# IPTables SSHD scan/ban script?

## Qwertys

So I was working on a script to block IP addresses based on numerous login attempts to SSH. The idea is to add invalid_sshd_run to cron and have it run every 10 mins or so. I am working on updating the script to see if an IP is already in iptables and to set a BAN timer to set how long the IP will be banned. Tell me what you think:

```
#!/bin/sh
# invalid_sshd_ban
# Arguments arrive in pairs: an attempt count followed by the IP address
# (the output format of "uniq -c").

if [ $# -gt 1 ]
then
    while [ $# -gt 1 ]
    do
        if [ "$1" -gt 3 ]
        then
            echo "Banning $2 for $1 offenses"
            # $2 is the address, $1 is the count
            iptables -A SSHD-JAIL -p tcp --syn -j DROP -s "$2"
        fi
        # consume the pair whether or not it was banned, so the loop terminates
        shift
        shift
    done
fi

# invalid_sshd_run
# sort before uniq -c, otherwise only adjacent repeats of an address are counted together
./invalid_sshd_ban `tail -n 30 /var/log/sshd/current | grep 'Invalid user' | awk '{print $9}' | sort | uniq -c`
```
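An added example (not Qwertys' script) that does what the post says it is working towards: it tallies offenses per source address, skips addresses already in the jail, and lifts bans after a timer. It goes a little beyond the original by also counting "Failed password" lines (root included). It assumes the stock syslog-style sshd log format; the SSHD-JAIL chain, the "more than 3" threshold and the 10-minute interval come from the thread, and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not the script from the thread. Tallies sshd failures per
# source address, bans above a threshold, lifts bans after BAN_SECONDS.
# Assumes stock syslog-style sshd lines; SSHD-JAIL chain is from the thread.
THRESHOLD=3                            # more than this many offenses => ban
BAN_SECONDS=600                        # lift the ban after 10 minutes
STATE=${STATE:-/tmp/sshd_jail.state}   # one "ip timestamp" line per ban
DRY_RUN=${DRY_RUN:-1}                  # 1 = print iptables commands only
# Constructed sample log lines for the demo (10.0.0.5 offends 4 times).
SAMPLE_LOG='Mar  1 10:00:01 host sshd[100]: Invalid user admin from 10.0.0.5
Mar  1 10:00:02 host sshd[101]: Failed password for invalid user admin from 10.0.0.5 port 4001 ssh2
Mar  1 10:00:03 host sshd[102]: Invalid user test from 10.0.0.5
Mar  1 10:00:04 host sshd[103]: Failed password for root from 10.0.0.5 port 4002 ssh2
Mar  1 10:00:05 host sshd[104]: Invalid user guest from 192.0.2.9
Mar  1 10:00:06 host sshd[105]: Accepted publickey for alice from 192.0.2.9 port 5000 ssh2'
# Run the iptables command, or just print it in dry-run mode.
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
# Is this address already recorded in the state file?
is_banned() { [ -f "$STATE" ] && awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$STATE"; }
# Read log lines on stdin; print "count ip" for invalid-user and
# failed-password (including root) lines, highest count first.
count_offenders() {
  awk '/Invalid user .* from / || /Failed password for .* from / {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}
# Ban every address above THRESHOLD that is not already in the jail.
ban_offenders() {
  now=$(date +%s)
  count_offenders | while read -r count ip; do
    [ "$count" -gt "$THRESHOLD" ] || continue
    is_banned "$ip" && continue
    echo "$ip $now" >> "$STATE"
    ipt -A SSHD-JAIL -s "$ip" -p tcp --syn -j DROP
  done
}
# Remove bans older than BAN_SECONDS and keep the rest in the state file.
expire_bans() {
  now=$(date +%s)
  [ -f "$STATE" ] || return 0; : > "$STATE.new"
  while read -r ip ts; do
    if [ $((now - ts)) -ge "$BAN_SECONDS" ]; then
      ipt -D SSHD-JAIL -s "$ip" -p tcp --syn -j DROP
    else
      echo "$ip $ts" >> "$STATE.new"
    fi
  done < "$STATE"
  mv "$STATE.new" "$STATE"
}
```

From cron, with DRY_RUN=0, a run is expire_bans followed by piping the recent log lines into ban_offenders; the state file is what lets the next run know which addresses are already jailed.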

----------

## Herring42

You might be better off writing to hosts.deny.

Your IP chain will be checked (possibly) for every ssh packet, while you could leave the rejection to the ssh server.

----------

## jh294

*Herring42 wrote:*

> You might be better off writing to hosts.deny.

An interesting thought.  However my preference would be to drop all packets from the host.  The idea behind that is, if the system is probing for SSH deficiencies, it most likely will be looking for other vulnerabilities.  Better to err on the side of caution and just drop everything from that particular source.

----------

## Herring42

*Quote:*

> An interesting thought. However my preference would be to drop all packets from the host. The idea behind that is, if the system is probing for SSH deficiencies, it most likely will be looking for other vulnerabilities. Better to err on the side of caution and just drop everything from that particular source.

I thought that, then I realised that it would then be easy for an attacker to spoof the source address, and thus cause a denial of service.

They would have to realise what I was doing, mind.

----------

## Rad

There are also real proxy servers and infected machines acting as proxies, and other bad stuff (not even talking about providers and IPv6 addresses...) -> real IPs, and LOTS of them you potentially need to ban and filter in case of an attack.

Better rely on ssh (it was built for just those hostile internet conditions, after all), and use a long passphrase or even key-only authentication; the dumb script kiddie "attacks" you probably get will NEVER succeed. Or maybe use a port knocking daemon.

Banning however is either ineffective or not such a good idea.

----------

## Qwertys

I was just thinking of some way to stop the annoying attacks, and perhaps it would put off whoever is doing this and take him out of the idea of trying these attempts.

My ssh is very tight, a 10+ alphanumeric password with special characters, etc. But it's just annoying to see all these attempts in the log.

I was just thinking it would be a good method to try.

That AND I was going to change the script to remove an address after a period of time depending on the number of attacks that have happened during the last update. So the idea is to stop all attacks from a particular address at the time of the attack, and then remove the ban after a safe time has passed. This would work because it seems each attack occurs from a different IP every time.

----------

## Rad

You're wrong. Most likely it's a bunch of script kiddies using the same scanning tools with the same simple dictionaries. Or a worm. Anyways, it won't really help to ban; the best thing you can do is to use a port knocking daemon.

A port knocking daemon will listen for the right sequence to be sent to a certain location, and will only then open a port on the firewall or start up sshd or something.

These login attempts sometimes don't occur if your ports show as closed, and they definitely won't be logged by sshd anymore. Which may help to make you happy.

----------

## Lejban

If I'd like to ban every IP that tries to log in more than three times with nonexistent usernames (or root) or a wrong password?

What approach should I use?

----------

## corley

Well, I thought about doing something like this too, but after a while I have noticed that I would be banning literally hundreds of full class C ... sometimes even higher address ranges. It's just pointless. There are so many misconfigured systems out there.. just makes it easy for hackers to do what they want.

What would be cool though is to grab those forced login attempts, and automatically do whois on them etc.. find out the ISP and send emails automatically to let them know they have compromised systems on their network. Should be a really easy bash script or something to make for this. Maybe if I get some time this week I will throw one together and post it.

----------

## Jazz

Cool, how do I modify the above script to ban users for 10 mins who attempt to log in many times to my FTP, continuously?

Also, how should I go about it?

Thanks,

Bye,

Jazz

----------

## plut0

You could use the QUEUE target to send the packets to userspace and write a program to evaluate the packets.

```
iptables -A INPUT -p tcp --dport 22 -j QUEUE
```

```
#!/usr/bin/perl
# Sketch of the decision for one source address: $num_logins, $elapsed
# and $ip are filled in from the queued packets by the evaluating program.
if ($num_logins > 5 && $elapsed < 10 * 60) {   # more than 5 logins within 10 minutes
    ban($ip);
} else {
    pass($ip);
}
```

This might be a lot of work but you can do almost anything with the packets in userspace.

----------

## bigfunkymo

This could be abused by someone spoofing the source address to do an exceedingly easy denial of service attack against you.

It might be a better idea to move to public key authentication instead of passwords and disallow password logins.

----------

## corley

I found this site tonight. This seems to be an excellent script and nice resource.

http://www.pettingers.org/code/SSHBlack.html

----------

## SweepingOar

Is there a preferred portknock program for the sshd that gentoo uses?  Thanks.

----------

## gstrock

The port knock program is here; got it from a similar thread in this forum:

http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki

> emerge knock

There's a daemon and a client.

Uses iptables.

----------

