From: Bruce S. <bw...@ar...> - 2005-10-07 13:37:42

I personally handle the bots that do SSH dictionary attacks differently. I
block the SSH port for a period of time after receiving a number of
connections on port 22 within a certain period of time. The advantage of this
way is it's _completely_ written in iptables. No external daemon/cron/program
is required! Plus you don't have to rely on a port scan to trigger it (not all
SSH bots port scan first). The disadvantage is it cannot tell the difference
between a successful login and an unsuccessful login, but that's rarely a
problem, since I don't normally log in and log out frequently. Let me know if
you're interested, and I'll post it.

BTW, an easier way to foil the SSH login bots is to simply run SSH on a high
port since the bots only scan port 22. :-)

- BS

> I've been furiously hacking Serge Leschinsky's dyn_firewall script that he
> posted last week. I wanted to add a feature where it blocked ssh for a
> while - 1 hr - if a port scan was detected. The idea is that commonly
> attackers do a port scan shortly before their login attempts - in my
> limited experience 6..53 mins can elapse. I thought allowing a short
> interval - 3 minutes - after the port scan for a successful login would
> still permit legitimate scanners to not be blocked.
>
> Anyway it seems to work (very limited testing) - if nothing else it
> reduces the clutter in syslog as there are no failed login attempts with
> all their associated messages:
>
> Oct 7 00:23:07 sshd[1126]: Did not receive identification string from
> 194.143.150.172
> Oct 7 00:26:57 dynfw: 194.143.150.172 was blocked
> Oct 7 01:27:57 dynfw: 194.143.150.172 was unblocked
>
> In order to achieve this I've put the sshd message filter capability
> entirely in the script rather than burdening syslog-ng with it. You'll
> need to modify syslog-ng.conf if you want to use it. I've also added a
> timer, mostly to implement the time limits for the port scan block, but
> also so unblocking does not have to wait for the next failed login attempt.
>
> Other things I've done are:
>
> 1) to put the trusted nets list into a separate file (mynets.cfg) so
> it's not necessary to edit the script for them and to place all the
> configuration variables together at the top of the script. This file
> contains a list, one per line, of cidr notation nets.
>
> 2) added debug message capability which can be enabled/disabled
> on-the-fly. Also added the ability to block/unblock addresses by
> command. Mostly for debugging.
>
> 3) added loads of comments, changed some names and done some cosmetic
> updates.
>
> Apart from all that the script is much the same. I've called it dynfw
> (it replaces fire-pipe.pl) and I offer it to the list.
>
> Dick
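Bruce offers his rules but they are not in this thread, so the following is an added example (not Bruce's or Dick's code) of the approach he describes: per-source throttling of new SSH connections done entirely in iptables with the `recent` match. The chain name SSH_LIMIT, the defaults (port 22, 4 new connections within 60 seconds) and the sample trusted-nets file are assumptions; the file uses the same one-CIDR-per-line layout Dick describes for mynets.cfg, so trusted sources bypass the counter and never trip it.

```shell
#!/bin/sh
# Added example, not the rules Bruce offered on the list: throttle SSH
# dictionary attacks purely in iptables with the "recent" match.
# Per source address, once HITS new connections to SSH_PORT have been seen
# within WINDOW seconds, every further new connection is dropped until the
# source has been silent for a full WINDOW. Trusted nets (one CIDR per line,
# '#' comments allowed, like Dick's mynets.cfg) are accepted before counting.
# Chain name SSH_LIMIT, the defaults and the sample nets file are assumptions.
# The functions only PRINT iptables commands; run with APPLY=1 as root to load.

SSH_PORT=${SSH_PORT:-22}
WINDOW=${WINDOW:-60}
HITS=${HITS:-4}

# Emit one bypass rule per trusted net; blank lines and '#' comments are skipped.
trusted_net_rules() {
    nets_file=$1
    [ -r "$nets_file" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$nets_file" | while read -r net; do
        printf 'iptables -A SSH_LIMIT -s %s -j ACCEPT\n' "$net"
    done
}

# Emit the complete rule set for port/window/hits, reading trusted nets
# from nets_file. Rule order inside SSH_LIMIT is what makes this work.
ssh_ratelimit_rules() {
    port=$1 window=$2 hits=$3 nets_file=$4
    # A separate chain can be flushed and reloaded without touching INPUT.
    printf 'iptables -N SSH_LIMIT 2>/dev/null || iptables -F SSH_LIMIT\n'
    trusted_net_rules "$nets_file"
    # --update only matches sources already in the list "SSH". With at least
    # hits timestamps inside window seconds it DROPs and also refreshes the
    # entry, so a bot that keeps hammering stays blocked until it goes quiet.
    printf 'iptables -A SSH_LIMIT -m recent --name SSH --update --seconds %s --hitcount %s -j DROP\n' \
        "$window" "$hits"
    # Anything not dropped is recorded (this is the counter) and then allowed.
    printf 'iptables -A SSH_LIMIT -m recent --name SSH --set -j ACCEPT\n'
    # Only NEW connections pass through the counter; existing sessions are untouched.
    printf 'iptables -I INPUT -p tcp --dport %s -m state --state NEW -j SSH_LIMIT\n' "$port"
}

# Constructed sample nets file standing in for /etc/mynets.cfg.
SAMPLE_NETS=$(mktemp)
cat >"$SAMPLE_NETS" <<'EOF'
# trusted nets, one CIDR per line (sample data, not a real deployment)
192.0.2.0/24
10.0.0.0/8
EOF

if [ "${APPLY:-0}" = 1 ]; then
    ssh_ratelimit_rules "$SSH_PORT" "$WINDOW" "$HITS" "$SAMPLE_NETS" | sh -e
else
    ssh_ratelimit_rules "$SSH_PORT" "$WINDOW" "$HITS" "$SAMPLE_NETS"
fi
rm -f "$SAMPLE_NETS"
```

Because the DROP rule sits before the `--set` rule, the first HITS connections in a window get through and the next one is dropped; swapping the two rules would drop the HITS-th instead. The current per-source state can be inspected in /proc/net/xt_recent/SSH (/proc/net/ipt_recent/SSH on the 2.4 and early 2.6 kernels of Bruce's day), which is the only "log" this approach produces. The caveat Bruce notes applies unchanged: successful logins count too, so an untrusted host that opens several scp sessions in quick succession throttles itself, which is exactly why the trusted nets are accepted ahead of the counter. Newer iptables prefer `-m conntrack --ctstate NEW` over `-m state --state NEW`; both match the same thing here.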