
HOWTO :: Proactively deny access to IPs that brute force your SSH service


royong
25-03-2007, 10:16
Disclaimer :: While I take precaution to avoid any unnecessary errata, the reader is advised to perform his / her own backups. I accept no warranties, expressed or implied, with regards to any malfunction, damage, loss, deletion, removal etc. of any form, nor shall I be liable for any damages.

Many times we are left in a situation where we need to keep the SSH daemon running while knowing that this leaves the server exposed to SSH brute-force attempts. The following is a small script written in anticipation of such attempts: it reads the system log, finds every authentication failure that sshd has logged, and adds a DROP rule in iptables for each offending source IP. Note that the rule drops all traffic from that address, not only port 22, and that nothing ever expires an entry: once an IP is in the bad list it stays blocked until you remove it by hand.

PS - This script presumes that you do NOT have any existing rules in iptables that need to be preserved: it flushes the whole filter table (iptables -F) every time it runs. Make the necessary adjustments to the script if existing iptables rules must be preserved, or else give me a shout and I'll see what I can do.

Log in to the server and, as root, perform the following

Create the required directory and the appropriate file name

# mkdir /root/ip-block-port-22
# cd /root/ip-block-port-22
# vi block.sh


Cut and paste the following into the vi screen that you have started above.

#!/bin/bash
# Collect the source IPs of failed SSH logins and DROP them in iptables.
# NOTE: this flushes every rule in the filter table (see the note above).

IPTABLES=/sbin/iptables
SOURCEFILE=/var/log/messages      # Debian/Ubuntu log sshd to /var/log/auth.log instead
SOURCEDIR=/root/ip-block-port-22
BADIPFILE=$SOURCEDIR/badip
GOODIPFILE=$SOURCEDIR/goodip

# Pull the address out of the "rhost=" token of each pam "authentication
# failure" line. Matching the token is more robust than counting
# space-separated fields, which shift when the day of month is a single
# digit ("Mar  5"). Only dotted IPv4 addresses are kept.
grep sshd "$SOURCEFILE" | grep "authentication failure" \
    | grep -o 'rhost=[0-9.]\{7,\}' | cut -c 7- | sort -u >> "$BADIPFILE"
sort -u "$BADIPFILE" -o "$BADIPFILE"

BADIP=$(cat "$BADIPFILE")
GOODIP=$(cat "$GOODIPFILE" 2>/dev/null)   # an empty or missing goodip file just means no exceptions

$IPTABLES -F
$IPTABLES -Z

# Allowed addresses go first so they match before any DROP rule below.
for IP in $GOODIP
do
    $IPTABLES -A INPUT -s "$IP" -j ACCEPT
done

for IP in $BADIP
do
    $IPTABLES -A INPUT -s "$IP" -j DROP
done

Once complete, save and exit from the vi screen using ":wq"

Next, set the file permissions to make the script executable

# chmod +x /root/ip-block-port-22/block.sh


Create the cron job (scheduled task) so that the script is called every 30 minutes. You can adjust the interval to your requirements. Because the script runs iptables, this must go into root's crontab.

# crontab -e
*/30 * * * * /root/ip-block-port-22/block.sh


Create the BADIP file in which the script stores all the offending IPs

# touch /root/ip-block-port-22/badip


Create the GOODIP file. Every IP in this file WILL BE ALLOWED into the server even if it has logged authentication failures, because its ACCEPT rule is added before the DROP rules. This is a failsafe in case you mistype your own password and would otherwise lock yourself out: put the address you administer the server from in this file before running the script for the first time. One entry per line.

# vi /root/ip-block-port-22/goodip
123.123.123.111
123.123.123.222


Finally, run the script for the first time

# /root/ip-block-port-22/block.sh


Check your new iptables entries: notice that 123.123.123.111 and 123.123.123.222 appear at the very top with ACCEPT rules, ahead of every DROP rule

# iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 123.123.123.111 0.0.0.0/0
ACCEPT all -- 123.123.123.222 0.0.0.0/0
DROP all -- 124.136.196.66 0.0.0.0/0
DROP all -- 124.2.56.237 0.0.0.0/0
DROP all -- 125.215.184.42 0.0.0.0/0
DROP all -- 125.247.251.4 0.0.0.0/0
DROP all -- 202.101.47.51 0.0.0.0/0
DROP all -- 202.102.124.206 0.0.0.0/0
DROP all -- 202.104.12.213 0.0.0.0/0
DROP all -- 202.110.187.197 0.0.0.0/0
<snip>

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Once tested, leave it running, knowing that new offending IPs will be added every 30 minutes.
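The two weak points of the script above are the log parsing (it relies on a fixed space-separated field, which shifts with the log format) and the unconditional iptables -F, which the PS warns about. The following is an added example, not the script from the post: it pulls the address out of the "rhost=" or "from <ip>" token, only blocks an address after a threshold of failed lines rather than a single failure, keeps the rest of your rule set intact by putting the blocks in a dedicated chain (the chain name SSH_BRUTE, the threshold and the APPLY switch are choices made here), and drops only tcp/22. The log lines and the goodip entry are constructed for the demonstration; iptables is only called when APPLY=1, otherwise the commands are printed so you can review them first.

```shell
#!/bin/sh
# Added example (not the block.sh from the post). Same idea, with:
#   - address taken from the "rhost=" / "from <ip>" token, not a fixed field
#     (fields shift when the day of month is a single digit, e.g. "Mar  5"),
#   - an address is only blocked after THRESHOLD failed-login lines,
#   - rules live in a dedicated chain (SSH_BRUTE, name chosen here) so the
#     rest of the iptables rule set is left untouched,
#   - only tcp/22 is dropped, not all traffic from the address.
# iptables is invoked only when APPLY=1; otherwise the commands are printed.
# Assumes iptables >= 1.4.11 for "-C" (rule check). IPv4 only.

THRESHOLD=${THRESHOLD:-3}
CHAIN=SSH_BRUTE

# extract_bad_ips LOGFILE [THRESHOLD]
# Prints, sorted and one per line, every source address with at least
# THRESHOLD failed-login lines. Handles both the pam_unix
# "authentication failure; ... rhost=<ip>" line and sshd's own
# "Failed password for ... from <ip> port ..." line. One failed attempt is
# often logged in both forms, so the threshold counts log lines, not attempts.
extract_bad_ips() {
    local logfile threshold
    logfile=$1
    threshold=${2:-$THRESHOLD}
    grep 'sshd\[' "$logfile" \
      | sed -n \
          -e 's/.*authentication failure;.*rhost=\([0-9][0-9.]*\).*/\1/p' \
          -e 's/.*Failed password for .* from \([0-9][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }' \
      | sort -u
}

# build_rules GOODFILE [BADIP...]
# Emits the iptables commands that rebuild the dedicated chain from scratch:
# allowed addresses RETURN to INPUT first, offenders are dropped after them.
build_rules() {
    local goodfile ip
    goodfile=$1; shift
    echo "iptables -N $CHAIN 2>/dev/null"     # create the chain if absent
    echo "iptables -F $CHAIN"                  # empty only this chain
    # hook the chain into INPUT once, at the top, for SSH traffic only
    echo "iptables -C INPUT -p tcp --dport 22 -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport 22 -j $CHAIN"
    if [ -r "$goodfile" ]; then
        while read -r ip; do
            if [ -n "$ip" ]; then
                echo "iptables -A $CHAIN -s $ip -j RETURN"
            fi
        done < "$goodfile"
    fi
    for ip in "$@"; do
        echo "iptables -A $CHAIN -s $ip -j DROP"
    done
}

# Constructed sample log (not a real capture) written to a temp file so the
# functions run without touching /var/log. Addresses are from the RFC 5737
# documentation ranges. 203.0.113.9 fails three times; the others once each.
SAMPLE_LOG=$(mktemp)
SAMPLE_GOOD=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_GOOD"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 25 10:01:02 host sshd[2001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Mar 25 10:01:02 host sshd[2001]: Failed password for root from 203.0.113.9 port 40111 ssh2
Mar 25 10:01:05 host sshd[2002]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar  5 10:02:00 host sshd[2003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Mar 25 10:03:00 host sshd[2004]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar 25 10:04:00 host sshd[2005]: Failed password for alice from 192.0.2.10 port 50001 ssh2
EOF
echo 192.0.2.10 > "$SAMPLE_GOOD"      # the admin's own address, never blocked

# In real use set LOGFILE to /var/log/auth.log (Debian/Ubuntu) or
# /var/log/messages (Red Hat style) and GOODFILE to your goodip file,
# then run this from cron the same way as block.sh.
LOGFILE=${LOGFILE:-$SAMPLE_LOG}
GOODFILE=${GOODFILE:-$SAMPLE_GOOD}
BAD=$(extract_bad_ips "$LOGFILE" "$THRESHOLD")
if [ "${APPLY:-0}" = 1 ]; then
    build_rules "$GOODFILE" $BAD | sh       # needs root
else
    build_rules "$GOODFILE" $BAD            # dry run: print the commands
fi
```

Run as-is it prints the commands for the constructed log: with the default threshold of 3 only 203.0.113.9 is dropped, 198.51.100.7 and the admin's 192.0.2.10 are not, and the RETURN rule for 192.0.2.10 sits above the DROP rules, so even if that address accumulated failures it would fall through to the normal INPUT rules. Because the chain is flushed and rebuilt on each run, an address disappears from the block list as soon as it leaves the log, which is what makes rotated logs expire old entries here, unlike the badip file in the original script.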