Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Hubert Feyrer <hubert@feyrer.de>
From: Rhialto <rhialto@falu.nl>
List: tech-net
Date: 01/13/2007 04:37:29
On Fri 12 Jan 2007 at 13:58:24 +0100, Hubert Feyrer wrote:
> On Fri, 12 Jan 2007, David Sheryn wrote:
> >http://fail2ban.sourceforge.net/ or similar ? (not tried it myself)  Any
> >other suggestions ?
> 
> See "Fighting ssh password guessing attempts (Update #2)" at 
> http://www.feyrer.de/NetBSD/blog.html/nb_20060107_2016.html

I wonder if this kind of thing can't be done with a PAM module? It would
be much more efficient than tail-ing a logfile.

I am running a slightly changed version of the above script: I also look
for the pattern "Illegal user .* from" to block and my "block in" filter
rules are in "group 200" which others might not have.

#!/bin/sh

# Block unauthorised login attempts using only system tools
# Inspired by Hubert Freyer's 'challenge' to write a script that just used
# tail to do the work
# (c) Ian Spray and Hubert Fyerer, 2006

# Use it for what you will: no restrictions, and no warranty

TAIL=/usr/bin/tail
SED=/usr/bin/sed
IPF=/sbin/ipf
CMD_PERM='/usr/bin/tee -a /etc/ipf.conf | '
LOG_FILE='/var/log/authlog'

# uncomment the following line if you want bans to be temporary
# CMD_PERM=''

${TAIL} -F ${LOG_FILE} | while read LOG_LINE
do
	echo "${LOG_LINE}" \
	| ${SED} -n \
		-e '/127\.0\.0\.1/d' \
		-e '/192\.168\.0\./d' \
		-e '/10\.0\./d' \
		-e 's/.*Failed password .* from \([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\).*/block in log quick from \1.\2.\3.\4 to any group 200/p' \
		-e 's/.*Illegal user .* from \([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\).*/block in log quick from \1.\2.\3.\4 to any group 200/p' \
	| /usr/bin/tee -a /etc/ipf.conf | ${IPF} -A -f -
	# | ${CMD_PERM} ${IPF} -A -f -
done

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert      -- You author it, and I'll reader it.
\X/ rhialto/at/xs4all.nl        -- Cetero censeo "authored" delendum esse.