On Monday 07 November 2005 07:52 pm, Dan Abernathy wrote:
Hello all
I notice several automated break-in attempts appearing in /var/log/messages regarding sshd. A small sample:
Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Hundreds of entries like the above, working their way through every English letter using common first names, also names of services like Apache.
I ran across this Novell Cool Solutions article: http://www.novell.com/coolsolutions/trench/16341.html
It describes the use of a shell script, run once per minute using a cron job, that parses information from /var/log/messages and adds offending IP addresses to /etc/hosts.deny.
I saved the script as ssh-block.sh in my home folder, in a subdirectory named cronjobs. I used su to become root and ran crontab -e, and added the script to run once per minute.
Entries in /var/log/messages confirm that the shell script is indeed being run every minute, but the contents of /etc/hosts.deny haven't changed at all, despite the presence of failed sshd log-ins (also written to /var/log/messages).
Can someone knowledgeable about shell scripts take a look at the URL above and see if there is a problem with the script? If not, what did I do incorrectly? What's the proper way to run this job regularly? I assume it must be run as root, both to read /var/log/messages and to write to /etc/hosts.deny.
Dan
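For anyone following along, here is an added example of the kind of log-to-hosts.deny logic Dan describes (this is not the script from the Novell article, and it is not his script): it pulls source addresses out of sshd "Invalid user" lines, counts them, and prints the hosts.deny entries that would block repeat offenders, skipping addresses already listed. It reads log text on stdin and prints instead of writing, so it can be tried without root; the threshold of 3 and the sample log lines are my own constructed assumptions.

```shell
#!/bin/sh
# Added example, not the Novell Cool Solutions script. Extracts source IPs
# from sshd "Invalid user" lines and prints hosts.deny entries for any IP
# seen THRESHOLD or more times. Dry run by default: nothing is written.
# Note: cron runs jobs with a minimal PATH and environment, so a script that
# works from an interactive root shell may silently fail under cron; use
# absolute paths (or set PATH in the crontab) and check mail for cron errors.

THRESHOLD=3   # assumption: block after this many invalid-user attempts

# Constructed sample log lines in the same syslog format as the post's excerpt.
SAMPLE_LOG='Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189
Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Nov 7 14:34:12 d8400 sshd[18611]: Invalid user apache from 71.129.198.189
Nov 7 14:35:00 d8400 sshd[18620]: Invalid user bob from 192.0.2.7
Nov 7 14:35:01 d8400 sshd[18621]: Accepted publickey for dan from 192.0.2.8 port 51234 ssh2'

# offenders: read syslog lines on stdin, print each source IP that appears
# in THRESHOLD or more "Invalid user" lines (one IP per line).
offenders() {
    grep 'sshd\[[0-9]*\]: Invalid user ' \
    | sed -n 's/.* from \([0-9.]*\).*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# deny_lines: read IPs on stdin and print "sshd: <ip>" lines for those not
# already present (as exact lines) in the hosts.deny file given as $1.
deny_lines() {
    deny_file="$1"
    while read -r ip; do
        [ -n "$ip" ] || continue
        if [ -f "$deny_file" ] && grep -qxF "sshd: $ip" "$deny_file"; then
            continue   # already blocked, avoid duplicate entries
        fi
        printf 'sshd: %s\n' "$ip"
    done
}

# Dry run against the constructed sample. To apply for real, run as root and
# feed the live log, e.g.:  offenders < /var/log/messages \
#   | deny_lines /etc/hosts.deny >> /etc/hosts.deny
printf '%s\n' "$SAMPLE_LOG" | offenders | deny_lines /dev/null
```

Running it prints `sshd: 71.129.198.189` (three attempts) and nothing for 192.0.2.7 (one attempt) or for the successful login line.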
BTW, why not put ssh on a high port (like 12017) and be done with it...? No script-kiddies will find it there or at least it would take them a very long time. Solves a lot of problems at no overhead... unlike running a script every minute.
--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall bmarsh@bmarsh.com Bellaire, MI 11/07/05 20:39 +
+----------------------------------------------------------------------------+
"The bible shows the way to go to heaven, not the way the heavens go." - Galileo