Welcome to It-Slav.Net blog
Peter Andersson
peter@it-slav.net

I've already got a female to worry about. Her name is the Enterprise.
-- Kirk, "The Corbomite Maneuver", stardate 1514.0
09
Feb

My firewall get alot of failed ssh logins.

This is a typical log message in /var/log/authlog

Feb  9 20:15:49 pedro sshd[30934]: Failed password for root from 67.205.85.119 port 35603 ssh2
Feb  9 20:15:49 pedro sshd[2656]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:51 pedro sshd[15299]: Failed password for root from 67.205.85.119 port 35753 ssh2
Feb  9 20:15:51 pedro sshd[15791]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:53 pedro sshd[9043]: Failed password for root from 67.205.85.119 port 35882 ssh2
Feb  9 20:15:53 pedro sshd[31484]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:54 pedro sshd[27717]: Failed password for root from 67.205.85.119 port 36030 ssh2
Feb  9 20:15:55 pedro sshd[30185]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:56 pedro sshd[27718]: Failed password for root from 67.205.85.119 port 36164 ssh2
Feb  9 20:15:56 pedro sshd[28005]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:58 pedro sshd[30648]: Failed password for root from 67.205.85.119 port 36314 ssh2
Feb  9 20:15:58 pedro sshd[21087]: Received disconnect from 67.205.85.119: 11: Bye Bye

Of course this is a script kiddie that tries to break into my firewall just because it answers on port 22 and it is annoying. One way of make it a little harder to break in is by let the packetfilter drop all packages that comes from an ip-address that did this.

This one way of doing it.


Create a pf blacklist /etc/pf.conf

–snipp–

table <ssh_blacklist> persist file "/var/pf/ssh_blacklist"
...
block in quick log on $ext_if from <ssh_blacklist> to any

–snipp–


Create a script that detects failed ssh breakin attempts and updates the blacklist

root@pedro:/var/log# cat /root/scripts/blockbadssh.sh
#!/bin/sh
logger "Check for bad ssh behavior"
PATH=/bin:/usr/bin
BL=/var/pf/ssh_blacklist
TEMPFILE=$(mktemp /tmp/bl_XXXXXX) || exit 1
TEMPFILE2=$(mktemp /tmp/bl2_XXXXXX) || exit 1

#cp $BL $TEMPFILE
grep "Invalid user" /var/log/authlog | awk '{print $10}' | sort | uniq > $TEMPFILE2
grep "Failed password for invalid" /var/log/authlog | awk '{print $13}' | sort | uniq  >> $TEMPFILE2
grep "Failed password for root" /var/log/authlog | awk '{print $11}' | sort | uniq  >> $TEMPFILE2

sort $TEMPFILE2 |uniq > $TEMPFILE
#echo "Nu är TEMPFILE"
#cat $TEMPFILE

#cat $BL >> $TEMPFILE
for i in `cat $TEMPFILE`
do
  grep $i $BL>/dev/null
  if [ "$?" == "1" ]
  then
    logger "Added $i to ssh-blacklist"
    echo "Added $i to ssh-blacklist"
  fi
done

cat $BL >> $TEMPFILE
sort $TEMPFILE | uniq > $BL

rm $TEMPFILE
rm $TEMPFILE2

/sbin/pfctl -t ssh_blacklist -Treplace -f $BL 2>&1 | grep -v "no changes"

Make it run every minute

root@pedro:/var/log# crontab -l 
*     *       *       *       *       /root/scripts/blockbadssh.sh

I know this is a dirty way of doing it and it is a good idea to have another pf rule that accept traffic from well known hosts so you do not get blocked because you failed a login.

Share

Leave a Reply


× nine = 63





Book reviews
FreePBX 2.5
Powerful Telephony Solutions






Asterisk 1.6
Build a feature rich telephony system with Asterisk






Learning NAGIOS 3.0





Cacti 0.8 Network Monitoring,
Monitor your network with ease!