Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Hubert Feyrer <hubert@feyrer.de>
From: Rhialto <rhialto@falu.nl>
List: tech-net
Date: 01/13/2007 04:37:29
On Fri 12 Jan 2007 at 13:58:24 +0100, Hubert Feyrer wrote:
> On Fri, 12 Jan 2007, David Sheryn wrote:
> >http://fail2ban.sourceforge.net/ or similar ? (not tried it myself) Any
> >other suggestions ?
>
> See "Fighting ssh password guessing attempts (Update #2)" at
> http://www.feyrer.de/NetBSD/blog.html/nb_20060107_2016.html
I wonder if this kind of thing can't be done with a PAM module? It would
be much more efficient than tail-ing a logfile.
I am running a slightly changed version of the above script: I also look
for the pattern "Illegal user .* from" to block, and my "block in" filter
rules are in "group 200", which others might not have.
#!/bin/sh
# Block unauthorised login attempts using only system tools
# Inspired by Hubert Feyrer's 'challenge' to write a script that just used
# tail to do the work
# (c) Ian Spray and Hubert Feyrer, 2006
# Use it for what you will: no restrictions, and no warranty
TAIL=/usr/bin/tail
SED=/usr/bin/sed
IPF=/sbin/ipf
LOG_FILE='/var/log/authlog'

# Every generated rule passes through persist() on its way to ipf.  By
# default it is also appended to /etc/ipf.conf so the ban survives a reboot.
# (A pipe cannot be smuggled in through a variable, hence a function.)
persist() { /usr/bin/tee -a /etc/ipf.conf; }
# uncomment the following line if you want bans to be temporary
# persist() { cat; }

# tail -F follows the file across log rotation; "IFS= read -r" keeps the
# line byte-for-byte (no backslash processing, no whitespace trimming).
${TAIL} -F "${LOG_FILE}" | while IFS= read -r LOG_LINE
do
    # Trusted sources are matched after "from " so that, e.g., 210.0.1.5 is
    # not skipped just because it contains the substring "10.0.".
    # Each s///p turns one failed attempt into one "block in" rule for group
    # 200; lines that match neither pattern produce no output (-n).
    printf '%s\n' "${LOG_LINE}" \
    | ${SED} -n \
        -e '/from 127\.0\.0\.1/d' \
        -e '/from 192\.168\.0\./d' \
        -e '/from 10\.0\./d' \
        -e 's/.*Failed password .* from \([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\).*/block in log quick from \1.\2.\3.\4 to any group 200/p' \
        -e 's/.*Illegal user .* from \([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\).*/block in log quick from \1.\2.\3.\4 to any group 200/p' \
    | persist | ${IPF} -A -f -
done
-Olaf.
--
___ Olaf 'Rhialto' Seibert -- You author it, and I'll reader it.
\X/ rhialto/at/xs4all.nl -- Cetero censeo "authored" delendum esse.
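An added example, not from Rhialto's message or Hubert's blog: the same sed extraction run in batch form over a few constructed authlog lines, so the patterns can be checked without ipf and without a live /var/log/authlog. It assumes OpenSSH's "Failed password for X from A.B.C.D" / "Illegal user X from A.B.C.D" wording and the "group 200" from the message; the trusted-source check is done on the extracted address with case rather than on the raw line, and the failure threshold is an addition that the posted script (which blocks on the first line) does not have.

```shell
#!/bin/sh
# Added example, not the script posted in the thread.  Batch version of the
# sed-based extraction: log text in, ipf rules out, no ipf needed to test.
# Assumed: OpenSSH log wording as quoted in the thread and rule group 200.

# Constructed sample log lines (not from a real system).  210.0.1.5 is there
# because an unanchored /10\.0\./ whitelist pattern would wrongly skip it.
SAMPLE_LOG='Jan 13 04:01:02 host sshd[123]: Failed password for root from 203.0.113.7 port 4444 ssh2
Jan 13 04:01:03 host sshd[124]: Illegal user admin from 198.51.100.9
Jan 13 04:01:04 host sshd[125]: Failed password for olaf from 192.168.0.5 port 5555 ssh2
Jan 13 04:01:05 host sshd[126]: Failed password for test from 210.0.1.5 port 6666 ssh2
Jan 13 04:01:06 host sshd[127]: Accepted publickey for olaf from 203.0.113.7 port 4445 ssh2
Jan 13 04:01:07 host sshd[128]: Failed password for root from 203.0.113.7 port 4446 ssh2'

# Basic-regex dotted quad, same shape as in the posted script.
IP='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

# failed_ips: log text on stdin -> one offending source IP per line on stdout.
# Trusted sources are compared as whole addresses/prefixes with case, so
# 210.0.1.5 is not mistaken for something in 10.0.0.0/16.
failed_ips() {
    sed -n \
        -e "s/.*Failed password .* from \(${IP}\).*/\1/p" \
        -e "s/.*Illegal user .* from \(${IP}\).*/\1/p" \
    | while IFS= read -r ip; do
        case "$ip" in
            127.0.0.1|192.168.0.*|10.0.*) ;;      # trusted, never block
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# gen_rules [N]: one ipf rule per IP seen with at least N failures
# (default 1, which is what the posted script does for every single line).
gen_rules() {
    failed_ips | sort | uniq -c | awk -v n="${1:-1}" \
        '$1 >= n { printf "block in log quick from %s to any group 200\n", $2 }'
}

# Stand-alone run: the rules that would be fed to "ipf -A -f -".
printf '%s\n' "$SAMPLE_LOG" | gen_rules 2
```

Two caveats when running the real thing: the patterns only ever see IPv4 addresses (an IPv6 "from" is silently ignored), and newer OpenSSH releases log "Invalid user" rather than "Illegal user", so on such systems a third pattern is needed or the attempts are never blocked.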