Archive for November, 2009

SSH brute-force combat script

November 28, 2009
#!/bin/sh
# rc.turkey
# http://twitter.com/kokikode
#
# Run from cron. Finds addresses that hit the SSH port and then failed to log in,
# and blocks each of them three ways: TCP wrappers, iptables and a blackhole route.

# File "/etc/hosts.rogues" is referenced from "/etc/hosts.allow" as an exception, like this sample.
# ALL: 127.0.0.1/32
# ALL: 192.168.0.0/24
# sshd: ALL EXCEPT /etc/hosts.rogues

# Then don't forget to configure the file "/etc/hosts.deny" like this.
# ALL: ALL

# Addresses are matched with "grep -Fw" throughout, so the dots in an address are
# taken literally and 10.0.0.1 does not match 10.0.0.10.

hosts_rogues() {
   if ! grep -qFw "$rawline" /etc/hosts.rogues 2>/dev/null; then
      echo "$rawline/32" >> /etc/hosts.rogues
   fi
}

# Additional commands if needed (forwarded traffic, for a router).
# /sbin/iptables -I FORWARD -j DROP -s "$rawline"
# /sbin/iptables -I FORWARD -j DROP -d "$rawline"

resist_attack() {
   # Insert (-I), not append: an appended DROP would sit behind the rate-limited
   # ACCEPT rule listed below and never be reached. Inbound packets from the
   # attacker are dropped on INPUT, outbound packets to it on OUTPUT.
   if ! /sbin/iptables -L INPUT -v -n | grep -qFw "$rawline"; then
      /sbin/iptables -I INPUT -j DROP -s "$rawline"
   fi
   if ! /sbin/iptables -L OUTPUT -v -n | grep -qFw "$rawline"; then
      /sbin/iptables -I OUTPUT -j DROP -d "$rawline"
   fi
}

route_to_blackhole() {
   if ! /bin/ip route list type blackhole | grep -qFw "$rawline"; then
      /bin/ip route add blackhole "$rawline"
   fi
}

echo "$(date)" > /var/log/lastlog.turkey

# Please add rules like the following to the iptables-based firewall; they are a requirement for this script.
# New SSH connections are accepted at one per minute; anything beyond that is logged and dropped.
# Note that the limit is global, not per source address.
# iptables -A INPUT -j ACCEPT -p tcp --dport 22 --syn -m state --state NEW -m limit --limit 1/m --limit-burst 1
# iptables -A INPUT -j LOG -p tcp --dport 22 --syn -m state --state NEW --log-level debug
# iptables -A INPUT -j DROP -p tcp --dport 22 --syn -m state --state NEW

# The LOG rule writes to the kernel log (here /var/log/debug). Pull the source address
# out of every line for the SSH port; "SRC=" is picked out by name rather than by field
# position, so the exact layout of the line does not matter, and -w keeps DPT=22 from
# matching DPT=2222.
grep "IN=eth1" /var/log/debug | grep -w "DPT=22" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u | while read -r rawline; do
   [ -n "$rawline" ] || continue
   # Count what sshd logged for this address. No scratch files in /tmp: a root
   # process writing to a predictable name in a world-writable directory invites
   # symlink attacks, and counting with grep -c needs no file at all.
   invalid=$(grep "sshd" /var/log/auth.log | grep "Invalid user" | grep -cFw "$rawline")
   failed=$(grep "sshd" /var/log/auth.log | grep "Failed password" | grep -cFw "$rawline")
   breakin=$(grep "sshd" /var/log/auth.log | grep "POSSIBLE BREAK-IN ATTEMPT" | grep -cFw "$rawline")
   # Block on any invalid-user or break-in message, or on more than two failed passwords.
   if [ "$invalid" -gt 0 ] || [ "$failed" -gt 2 ] || [ "$breakin" -gt 0 ]; then
      hosts_rogues
      resist_attack
      route_to_blackhole
   fi
done

exit 0

I put this script in crontab and run it every 5 minutes.
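The detection half of the script, as an added example that is not the author's rc.turkey: the same three tests (invalid user, more than two failed passwords, possible break-in) run over constructed sample log lines instead of /var/log/debug and /var/log/auth.log, so the matching can be checked on a workstation before it is trusted to block anything. The function names are chosen here, the sample lines are made up, and the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example, not the blog's rc.turkey: the detection logic as functions
# that take log files as arguments, exercised on constructed sample lines.

# Print every source address the LOG rule recorded for the SSH port, one per
# line, deduplicated. "SRC=" is picked out by name rather than by field
# position, and -w keeps DPT=22 from matching DPT=2222.
ssh_log_sources() {    # $1 = kernel/debug log file
    grep -w 'DPT=22' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Count sshd lines that contain both the message text and the address.
# -F takes the dots literally and -w stops 203.0.113.5 matching 203.0.113.50.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
auth_hits() {          # $1 = auth log file, $2 = message text, $3 = address
    grep 'sshd\[' "$1" | grep -F "$2" | grep -cFw "$3" || true
}

# The post's block criteria: any "Invalid user" or "POSSIBLE BREAK-IN ATTEMPT"
# line for the address, or more than two "Failed password" lines.
is_rogue() {           # $1 = auth log file, $2 = address
    [ "$(auth_hits "$1" 'Invalid user' "$2")" -gt 0 ] ||
    [ "$(auth_hits "$1" 'Failed password' "$2")" -gt 2 ] ||
    [ "$(auth_hits "$1" 'POSSIBLE BREAK-IN ATTEMPT' "$2")" -gt 0 ]
}

# Print the addresses that hit port 22 and meet the criteria; this is the list
# the blocking steps (hosts.rogues, iptables, blackhole route) would act on.
find_rogues() {        # $1 = kernel/debug log file, $2 = auth log file
    ssh_log_sources "$1" | while read -r ip; do
        if is_rogue "$2" "$ip"; then echo "$ip"; fi
    done
}

# Constructed sample logs (documentation addresses, not real traffic):
#   203.0.113.5   one invalid-user attempt   -> blocked
#   203.0.113.50  two failed passwords       -> not blocked (threshold is more than two)
#   198.51.100.9  three failed passwords     -> blocked
#   198.51.100.7  hit port 2222, not 22      -> never considered
demo() {
    kern=$(mktemp); auth=$(mktemp)
    cat > "$kern" <<'EOF'
Nov 28 10:00:01 gw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40210 DPT=22 WINDOW=5840 SYN URGP=0
Nov 28 10:00:02 gw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40211 DPT=22 WINDOW=5840 SYN URGP=0
Nov 28 10:00:03 gw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40212 DPT=2222 WINDOW=5840 SYN URGP=0
Nov 28 10:00:04 gw kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40213 DPT=22 WINDOW=5840 SYN URGP=0
EOF
    cat > "$auth" <<'EOF'
Nov 28 10:00:05 gw sshd[2001]: Invalid user admin from 203.0.113.5
Nov 28 10:00:06 gw sshd[2002]: Failed password for root from 203.0.113.50 port 40211 ssh2
Nov 28 10:00:07 gw sshd[2002]: Failed password for root from 203.0.113.50 port 40211 ssh2
Nov 28 10:00:08 gw sshd[2003]: Failed password for root from 198.51.100.9 port 40213 ssh2
Nov 28 10:00:09 gw sshd[2003]: Failed password for root from 198.51.100.9 port 40213 ssh2
Nov 28 10:00:10 gw sshd[2003]: Failed password for root from 198.51.100.9 port 40213 ssh2
EOF
    find_rogues "$kern" "$auth"
    rm -f "$kern" "$auth"
}

demo
```

The 203.0.113.5 / 203.0.113.50 pair is the case the original unquoted `grep $rawline` gets wrong: without -F the dots match any character, and without -w the shorter address is a substring of the longer one, so the two-failure host would inherit the block earned by its neighbour.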

How to disable IPv6 in Ubuntu

November 26, 2009

According to network experts, disabling IPv6 can improve Internet connection speed, mainly on hosts whose network has no working IPv6 connectivity, where IPv6 attempts only time out before falling back to IPv4. The following is an example of how to disable IPv6 in Ubuntu.

  1. Log in as “root” or equivalent.
  2. Edit the configuration file “/etc/modprobe.d/aliases”.
  3. Find the line that reads “alias net-pf-10 ipv6”.
  4. Change it to “alias net-pf-10 off” and add a line “alias ipv6 off” below it, so the IPv6 module is never loaded.
  5. Save and reboot.
  6. Check with the command “netstat -ln”: while IPv6 is still active, entries such as “tcp6” and “udp6” appear in the [Proto] column, one for each protocol enabled. If none appear, the configuration is done.

Note that this only works when IPv6 is built as a loadable module. On a release whose kernel has IPv6 compiled in, the alias change has no effect; there, set “net.ipv6.conf.all.disable_ipv6 = 1” in “/etc/sysctl.conf” instead and check again after the reboot.
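Steps 2 to 4 and the step 6 check as a script, added here as an example and not part of the original post. The aliases file and the netstat listing are passed in as file paths so the functions can be tried on copies before touching /etc, the sample contents are constructed for the demonstration, and GNU sed is assumed for the in-place edit.

```shell
#!/bin/sh
# Added example, not part of the original post: the alias edit done by script,
# idempotently, plus the "netstat -ln" check run over a saved listing.
# Assumes GNU sed (for -i). File paths are arguments, so run it on copies first.

# Turn "alias net-pf-10 ipv6" into "alias net-pf-10 off" and make sure
# "alias ipv6 off" is present. A second run changes nothing.
disable_ipv6_aliases() {   # $1 = aliases file, normally /etc/modprobe.d/aliases
    sed -i 's/^alias[[:space:]][[:space:]]*net-pf-10[[:space:]][[:space:]]*ipv6[[:space:]]*$/alias net-pf-10 off/' "$1"
    grep -qx 'alias ipv6 off' "$1" || echo 'alias ipv6 off' >> "$1"
}

# Count tcp6/udp6 sockets in a saved "netstat -ln" listing. Zero means no
# listener is using IPv6, which is what the check after the reboot looks for.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
ipv6_listeners() {         # $1 = file holding the output of "netstat -ln"
    grep -cE '^(tcp|udp)6[[:space:]]' "$1" || true
}

# Constructed sample files (not taken from a real system).
demo() {
    aliases=$(mktemp); listing=$(mktemp)
    printf 'alias net-pf-10 ipv6\nalias net-pf-3 ax25\n' > "$aliases"
    disable_ipv6_aliases "$aliases"
    disable_ipv6_aliases "$aliases"   # second run: must be a no-op
    cat "$aliases"
    # What "netstat -ln" looks like while IPv6 is still active.
    printf 'tcp        0      0 0.0.0.0:22     0.0.0.0:*    LISTEN\ntcp6       0      0 :::22          :::*         LISTEN\nudp6       0      0 :::123         :::*\n' > "$listing"
    echo "IPv6 listeners: $(ipv6_listeners "$listing")"
    rm -f "$aliases" "$listing"
}

demo
```

Running disable_ipv6_aliases twice leaves exactly one net-pf-10 line and one “alias ipv6 off” line, which is what you want from something that may be re-run from configuration management; the sample listing reports two IPv6 listeners, and a listing taken after a successful reboot would report zero.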