counts against the full ip list
$nn=0;
foreach $nip (@sips) {
        $m=0;
        $n=0;
        while (@ips_2[$n]) {
                if ($nip==@ips_2[$n]) {$m++;}
                $n++;
        }
        if ($pos<$m) {
                if ($nn==0) {
                        $cur=`/sbin/iptables -L -n`;
                }
                if ($cur!~/$nip/) {`/sbin/iptables -t filter -I INPUT -s 
$nip -j DROP`;}
        }
}

Gerald wrote:

>good suggestion.. I limited the users and restricted root.
>
>does anyone know how to change the defualt "login as:" banner to something else?
>
>Gerald
>
>On 12/26/05, Mail List <lists at sapience.com> wrote:
>  
>
>>On Monday 26 December 2005 00:24, Gerald wrote:
>>    
>>
>>>It looks like i'm getting a dictionary attack on my system. I moved
>>>ssh to another port instead of 22 in hopes that would put a halt to it
>>>      
>>>
>>  You probably don't want to advertise the port you chose either as per your
>>mail.
>>
>>   You may also wish to set:
>>
>>     PermitRootLogin no
>>     AllowUsers gerald other1 other2 etc
>>
>>  (i.e. limit to users you care about with known strong passwords or keys only
>>as someone else suggested).
>>
>>  DUmb question - did you service sshd restart to make sure your changes were
>>picked up?
>>
>> \g/
>>
>>--
>>fedora-list mailing list
>>fedora-list at redhat.com
>>To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>
>>    
>>
>
>
>--
>-Gerald
>
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/users/attachments/20051226/c2aa30f0/attachment-0002.html

More information about the users mailing list