Re: [SLE] stopping dictionary attacks on sshd
Permissions on the script: -r-xr-xr-x 1 [my username] users 961 2005-11-07 19:09 ssh-block.sh

The cron job entry: */1 * * * * /home/[my username]/cronjobs/ssh-block.sh

If I ls -l on /etc/hosts.deny, I can see that the file is indeed being recreated every time the script runs, based on the time stamp.

If I su to root and run it manually, it runs fine as far as I can tell - nothing is echoed to the screen, there are no error messages, and I'm returned to the prompt after a few seconds.

I did notice the script was grepping for "Illegal user" and the log entries actually say "Invalid user", so I changed that in the script... still no IP addresses listed in /etc/hosts.deny, though. I'm nowhere near enough of a regex expert to be able to tell if the script is actually looking for the pattern it's supposed to be finding.
On Monday 07 November 2005 09:04 pm, Dan Abernathy wrote:
Permissions on the script: -r-xr-xr-x 1 [my username] users 961 2005-11-07 19:09 ssh-block.sh
The cron job entry: */1 * * * * /home/[my username]/cronjobs/ssh-block.sh
If I ls -l on /etc/hosts.deny, I can see that the file is indeed being recreated every time the script runs, based on the time stamp.
If I su to root and run it manually, it runs fine as far as I can tell - nothing is echoed to the screen, there are no error messages, and I'm returned to the prompt after a few seconds.
I did notice the script was grepping for "Illegal user" and the log entries actually say "Invalid user", so I changed that in the script...still no IP addresses listed in /etc/hosts.deny, though. I'm nowhere near enough of a regex expert to be able to tell if the script is actually looking for the pattern it's supposed to be finding.
First off ... my apologies to Dan for the multiple posts. <Insert lame excuse here>

Here are my entries and they are indeed working as expected.

Cron: * * * * * /root/bin/ssh_deny

The above named file (watch for wrapped lines):

#!/bin/bash
LAST_IP=0.0.0.0
COUNT=1
# Set MAXCOUNT to the maximum failures allowed before blacklisting
MAXCOUNT=5
#
# The here-document below puts the leading lines in /etc/hosts.deny
# (a quoted here-document is used so the 'man tcpd' quotes survive).
# Note: This script overwrites the entire /etc/hosts.deny file.
#
cat > /etc/hosts.deny <<'EOF'
# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL
EOF
#
# Scan the /var/log/messages file for failed login attempts via ssh.
# Parse out the IP address (dropping any ::ffff: IPv4-mapped prefix),
# sort so attempts from one IP are adjacent, and count the failure
# occurrences from that IP. If the IP fails MAXCOUNT or more times,
# deny further access. The trailing 0.0.0.0 flushes the last IP seen.
#
for IP in `/bin/grep sshd /var/log/messages | /bin/grep "Invalid user" | /bin/sed -e 's/^.*from //' -e 's/^::ffff://' -e 's/ .*$//' | /usr/bin/sort` 0.0.0.0; do
    if [ "${LAST_IP}" == "${IP}" ]; then
        let COUNT=${COUNT}+1
    else
        if [ ${COUNT} -ge ${MAXCOUNT} ]; then
            echo "ALL: ${LAST_IP}/32" >> /etc/hosts.deny
        fi
        LAST_IP=${IP}
        COUNT=1
    fi
done

--
Louis Richards
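To check what the grep/sed pipeline actually extracts before letting cron write /etc/hosts.deny, here is an added example (not Louis's script or any part of the original thread) that runs the same kind of parsing over constructed syslog lines, counts failures per source IP regardless of ordering, handles both the "Invalid user" and "Illegal user" wording and the ::ffff: prefix, and prints the hosts.deny lines to stdout instead of touching the real file:

```shell
#!/bin/sh
# Added example, not the script from the thread: count sshd invalid-user
# failures per source IP from constructed log lines and emit hosts.deny
# entries for IPs at or above a threshold. Nothing here writes to /etc.

# Constructed sample of /var/log/messages lines (not from a real host).
# Mixes "Invalid"/"Illegal" wording and the ::ffff: IPv4-mapped prefix
# that older sshd versions log when IPv6 is enabled; attackers interleave.
SAMPLE_LOG='Nov  7 19:01:01 box sshd[2001]: Invalid user admin from ::ffff:198.51.100.7
Nov  7 19:01:02 box sshd[2002]: Invalid user test from 203.0.113.9
Nov  7 19:01:03 box sshd[2003]: Illegal user guest from ::ffff:198.51.100.7
Nov  7 19:01:04 box sshd[2004]: Invalid user oracle from 203.0.113.9
Nov  7 19:01:05 box sshd[2005]: Invalid user admin from ::ffff:198.51.100.7
Nov  7 19:01:06 box named[900]: client 203.0.113.9#53: query denied
Nov  7 19:01:07 box sshd[2006]: Accepted publickey for dan from 192.0.2.5 port 4422 ssh2'

# extract_ips LOGTEXT: one IP per line for every sshd invalid/illegal-user
# record, with any ::ffff: prefix and trailing words removed.
extract_ips() {
    printf '%s\n' "$1" \
      | grep 'sshd\[' | grep -E 'I(nvalid|llegal) user' \
      | sed -e 's/^.*from //' -e 's/^::ffff://' -e 's/ .*$//'
}

# count_ips LOGTEXT: "<count> <ip>" per distinct IP, most frequent first.
# Sorting before uniq -c means interleaved attackers are counted correctly,
# unlike adjacency-based counting.
count_ips() {
    extract_ips "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# deny_lines LOGTEXT MAXCOUNT: hosts_access(5) lines for IPs with >= MAXCOUNT failures.
deny_lines() {
    count_ips "$1" | awk -v max="$2" '$1 >= max {print "ALL: " $2}'
}

# Threshold lowered to 3 so the constructed data trips it; on a real host,
# compare this output with /etc/hosts.deny before trusting the cron job.
deny_lines "$SAMPLE_LOG" 3
```

Running it prints `ALL: 198.51.100.7` only, since 203.0.113.9 has two failures and the named and Accepted lines are filtered out.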
On Monday 07 November 2005 6:04 pm, Dan Abernathy wrote:
I did notice the script was grepping for "Illegal user" and the log entries actually say "Invalid user", so I changed that in the script...still no IP addresses listed in /etc/hosts.deny, though. I'm nowhere near enough of a regex expert to be able to tell if the script is actually looking for the pattern it's supposed to be finding.
Well, login_sentry has been doing the job nicely for me, maybe give it or one of the others suggested in this thread a try.

http://www.lumiere.net/~j/login_sentry/

Scott

--
POPFile, the OpenSource EMail Classifier http://popfile.sourceforge.net/
Linux 2.6.11.4-21.9-default x86_64 SuSE Linux 9.3 (x86-64)
participants (3): Dan Abernathy, Louis Richards, Scott Leighton