Date: Fri, 31 Mar 2006 10:22:59 -0500
From: "Bob Johnson" <fbsdlists@gmail.com>
To: "Nathan Vidican" <nvidican@wmptl.com>
Cc: questions@freebsd.org, bobo1002@mailtest2.eng.ufl.edu
Subject: Re: repeated ssh login attempts/failure/break-in attempts from kiddy script
Message-ID: <54db43990603310722s2ef33dar3ef5f5d8b4856a99@mail.gmail.com>
In-Reply-To: <442D31C6.5050700@wmptl.com>
References: <442D31C6.5050700@wmptl.com>
On 3/31/06, Nathan Vidican <nvidican@wmptl.com> wrote:
> Noted recently in auth.log, a string of connection attempts repeated/failed over
> and over from one host - looks like a script someone's running, tries all kinds
> of various usernames, etc... attempts like 100-200 logins, fails and goes away.

This is common. IIRC, it's a worm that infects Linux systems.

> here and just happen to notice them - simple ipfw add deny... does the trick,
> but is there not a way to limit the login attempts for a certain period of
> time?
>
> ie: after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes, deny
> all attempts and drop connection from said IP... possible?

I use the following very crude solution, which is loosely based on a solution someone else posted somewhere (I don't remember). It blocks any IP that does SSH logins to nonexistent users more than nine times in a five minute window.

In /etc/crontab, you need something like:

    # Filter any system that generates excessive illegal user login attempts
    */5 * * * * root /usr/local/sbin/sshblock

And the sshblock script looks like:

    #!/bin/sh
    PATH=/bin:/sbin:/usr/bin:/usr/sbin

    # Count "Illegal user" entries per source address (the address is the
    # last space-separated field of each auth.log line)
    cat /var/log/auth.log | grep "Illegal user" | rev | cut -d' ' -f 1 | rev | sort | uniq -c | \
    ( while read count ip; do
        if [ $count -gt 9 ]; then
            # -w matches the whole address, so 10.0.0.1 is not mistaken
            # for an existing 10.0.0.10 table entry
            if ! ipfw table 1 list | grep -qw "$ip" ; then
                echo blocking $ip for $count bogus ssh login attempts in past 5 minutes
                logger -p auth.warn blocking $ip for $count bogus ssh attempts in five minutes
                ipfw table 1 add $ip
            fi
        fi
    done )

And in your ipfw table you need something like:

    deny ip from table(1) to any

in addition to whatever else you have. I put it just before my allow tcp from any to any established line.

The echo command in the script causes cron to email you an alert every time someone is blocked, take that out if you don't want it.
If you reboot the system, this will forget all of the blocked addresses, read the entire log file, and send new notices about old attacks, but other than that it works well for me. People have written more sophisticated scripts that store the IPs in files to restore the list after a reboot, but I rarely reboot so I don't really need that. A search on Google should turn up some of them. Some attackers manage to get in a few hundred hits in their five minute window, but it's much better than the thousands (sometimes tens of thousands) they used to hit me with during hours of attacks. - Bob
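A Python rework of the sshblock logic, added here as an example and not Bob's script: it keeps the same "more than nine Illegal user hits" rule but only counts entries inside the five-minute window, which is what stops the reboot problem described above (re-reading the whole log and alerting on old attacks). The log lines, host name, PIDs and addresses are constructed samples, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the auth.log lines the cron script's `grep "Illegal user"` matches.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Illegal user \S+ from (\S+)$"
)


def block_candidates(lines, now, window_minutes=5, threshold=9, already_blocked=frozenset()):
    """IPs with more than `threshold` 'Illegal user' hits in the window ending at `now`.

    Unlike the cron script, which counts the whole log on every run, only entries
    inside the window are counted, so old entries stop producing new blocks/alerts.
    `already_blocked` stands in for `ipfw table 1 list | grep -q $ip`, but as exact
    membership (an unanchored grep would let 10.0.0.1 match an existing 10.0.0.10).
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog stamps carry no year; assume the current one (off across New Year).
        stamp = datetime.strptime(f"{now.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if 0 <= (now - stamp).total_seconds() <= window_minutes * 60:
            counts[m.group(2)] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in already_blocked)


def ipfw_commands(ips, table=1):
    """The `ipfw table N add` lines the cron script would run for these IPs."""
    return [f"ipfw table {table} add {ip}" for ip in ips]


# Constructed sample log (not real data): host name, PIDs and addresses are made up.
def _line(stamp, user, ip):
    return f"{stamp} bsdhost sshd[4242]: Illegal user {user} from {ip}"


SAMPLE_LOG = (
    [_line(f"Mar 31 10:1{6 + i % 4}:{i:02d}", f"u{i}", "192.0.2.10") for i in range(10)]  # 10 hits, recent
    + [_line(f"Mar 31 09:00:{i:02d}", "admin", "198.51.100.7") for i in range(12)]     # 12 hits, 80 min old
    + [_line(f"Mar 31 10:18:{i:02d}", "guest", "203.0.113.5") for i in range(3)]       # 3 hits, under threshold
    + ["Mar 31 10:19:30 bsdhost sshd[4243]: Accepted publickey for bob from 192.0.2.99 port 2222 ssh2"]
)
NOW = datetime(2006, 3, 31, 10, 20, 0)

if __name__ == "__main__":
    for cmd in ipfw_commands(block_candidates(SAMPLE_LOG, NOW)):
        print(cmd)  # prints: ipfw table 1 add 192.0.2.10
```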