SSH brute-force combat script

November 28, 2009
#!/bin/sh
# rc.turkey
# http://twitter.com/kokikode

# The addresses this script collects in "/etc/hosts.rogues" are turned into an sshd exception
# by referencing that file from "/etc/hosts.allow", as in this sample. (hosts.allow/hosts.deny
# are evaluated by tcp_wrappers, so this layer only takes effect where sshd is built with libwrap.)
# ALL: 127.0.0.1/32
# ALL: 192.168.0.0/24
# sshd: ALL EXCEPT /etc/hosts.rogues

# Then make "/etc/hosts.deny" the catch-all, so anything not explicitly allowed above is refused:
# ALL: ALL

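hosts_rogues() {
   # Record the attacker in $rawline in the tcp_wrappers exception list, once.
   # ROGUES_FILE may override the path; the default is the original /etc/hosts.rogues.
   rogues_file=${ROGUES_FILE:-/etc/hosts.rogues}
   # -F: the address is a literal, not a regex (an unescaped '.' matches any character).
   # -w: whole-word match, so 1.2.3.4 is not considered "already listed" just because
   #     1.2.3.45/32 or 11.2.3.4/32 is in the file -- that would leave a new attacker unlisted.
   # stderr is silenced because the file may not exist yet; grep then fails and we create it.
   if ! grep -qwF -- "$rawline" "$rogues_file" 2>/dev/null; then
      printf '%s/32\n' "$rawline" >> "$rogues_file"
   fi
}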

# Additional commands if needed.
# /sbin/iptables -A FORWARD -j DROP -s $rawline
# /sbin/iptables -A FORWARD -j DROP -d $rawline
# /sbin/iptables -A OUTPUT -j DROP -d $rawline

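resist_attack() {
   # Drop all traffic from the attacker in $rawline at the netfilter level, once.
   # Only the INPUT chain is inspected because that is the only chain this function
   # writes to. -F/-w: match the address as a literal whole word, so a rule for
   # 1.2.3.45 or 11.2.3.4 does not make 1.2.3.4 look already blocked.
   if ! /sbin/iptables -L INPUT -v -n | grep -qwF -- "$rawline"; then
      # Insert (-I) at the head of INPUT rather than append (-A): the header above
      # tells the user to install a rate-limited ACCEPT for port 22, and an appended
      # DROP would sit behind it and never see the attacker's first packet per minute.
      /sbin/iptables -I INPUT -j DROP -s "$rawline"
      # NOTE(review): a destination match in INPUT only fires for packets addressed
      # to this host, i.e. only if this host owns $rawline. Kept for compatibility;
      # the commented OUTPUT -d rule above is what would stop replies to the attacker.
      /sbin/iptables -I INPUT -j DROP -d "$rawline"
   fi
}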

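route_to_blackhole() {
   # Add a blackhole route for $rawline so nothing is ever sent back to it, once.
   # -F/-w: literal whole-word match on the "blackhole A.B.C.D" listing, so an
   # existing route for 1.2.3.45 does not suppress the route for 1.2.3.4.
   if ! /bin/ip route list type blackhole | grep -qwF -- "$rawline"; then
      /bin/ip route add blackhole "$rawline"
   fi
}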

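# Stamp the start of this run (overwritten every run; useful to see the cron job is alive).
date > /var/log/lastlog.turkey

# Please add the rules in IPTables-based firewall as one of the requirements to run this script, such as the following example.
# Connections beyond 1/min per SYN are logged at level debug and dropped; the LOG lines are what this script parses.
# iptables -A INPUT -j ACCEPT -p tcp --dport 22 --syn -m state --state NEW -m limit --limit 1/m --limit-burst 1
# iptables -A INPUT -j LOG -p tcp --dport 22 --syn -m state --state NEW --log-level debug
# iptables -A INPUT -j DROP -p tcp --dport 22 --syn -m state --state NEW
# NOTE(review): the script assumes syslog routes kernel debug-level messages to /var/log/debug -- confirm in your syslog config.

fw_log=/var/log/debug
auth_log=/var/log/auth.log
iface=eth1

# Accept only a dotted-quad IPv4 address. Anything else came from a log line we did
# not expect (or was injected into a log), and must not reach grep/iptables/ip.
is_ipv4() {
   printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Candidate attackers: every SRC= address the firewall logged hitting port 22 on $iface.
# The SRC= value is pulled out by name rather than by '=' field position, so a log line
# without a MAC= field (or with extra fields) cannot shift the wrong token into $rawline.
grep "IN=$iface" "$fw_log" | grep 'DPT=22' \
   | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u | while read -r rawline; do
   is_ipv4 "$rawline" || continue

   # All sshd lines about this address. -F/-w: literal whole-word match, so
   # 1.2.3.4 does not pick up lines about 1.2.3.45 or 11.2.3.4 and ban the wrong host.
   # Counting in-shell replaces the original /tmp/$rawline scratch files, which were
   # predictable names written as root in a world-writable directory (symlink target).
   sshd_lines=$(grep sshd "$auth_log" | grep -wF -- "$rawline")
   [ -n "$sshd_lines" ] || continue
   invalid=$(printf '%s\n' "$sshd_lines" | grep -c 'Invalid user')
   failed=$(printf '%s\n' "$sshd_lines" | grep -c 'Failed password')
   breakin=$(printf '%s\n' "$sshd_lines" | grep -c 'POSSIBLE BREAK-IN ATTEMPT')

   # Ban on any unknown-user attempt, any break-in warning, or three or more failed
   # passwords (the original threshold: hitcount > 2). The three actions are each
   # idempotent, so running them once per address is equivalent to the original's
   # up-to-three invocations.
   if [ "$invalid" -gt 0 ] || [ "$failed" -gt 2 ] || [ "$breakin" -gt 0 ]; then
      hosts_rogues
      resist_attack
      route_to_blackhole
   fi
done

exit 0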

I run this script from root's crontab every 5 minutes. Be aware that bans are permanent -- nothing ever removes an address from hosts.rogues, the INPUT chain or the blackhole table -- and three failed passwords are enough to trigger one, so keep a console or other out-of-band path to the host in case a legitimate address gets caught.


3 Responses to “SSH brute-force combat script”

  1. Nuller Says:

    Greate template. Thank you, I will share it in my site


  2. Excellent post..Keep them coming 🙂 Thanks for sharing.


  3. Thank you a lot for sharing this with all folks you actually
    recognize what you’re talking approximately! Bookmarked. Please also seek advice from my web site =). We can have a link alternate arrangement among us

