

SSH dictionary attacks are a big problem. I posted earlier a script that will scan the logs and block IP addresses that attempt many logins. (ssh_complain)

However, SSHDFilter is a script that watches the logs live and immediately blocks IP addresses as soon as they attempt one invalid username or too many failed passwords on valid users.

I have written a script, intended to be run from cron every few minutes, that blocks hosts attempting dictionary attacks on your Unix server. You will need to tweak the whitelist, thresholds, hostnames and addresses below for your own use.

The script sends an email to the network administrator, then adds the IP address to /etc/hosts.deny. Note that /etc/hosts.deny only affects services that honour tcp_wrappers (libwrap); sshd and vsftpd must have been built and configured with that support, otherwise the entry is written but blocks nothing.

It works for me, but your mileage may vary. Uses: mutt, ntpstat and the whois service at whois.deadbeef.com. Since it runs as root and automatically emails whichever contacts whois reports for the attacking address, read what it sends before enabling it.

This is three scripts.

auto_send_ssh_complaints: Scans log files for attacks, and invokes the proper script to send the email.

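#!/bin/sh
#
# auto_send_ssh_complaints -- meant to run from cron every few minutes.
#
# Scans /var/log/secure for sshd "Failed password" lines and /var/log/messages
# for vsftpd pam_unix "authentication failure" lines, counts attempts per
# source address, and hands each address that crosses a threshold to
# /root/bin/ssh_complain or /root/bin/ftp_complain, which mail the abuse
# contact and append the address to /etc/hosts.deny.
#
# Addresses are lifted out of log text and end up in a root-written ACL file
# and in sed patterns, so only a plain dotted-quad IPv4 address is ever passed
# on; anything else is reported and skipped.
# NOTE(review): that means native IPv6 sources are ignored (only the
# IPv4-mapped ::ffff:a.b.c.d form is handled).  tcp_wrappers wants "[addr]"
# for IPv6 entries, so supporting them needs more than lifting this check.

# Thresholds: an SSH source is reported after more than $ssh_max_attempts
# failures or more than $ssh_max_usernames distinct usernames; an FTP source
# after more than $ftp_max_attempts failures.
ssh_max_attempts=14
ssh_max_usernames=4
ftp_max_attempts=25

# Fill in your own whitelisted hosts here.  Entries resolved at run time trust
# DNS: whoever can spoof that answer can whitelist themselves.  Only A records
# ("... has address a.b.c.d") are taken from the host(1) output.
whitelist="127.0.0.1 1.2.3.4 $(host home.example.com | awk '/has address/ { print $NF }')"

# looks_like_ipv4 ADDR -- succeed only if ADDR is four dot-separated decimal
# octets, each 0-255.
looks_like_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _octets=0
    _rest="$1."
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        _rest=${_rest#*.}
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
        _octets=$((_octets + 1))
    done
    [ "$_octets" -eq 4 ]
}

# is_whitelisted ADDR -- succeed if ADDR is one of the $whitelist entries
# (exact string comparison, not a prefix match).
is_whitelisted() {
    for _entry in $whitelist; do
        [ "$_entry" = "$1" ] && return 0
    done
    return 1
}

# is_blocked ADDR -- succeed if /etc/hosts.deny already holds the exact line
# "ALL:ADDR" that the complain scripts write.  Whole-line fixed-string match,
# so an entry for 1.2.3.4 no longer hides 1.2.3.45 (the old unanchored grep
# did).
is_blocked() {
    grep -qxF -- "ALL:$1" /etc/hosts.deny 2>/dev/null
}

# regex_escape_dots ADDR -- print ADDR with "." escaped for a basic regex, so
# 1.2.3.4 does not also match 1x2x3x4.
regex_escape_dots() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# --- SSH: "sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2"
sed -e '/sshd\[[0-9]*\]: Failed password/!d' \
    -e 's/.*Failed password for.*from //' \
    -e 's/ port.*//' /var/log/secure | sort | uniq -c |
while read -r count host; do
    # sshd logs IPv4-mapped IPv6 clients as ::ffff:a.b.c.d; strip the prefix.
    host=${host#::ffff:}

    if ! looks_like_ipv4 "$host"; then
        echo "$count attempts from unparseable source '$host' (skipped)"
        continue
    fi
    if is_whitelisted "$host"; then
        echo "$count attempts from WHITELISTED $host"
        continue
    fi
    # Already in hosts.deny: nothing more to do for this address.
    is_blocked "$host" && continue

    # Distinct usernames tried from this address.  Computed only for hosts
    # that are still candidates, since it rescans the whole log each time.
    # The address is followed by " port" in the log, which keeps 1.2.3.4 from
    # matching 1.2.3.45; the optional ::ffff: covers IPv4-mapped clients.
    host_re=$(regex_escape_dots "$host")
    number_of_usernames=$(sed -e '/sshd\[[0-9]*\]: Failed password.*from \(::ffff:\)\{0,1\}'"$host_re"' port/!d' \
        -e 's/.*Failed password for //' -e 's/ from .*//' /var/log/secure | sort -u | wc -l)

    if [ "$count" -gt "$ssh_max_attempts" ] || [ "$number_of_usernames" -gt "$ssh_max_usernames" ]; then
        /root/bin/ssh_complain "$host"
    fi
done

# --- FTP: "vsftpd(pam_unix)[PID]: authentication failure; ... rhost=ADDR  user=NAME"
# NOTE(review): the original cut the address out with 's/.*rhost=.*from //',
# but these lines carry no "from" token (ftp_complain counts them with the
# pattern 'rhost=<ip>'), so that substitution could not match and the whole
# line prefix survived into $host.  Take what follows "rhost=" up to the
# next whitespace instead.
sed -e '/vsftpd(pam_unix)\[[0-9]*\]: authentication failure/!d' \
    -e 's/.*rhost=//' \
    -e 's/[[:space:]].*//' /var/log/messages | sort | uniq -c |
while read -r count host; do
    host=${host#::ffff:}

    if ! looks_like_ipv4 "$host"; then
        echo "$count attempts from unparseable source '$host' (skipped)"
        continue
    fi
    if is_whitelisted "$host"; then
        echo "$count attempts from WHITELISTED $host"
        continue
    fi
    is_blocked "$host" && continue

    if [ "$count" -gt "$ftp_max_attempts" ]; then
        /root/bin/ftp_complain "$host"
    fi
done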

ftp_complain: Sends email about ftp attacks.

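#!/bin/sh
#
# ftp_complain ADDR... -- for each IPv4 address: collect the log lines that
# mention it, mail them with a complaint to the contacts whois reports for the
# address (and to root@example.com), then append "ALL:ADDR" to
# /etc/hosts.deny unless it is already there.
#
# Requires mutt, ntpstat and the whois(1) client; the contact addresses come
# from the whois.deadbeef.com service.  The hosts.deny entry only has an
# effect for services that honour tcp_wrappers.
#
# Hardening compared with the first version:
#  * ADDR must be a dotted-quad IPv4 address.  It is written into a
#    root-owned ACL file and used in grep patterns, so anything else is
#    refused with a message.
#  * The log excerpt goes into a private mktemp directory that is removed on
#    exit, rather than "ADDR.txt" in the current directory with the caller's
#    umask; written as root, a predictable path like that follows any symlink
#    planted there and leaves the excerpt behind afterwards.
#  * Recipients parsed out of whois output are filtered down to tokens shaped
#    like an e-mail address and passed after "--", so a stray token in an
#    upstream record cannot be taken as a mutt option.  (Current mutt also
#    requires "--" between -a and the recipient list.)

# looks_like_ipv4 ADDR -- succeed only if ADDR is four dot-separated decimal
# octets, each 0-255.
looks_like_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _octets=0
    _rest="$1."
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        _rest=${_rest#*.}
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
        _octets=$((_octets + 1))
    done
    [ "$_octets" -eq 4 ]
}

# filter_emails -- read whitespace-separated tokens on stdin and print, one
# per line and de-duplicated, only those shaped like an e-mail address.
filter_emails() {
    awk '{ for (i = 1; i <= NF; i++) print $i }' |
        grep -E '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+$' | sort -u
}

tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT

while [ "$1" != "" ]; do
        ipaddr=$1
        shift

        if ! looks_like_ipv4 "$ipaddr"; then
                echo "Refusing '$ipaddr': not an IPv4 address" >&2
                continue
        fi

        echo "Sending FTP complaint on $ipaddr"

        echo "Getting email addresses"
        emails=$(whois "$ipaddr@whois.deadbeef.com" | awk '/^[^\[]/ { print $1 }' | filter_emails)

        echo "Getting logs"
        # -w keeps 1.2.3.4 from also pulling in 1.2.3.45 or 11.2.3.4 lines,
        # which would ship some other host's activity to this contact.
        logfile="$tmpdir/$ipaddr.txt"
        grep -Fw -- "$ipaddr" /var/log/secure* /var/log/messages* > "$logfile"

        echo "Getting count"
        # Fixed-string, word-bounded match on "rhost=ADDR" so the dots in the
        # address are literal and a longer address does not inflate the count.
        count=$(grep -h 'vsftpd.*authentication failure' /var/log/messages* | grep -cFw -- "rhost=$ipaddr")
        echo "Count=$count"

        if [ -z "$emails" ]; then
                echo "No email addresses"
        else
                echo "Sending email"
                # $emails is intentionally unquoted: one filtered address per line.
                mutt -s "Excessive FTP attempts from $ipaddr" -a "$logfile" -- $emails root@example.com <<EOF
My host server.example.com (1.2.3.4) has received roughly $count
attempts to login via the FTP protocol from your host at $ipaddr.  I have
attached the relevant portions of my logfiles.  All times are in CST/CDT.

$(ntpstat)

Thank you for your understanding.
admin@example.com
EOF
        fi

        # Whole-line fixed-string match against the exact entry we write.
        if grep -qxF -- "ALL:$ipaddr" /etc/hosts.deny; then
                echo "Already in blocked list"
        else
                echo "Adding $ipaddr to blocked list"
                echo "ALL:$ipaddr" >>/etc/hosts.deny
        fi
done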

ssh_complain: Sends email about ssh attacks

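#!/bin/sh
#
# ssh_complain ADDR... -- for each IPv4 address: collect the log lines that
# mention it, mail them with a complaint to the contacts whois reports for the
# address (and to root@example.com), then append "ALL:ADDR" to
# /etc/hosts.deny unless it is already there.
#
# Requires mutt, ntpstat and the whois(1) client; the contact addresses come
# from the whois.deadbeef.com service.  The hosts.deny entry only has an
# effect for services that honour tcp_wrappers.
#
# Hardening compared with the first version:
#  * ADDR must be a dotted-quad IPv4 address.  It is written into a
#    root-owned ACL file and used in grep patterns, so anything else is
#    refused with a message.
#  * The log excerpt goes into a private mktemp directory that is removed on
#    exit instead of the predictable, world-writable /tmp/ADDR.txt: written
#    as root, that path follows any symlink a local user plants there, and
#    the excerpt was left world-readable afterwards.
#  * Recipients parsed out of whois output are filtered down to tokens shaped
#    like an e-mail address and passed after "--", so a stray token in an
#    upstream record cannot be taken as a mutt option.  (Current mutt also
#    requires "--" between -a and the recipient list.)

# looks_like_ipv4 ADDR -- succeed only if ADDR is four dot-separated decimal
# octets, each 0-255.
looks_like_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _octets=0
    _rest="$1."
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        _rest=${_rest#*.}
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
        _octets=$((_octets + 1))
    done
    [ "$_octets" -eq 4 ]
}

# filter_emails -- read whitespace-separated tokens on stdin and print, one
# per line and de-duplicated, only those shaped like an e-mail address.
filter_emails() {
    awk '{ for (i = 1; i <= NF; i++) print $i }' |
        grep -E '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+$' | sort -u
}

tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT

while [ "$1" != "" ]; do
        ipaddr=$1
        shift

        if ! looks_like_ipv4 "$ipaddr"; then
                echo "Refusing '$ipaddr': not an IPv4 address" >&2
                continue
        fi

        echo "Sending SSH complaint on $ipaddr"

        echo "Getting email addresses"
        emails=$(whois "$ipaddr@whois.deadbeef.com" | awk '/^[^\[]/ { print $1 }' | filter_emails)

        echo "Getting logs"
        # -w keeps 1.2.3.4 from also pulling in 1.2.3.45 or 11.2.3.4 lines,
        # which would ship some other host's activity to this contact.
        logfile="$tmpdir/$ipaddr.txt"
        grep -Fw -- "$ipaddr" /var/log/secure* /var/log/messages* > "$logfile"

        echo "Getting count"
        # Fixed-string, word-bounded match so the dots in the address are
        # literal and a longer address does not inflate the count; this also
        # counts lines that log the client as ::ffff:ADDR.
        count=$(grep -h 'Failed password for.*from .*ssh2' /var/log/secure* | grep -cFw -- "$ipaddr")
        echo "Count=$count"

        if [ -z "$emails" ]; then
                echo "No email addresses"
        else
                echo "Sending email"
                # $emails is intentionally unquoted: one filtered address per line.
                mutt -s "Excessive SSH attempts from $ipaddr" -a "$logfile" -- $emails root@example.com <<EOF
My host server.example.com (1.2.3.4) has received roughly $count
attempts to login via the SSH protocol from your host at $ipaddr.  I have
attached the relevant portions of my logfiles.  All times are in CST/CDT.

$(ntpstat)

Thank you for your understanding.
admin@example.com
EOF
        fi

        # Whole-line fixed-string match against the exact entry we write.
        if grep -qxF -- "ALL:$ipaddr" /etc/hosts.deny; then
                echo "Already in blocked list"
        else
                echo "Adding $ipaddr to blocked list"
                echo "ALL:$ipaddr" >>/etc/hosts.deny
        fi
done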