# tired of pounding on SSH, script to block with shorewall...

## papasan

i got tired of reading my logcheck logs with 100s of hack attempts so i wrote a little script to parse 'auth.log' and output hack attempts to shorewall's blacklist file.  this _will_ overwrite the default blacklist file and i haven't taken it far enough to allow for any perm bans (the log file changes daily, so the ban lifts at 3am when the logs rotate on my box) but i find it very useful.  i have a cronjob running this every 30 minutes.  let me know what you think.

```bash
#!/bin/bash

OUTPUT="/etc/shorewall/blacklist"        # output file (overwritten on every run)
LOGFILE="/var/log/auth.log"              # logfile to parse
PERMBAN="/etc/shorewall/blacklist.perm"  # perm blacklist file, appended verbatim
POSTSCRIPT="shorewall refresh"           # command to run after script is done
THRESHOLD=5                              # number of times to trigger inclusion in output
PERMS=600                                # permissions to set on the output

TMP="$OUTPUT.tmp"

# generate temp full list: one line per failed attempt. the awk column is the
# source address in sshd's "... for root from <ip> port ..." and
# "... user <name> from <ip>" log lines
: > "$TMP"
grep "Failed password for root" "$LOGFILE" | awk '{print $11}' >> "$TMP"
grep -e "Illegal user" -e "Invalid user" "$LOGFILE" | awk '{print $10}' >> "$TMP"

# strip the IPv4-mapped prefix in place (redirecting sed's output back to its
# own input file would truncate the file before it is read, leaving it empty)
sed -i -e 's/::ffff://g' "$TMP"

# cut it down to size and add ancillary stuff...
echo "#GENERATED $(date)" > "$OUTPUT"
for Z in $(sort -u "$TMP"); do
  # whole-line fixed-string match so 1.2.3.4 is not also counted for 1.2.3.40
  if [ "$(grep -c -x -F "$Z" "$TMP")" -ge "$THRESHOLD" ]; then
    echo "$Z" >> "$OUTPUT"
  fi
done
echo >> "$OUTPUT"
[ -f "$PERMBAN" ] && cat "$PERMBAN" >> "$OUTPUT"
echo "#EOF" >> "$OUTPUT"

# clean up...
rm -f "$TMP"
chmod "$PERMS" "$OUTPUT"

# run post-script...
if ! $POSTSCRIPT &> /dev/null; then
  echo "Error performing postscript ($POSTSCRIPT)."
  exit 1
fi

exit 0

#EOF
```

Last edited by papasan on Mon Aug 01, 2005 9:56 pm; edited 6 times in total

----------

## nobspangle

It's a good idea, one other solution is to change the port that your sshd is running on.

----------

## papasan

*nobspangle wrote:*

> It's a good idea, one other solution is to change the port that your sshd is running on.

i've done this long ago, although 1022 which it's running on now is prolly the second-most SSHD port out there.

----------

## madchaz

Nice little script.

I get about 50 attempts a day on port 22 on my firewall too. Nothing there but stealth, but still gets annoying. I actually turned the monitoring off on that port, just too many idiots trying it to see if they can get a shell access.

----------

## detz

yeah, i installed shorewall yesterday and already I see so many people try to use my server...

I wrote some perl scripts to parse the logs and put all DENY/ACCEPTs into a MySQL database and I have a web program that shows me everything.  I plan to take it further and have it recommend what IPs I ban and stuff like that.  shorewall is pretty good though

----------

## papasan

changed the script somewhat to add permissions changing, permanent blacklist file and to accommodate changes to the way ssh is logging to my auth.log file (using 'Invalid user' now instead-of/as-well-as 'Illegal user')

----------

## magic919

sshblack does all this and a bit more.  www.pettingers.org

----------

## EmmEff

Is there a way to have a script update an access list on a Linksys WRT54G router?  I'd rather do this than run iptables on a host behind the existing router firewall.

----------

## papasan

*magic919 wrote:*

> sshblack does all this and a bit more.  www.pettingers.org

nice perl script, it's over 250 lines tho! wow...too bad i don't know perl, i'll stick with my small bash script.  looks like the sshblack script doesn't have an expiration either, hope he never blocks himself by mistake...

*EmmEff wrote:*

> Is there a way to have a script update an access list on a Linksys WRT54G router?  I'd rather do this than run iptables on a host behind the existing router firewall.

EmmEff, if you want to send me a WRT54G i would be happy to test it =).

** edit ** changed the script slightly, the quotes around the $THRESHOLD variable were throwing the count logic off.

----------

## bitwise

what happens if someone spoofs the ip of your DNS or something, and attacks you? I'm no network guru, but I know a lot of these auto blacklist scripts have the problem of blocking valid ips due to spoofed attackers. The obvious fix is a whitelist of 'never block' ips.

----------

## magic919

The script looks for port 22 stuff.  It wouldn't matter if my DNS IP did get blocked as that uses port 53.  I'll leave aside the fact my DNS is inside my firewall, for the sake of discussion.

Given that the SSHD authentication would take more than just incoming packets to trigger the script I don't think any spoofing would be effective.

Pettinger's script uses a whitelist for the local network and you can add to that.  Or bypass the iptables for certain addresses.
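As an added example (not papasan's script and not sshblack), this is the counting step with the "never block" whitelist that bitwise asked for and magic919 describes, run over constructed auth.log-style lines: addresses are taken from the `from <ip>` token instead of a fixed column, the `::ffff:` prefix is stripped, and whitelist entries are matched as whole lines. The log lines, addresses and whitelist file are constructed for illustration.

```bash
#!/bin/bash
# Added example: per-source failure counting with threshold and whitelist
# exclusion, producing one address per line in shorewall blacklist style.

# Print blacklist candidates, one IP per line, sorted.
# $1 = log file, $2 = whitelist (one IPv4 address per line), $3 = threshold
blacklist_candidates() {
  local logfile="$1" whitelist="$2" threshold="$3"
  # Take the address after "from " so "Failed password for root",
  # "Failed password for invalid user X" and "Invalid user X" lines all
  # parse the same way; drop an IPv4-mapped "::ffff:" prefix if present.
  grep -E 'Failed password for|Invalid user|Illegal user' "$logfile" \
    | sed -n -E 's/.* from (::ffff:)?([0-9.]+).*/\2/p' \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t {print $2}' \
    | grep -v -x -F -f "$whitelist" \
    | sort
}

# Constructed sample input (documentation addresses, not real attackers).
LOG=$(mktemp); WL=$(mktemp)
trap 'rm -f "$LOG" "$WL"' EXIT
cat > "$LOG" <<'EOF'
Aug  1 03:10:01 gw sshd[2001]: Failed password for root from 203.0.113.5 port 4021 ssh2
Aug  1 03:10:03 gw sshd[2001]: Failed password for root from 203.0.113.5 port 4021 ssh2
Aug  1 03:10:05 gw sshd[2002]: Invalid user admin from 203.0.113.5
Aug  1 03:11:07 gw sshd[2003]: Failed password for invalid user test from ::ffff:203.0.113.5 port 4100 ssh2
Aug  1 03:12:09 gw sshd[2004]: Illegal user oracle from 203.0.113.50
Aug  1 03:12:11 gw sshd[2005]: Invalid user guest from 203.0.113.50
Aug  1 03:12:13 gw sshd[2006]: Invalid user guest from 203.0.113.50
Aug  1 03:13:15 gw sshd[2007]: Failed password for root from 198.51.100.7 port 5000 ssh2
Aug  1 03:13:17 gw sshd[2008]: Failed password for root from 198.51.100.7 port 5001 ssh2
Aug  1 03:13:19 gw sshd[2009]: Failed password for root from 198.51.100.7 port 5002 ssh2
Aug  1 03:14:00 gw sshd[2010]: Accepted publickey for papasan from 192.0.2.9 port 6000 ssh2
EOF
# Constructed "never block" list: a monitoring host that also fails logins.
printf '198.51.100.7\n' > "$WL"

# 203.0.113.5 (4 hits) and 203.0.113.50 (3 hits) are listed at threshold 3;
# 198.51.100.7 reaches the threshold but is whitelisted.
blacklist_candidates "$LOG" "$WL" 3
```

Exact-line whitelist matching (`-x -F`) matters for the same reason as in the counting loop: a plain `grep 203.0.113.5` would also exempt 203.0.113.50.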

----------

## bitwise

*magic919 wrote:*

> The script looks for port 22 stuff.  It wouldn't matter if my DNS IP did get blocked as that uses port 53.  I'll leave aside the fact my DNS is inside my firewall, for the sake of discussion.

It doesn't appear to me that it only looks for port 22, it just looks to see an invalid login attempt, and blocks the ip. Sure, that connection would be only coming in over the ssh port, but once you block the ip, the port doesn't really matter. Or is there somewhere in there that the port is being specified as well?

*Quote:*

> Given that the SSHD authentication would take more than just incoming packets to trigger the script I don't think any spoofing would be effective.

I don't really know the ins and outs of ssh, so you're probably right. I was just curious as to whether what I mentioned would really be a problem or not.

----------

## magic919

I guess you need to look at this in the context of the system in question.  Do you have other open ports with daemons that will log to /var/log/secure and what kind of failure messages are there?  How is your IPTables firewall constructed?  It would be entirely possible to blacklist an IP and thus stop it reaching the machine through any port.

With SSHBlack it's a question of where the Blacklist chain occurs in the firewall config.  Anything explicitly allowed above this line will get through and anything below will not be reached by a blacklisted IP.

I'd say it's safe unless your Internet subnet can be compromised.  They would have to send packets as if from another IP and also be able to sniff the network to reply to outgoing packets destined for that spoofed IP.  All this is possible but very unlikely.

Somebody could set a load of bots off to make SSH attempts and overwhelm SSHBlack in some kind of DoS attempt.  I think Pettinger built in something for that too.

It's an interesting topic albeit a potentially complex one.

----------

## kurtb

This looks like a good fit for setting up port knocking.

----------

## adsmith

there's also "fail2ban", which provides a nice ebuild to add to your overlay.

----------

## vaguy02

I use snort and snortsam to block brute force, but I think it's a lot harder to do than the ideas you were suggesting. Just a thought.

----------

