Saturday 27 May 2006

Blocking hackers' access to SSH

Since putting a Suse 10 box on the internet and allowing SSH through the firewall we have been getting attempts like this on a regular basis:

May 27 09:14:20 nprobe sshd[689]: Did not receive identification string from 140.136.158.182
May 27 09:20:40 nprobe sshd[816]: Invalid user aaa from 140.136.158.182
May 27 09:20:43 nprobe sshd[818]: Invalid user aaa from 140.136.158.182
May 27 09:20:46 nprobe sshd[820]: Invalid user aaa from 140.136.158.182
May 27 09:20:49 nprobe sshd[822]: Invalid user aaaudio from 140.136.158.182
May 27 09:20:52 nprobe sshd[824]: Invalid user aaaudio from 140.136.158.182
May 27 09:20:55 nprobe sshd[826]: Invalid user aaaudio from 140.136.158.182

Found a cool script on the Novell cool solutions web site that scans the system logfile and then blocks access from the systems that have been trying to gain access with invalid user names.

I followed the recommendation to modify the script for Suse 10 and this worked for me:

#!/bin/bash
LAST_IP=0.0.0.0
COUNT=1

# Set MAXCOUNT to the maximum failures allowed before blacklisting
MAXCOUNT=5

#
# The lines below put the leading lines in /etc/hosts.deny
# Note: This script overwrites the entire /etc/hosts.deny file on every run,
# so any entries added by hand are lost.
#

echo '
# /etc/hosts.deny
# See "man tcpd" and "man 5 hosts_access" as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL' > /etc/hosts.deny

#
# Scan the /var/log/messages file for failed login attempts via ssh.
# Parse out the IP address, sort so that all lines from one address are
# adjacent, and count the failure occurrences from that IP.
# If the IP fails MAXCOUNT or more times - deny further access.
# The trailing 0.0.0.0 is a sentinel that flushes the count for the last IP.
#

for IP in $(/bin/grep sshd /var/log/messages | /bin/grep "Invalid user" | /bin/sed 's/^.*from //' | /bin/sort) 0.0.0.0; do
    if [ "${LAST_IP}" = "${IP}" ]; then
        let COUNT=${COUNT}+1
    else
        if [ "${COUNT}" -ge "${MAXCOUNT}" ]; then
            echo "ALL: ${LAST_IP}/32" >> /etc/hosts.deny
        fi
        LAST_IP=${IP}
        COUNT=1
    fi
done
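As an added example (not the script from the post or from Novell Cool Solutions), here is the same idea written so that attempts are counted per address across the whole log rather than only in consecutive runs, and so that entries already in the deny file are kept instead of the file being rewritten. The sample log, the 10.0.0.7 address and the file paths are constructed for the demo.

```bash
#!/bin/bash
# Added example, not the Novell script from the post. Counts "Invalid user"
# attempts per source address across the whole log and appends new deny
# entries instead of rewriting the deny file. Paths are assumptions.

# Print "ALL: <ip>/32" for every address with at least MAX failures in LOG.
offenders() {
    local log="$1" max="${2:-5}"
    grep 'sshd\[[0-9]*\]: Invalid user ' "$log" \
        | sed 's/^.*from \([0-9.]*\).*$/\1/' \
        | sort | uniq -c \
        | awk -v max="$max" '$1 >= max { print "ALL: " $2 "/32" }'
}

# Append each entry from offenders() to DENY unless that exact line is
# already present, so repeated runs (e.g. from cron) do not duplicate entries.
apply_deny() {
    local log="$1" max="$2" deny="$3" line
    touch "$deny"
    offenders "$log" "$max" | while IFS= read -r line; do
        grep -qxF "$line" "$deny" || echo "$line" >> "$deny"
    done
}

# Write a constructed sample log to FILE: five attempts from one address
# split across two runs, two from another, plus one line that is not a
# login failure at all (the original script would never reach 5 here).
make_sample_log() {
    cat > "$1" <<'EOF'
May 27 09:14:20 nprobe sshd[689]: Did not receive identification string from 140.136.158.182
May 27 09:20:40 nprobe sshd[816]: Invalid user aaa from 140.136.158.182
May 27 09:20:43 nprobe sshd[818]: Invalid user aaa from 140.136.158.182
May 27 09:20:46 nprobe sshd[820]: Invalid user aaa from 140.136.158.182
May 27 09:21:10 nprobe sshd[830]: Invalid user test from 10.0.0.7
May 27 09:21:13 nprobe sshd[832]: Invalid user test from 10.0.0.7
May 27 09:22:01 nprobe sshd[840]: Invalid user aaaudio from 140.136.158.182
May 27 09:22:04 nprobe sshd[842]: Invalid user aaaudio from 140.136.158.182
EOF
}

# Demo: list offenders from the sample log without touching /etc/hosts.deny.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); make_sample_log "$tmp"; offenders "$tmp" 5; rm -f "$tmp"
fi
```

Run it with --demo to see the single deny line for 140.136.158.182; to use it for real, call apply_deny against /var/log/messages and /etc/hosts.deny after checking that your own management addresses never appear in the output.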
