Saturday, 27 May 2006

Blocking hackers' access to SSH

Since putting a Suse 10 box on the internet and allowing SSH through the firewall, we have been getting attempts like this on a regular basis:

May 27 09:14:20 nprobe sshd[689]: Did not receive identification string from
May 27 09:20:40 nprobe sshd[816]: Invalid user aaa from
May 27 09:20:43 nprobe sshd[818]: Invalid user aaa from
May 27 09:20:46 nprobe sshd[820]: Invalid user aaa from
May 27 09:20:49 nprobe sshd[822]: Invalid user aaaudio from
May 27 09:20:52 nprobe sshd[824]: Invalid user aaaudio from
May 27 09:20:55 nprobe sshd[826]: Invalid user aaaudio from

Found a cool script on the Novell cool solutions web site that scans the system logfile and then blocks access from the systems that have been trying to gain access with invalid user names.

I followed the recommendation to modify the script for Suse 10 and this worked for me:


#!/bin/bash
# Set MAXCOUNT to the maximum failures allowed before blacklisting
MAXCOUNT=5

# The echo below writes the leading lines of /etc/hosts.deny
# Note: This script overwrites the entire /etc/hosts.deny file.

echo '
# /etc/hosts.deny
# See "man tcpd" and "man 5 hosts_access" as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL' > /etc/hosts.deny

# Scan the /var/log/messages file for failed login attempts via ssh.
# Parse out the IP address, sort so repeats of the same IP are adjacent,
# and count the failure occurrences from that IP.
# If the IP fails MAXCOUNT (5) or more times - deny further access

LAST_IP=""
COUNT=0
for IP in `/bin/grep sshd /var/log/messages | /bin/grep "Invalid user" | /bin/sed 's/^.*from //' | /usr/bin/sort`; do
    if [ "${LAST_IP}" = "${IP}" ]; then
        let COUNT=${COUNT}+1
    else
        LAST_IP=${IP}
        COUNT=1
    fi
    # Write the deny line once, when the threshold is first reached
    if [ ${COUNT} -eq ${MAXCOUNT} ]; then
        echo "ALL: ${LAST_IP}/32" >> /etc/hosts.deny
    fi
done
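The same idea, counting "Invalid user ... from <IP>" lines per source address and emitting one hosts.deny entry per address that reaches a threshold, written here as an added example rather than the script from the post or the Novell Cool Solutions page. It uses awk to keep a per-address count, so the log does not need to be sorted and the deny line is produced exactly once per address; it only prints the lines, so writing them into /etc/hosts.deny is left to the caller. The function names, the threshold argument and the sample log (addresses from the RFC 5737 documentation ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example, not the blog's script: count sshd "Invalid user <name> from <IP>"
# lines per source address and print a hosts.deny line for each address that
# reached the threshold. Output is printed, not written to /etc/hosts.deny.

# ssh_deny_lines LOGFILE [MAXCOUNT]   (MAXCOUNT defaults to 5)
ssh_deny_lines() {
    logfile="$1"
    maxcount="${2:-5}"
    awk -v max="$maxcount" '
        # Only sshd lines that report an invalid user name are counted
        /sshd\[[0-9]+\]: Invalid user / {
            # The address is the word after "from"; this works for both the
            # old "... from 1.2.3.4" and the newer "... from 1.2.3.4 port 1234"
            for (i = 1; i < NF; i++) {
                if ($i == "from") { count[$(i + 1)]++; break }
            }
        }
        END {
            # One deny entry per address at or above the threshold
            for (ip in count) {
                if (count[ip] >= max) print "ALL: " ip "/32"
            }
        }
    ' "$logfile" | sort
}

# make_sample_log: writes a constructed log (not real traffic; addresses from
# the RFC 5737 documentation ranges) to a temporary file and prints its path.
make_sample_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
May 27 09:14:20 nprobe sshd[689]: Did not receive identification string from 203.0.113.5
May 27 09:20:40 nprobe sshd[816]: Invalid user aaa from 203.0.113.5
May 27 09:20:43 nprobe sshd[818]: Invalid user aaa from 203.0.113.5
May 27 09:20:46 nprobe sshd[820]: Invalid user aaa from 203.0.113.5
May 27 09:20:49 nprobe sshd[822]: Invalid user aaaudio from 198.51.100.7
May 27 09:20:52 nprobe sshd[824]: Invalid user aaaudio from 203.0.113.5
May 27 09:20:55 nprobe sshd[826]: Invalid user aaaudio from 203.0.113.5 port 51234
May 27 09:21:01 nprobe sshd[830]: Accepted publickey for admin from 192.0.2.10 port 40000 ssh2
EOF
    echo "$tmp"
}

# Usage: 203.0.113.5 has five invalid-user failures, 198.51.100.7 only one,
# so with the default threshold only "ALL: 203.0.113.5/32" is printed.
log=$(make_sample_log)
ssh_deny_lines "$log"
rm -f "$log"
```

Two things to keep in mind when using either script: hosts.deny only has an effect if sshd was built with TCP wrappers (libwrap), which was the case for the SUSE 10 era but was dropped from OpenSSH in 6.7, so on a current system the same list would have to be fed into a firewall rule instead; and because the whole of /var/log/messages is rescanned on every run, an address stays blocked until the log rotates, which is usually what you want but is worth knowing.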
