Re: Repeated attacks via SSH

From: Matthew Dillon (dillon_at_apollo.backplane.com)
Date: 10/05/05

    Date: Wed, 5 Oct 2005 09:26:56 -0700 (PDT)
    To: Garrett Wollman <wollman@csail.mit.edu>
    
    

    It annoys me to no end so this is what I do:

    /etc/syslog.conf:

        auth.info;authpriv.info |exec /root/adm/sshlockout

    And then I wrote a little program to add a rule to the firewall (you want
    to modify it to add after any of your optimized flow-through rules because
    long chains can occur).

    I clean out the rule (2100 in my case) about once a week so the list doesn't
    get too big.

    Of course, if you have a lot of users they might trip over this occasionally
    themselves, it's designed for administrative machines and servers, not
    general shell boxes. YMMV.

    Most of the attacks appear to come from compromised Windows boxes...
    probably the same BOT networks that spammers use to send spam.

                                                    -Matt

    /*
     * Use: pipe syslog auth output to this program.
     *
     * Detects failed ssh login attempts and maps out the originating IP.
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdarg.h>
    #include <syslog.h>

    int
    main(int ac, char **av)
    {
        char buf[1024];
        char *str;
        int n1;
        int n2;
        int n3;
        int n4;

        openlog("sshlockout", LOG_PID|LOG_CONS, LOG_AUTH);
        syslog(LOG_ERR, "sshlockout starting up");
        freopen("/dev/null", "w", stdout);
        freopen("/dev/null", "w", stderr);

        while (fgets(buf, sizeof(buf), stdin) != NULL) {
            if (strstr(buf, "sshd") == NULL)
                continue;
            if (strstr(buf, "Failed password") == NULL)
                continue;
            if ((str = strstr(buf, "Failed password for root from")) != NULL ||
                (str = strstr(buf, "Failed password for admin from")) != NULL
            ) {
                while (*str && (*str < '0' || *str > '9'))
                    ++str;
                if (sscanf(str, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4) {
                    syslog(LOG_ERR, "Detected ssh password login attempt for root, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
                    snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
                    system(buf);
                }
                continue;
            }
            if ((str = strstr(buf, "Failed password for invalid user")) != NULL) {
                str += 32;
                while (*str == ' ')
                    ++str;
                while (*str && *str != ' ')
                    ++str;
                if (strncmp(str, " from", 5) == 0 &&
                    sscanf(str + 5, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4) {
                    syslog(LOG_ERR, "Detected ssh password login attempt for an invalid user, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
                    snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
                    system(buf);
                }
            }
        }
        syslog(LOG_ERR, "sshlockout exiting");
        return(0);
    }

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
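The following is an added example, not Matt's program and not anything from the FreeBSD project: a stricter variant of the same syslog-pipe lockout idea. It keeps the "Failed password for root/admin/invalid user" filter and the ipfw rule number 2100 from the post, but validates the remote address as a dotted quad (each octet 0..255) and rebuilds it from the parsed octets before it goes anywhere near the firewall, blocks a host only after a threshold of failures (FAIL_THRESHOLD is a constructed value, chosen to address the "users trip over it" caveat above), and runs ipfw through fork()/execv() with an argv array instead of system(), so no shell is involved. The sshd message layout and the /sbin/ipfw path are assumptions; the sample log lines in the test are constructed.

```c
/*
 * Added example (not the original poster's code): threshold-based ssh
 * lockout fed from a syslog pipe.  Assumes OpenSSH-style
 * "Failed password for ... from A.B.C.D port N ssh2" lines and /sbin/ipfw.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <syslog.h>

#define FAIL_THRESHOLD 3        /* constructed: failures before a block */
#define MAX_TRACKED    4096     /* constructed: size of the address table */
#define IPFW_RULE      "2100"   /* rule number from the original post */

/* Per-address failure counter; a small linear table is enough for a pipe. */
struct entry { char ip[16]; int count; int blocked; };
static struct entry table[MAX_TRACKED];
static int ntable;

/* Same three message classes the original program acts on. */
static int wanted(const char *line)
{
    return strstr(line, "Failed password for root from") != NULL ||
           strstr(line, "Failed password for admin from") != NULL ||
           strstr(line, "Failed password for invalid user") != NULL;
}

/* Extract a validated IPv4 address from a wanted sshd line.
 * Returns 1 and writes the canonical dotted quad into ip_out (>= 16 bytes),
 * 0 if the line is not of interest or the address is malformed. */
int parse_failed_login(const char *line, char *ip_out)
{
    const char *from = NULL;
    unsigned a, b, c, d;

    if (strstr(line, "sshd") == NULL || !wanted(line))
        return 0;
    /* The address follows the last " from " on the line. */
    for (const char *p = line; (p = strstr(p, " from ")) != NULL; p += 6)
        from = p + 6;
    if (from == NULL || sscanf(from, "%u.%u.%u.%u", &a, &b, &c, &d) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)   /* rejects 999.x and -1 */
        return 0;
    snprintf(ip_out, 16, "%u.%u.%u.%u", a, b, c, d);
    return 1;
}

/* Count one failure for ip; returns 1 exactly once, when the threshold is
 * first reached, so the firewall rule is added a single time per address. */
int record_failure(const char *ip)
{
    int i;

    for (i = 0; i < ntable; i++)
        if (strcmp(table[i].ip, ip) == 0)
            break;
    if (i == ntable) {
        if (ntable == MAX_TRACKED)
            return 0;                   /* table full: log-only, never crash */
        snprintf(table[i].ip, sizeof(table[i].ip), "%s", ip);
        table[i].count = 0;
        table[i].blocked = 0;
        ntable++;
    }
    table[i].count++;
    if (table[i].count >= FAIL_THRESHOLD && !table[i].blocked) {
        table[i].blocked = 1;
        return 1;
    }
    return 0;
}

/* Add the deny rule via execv(), no shell.  Returns ipfw's exit status,
 * or -1 if the child could not be run or waited for. */
int block_address(const char *ip)
{
    char *argv[] = { "ipfw", "add", IPFW_RULE, "deny", "tcp", "from",
                     (char *)ip, "to", "me", "22", NULL };
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/sbin/ipfw", argv);      /* assumed path */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[1024], ip[16];

    openlog("sshlockout", LOG_PID | LOG_CONS, LOG_AUTH);
    while (fgets(buf, sizeof(buf), stdin) != NULL) {
        if (!parse_failed_login(buf, ip))
            continue;
        if (record_failure(ip)) {
            syslog(LOG_ERR, "%d failed ssh logins from %s, adding ipfw deny",
                   FAIL_THRESHOLD, ip);
            block_address(ip);
        }
    }
    closelog();
    return 0;
}
```

Wire it up exactly as the original: point the `auth.info;authpriv.info |exec ...` syslog.conf line at this binary. Because the counters live in memory, flushing rule 2100 (as the post does weekly) should be paired with restarting the pipe so the table and the firewall stay in step.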

