Mailing List Archive



Re: [tlug] dropping any IP that tries port 22?



On Fri, 2007-01-19 at 14:28 +0900, Birkir A. Barkarson wrote:

> Nice idea, although I have on occasion forgotten to put the -p <non
> standard port> on the ssh command line before trying to connect.

Yeah, I know what you mean. I was on vacation a while back and couldn't
log in to my server as none of the public Internet access points would
allow me to install a knock client - at least now I've got SquirrelMail up
so I can check my mail :-)

> On Fri, 2007-01-19 at 16:56 +0900, Stephen J. Turnbull wrote:
> iptables -I INPUT 1 -d yo.ur.i.p --proto tcp --dport 22 --syn -j LOG
>
> (You then need to use position 1 for the bans, otherwise the same
> script kiddie gets banned a couple thousand times.)

This is a great idea. I'm not familiar with what position 1 is, so I've
gotta do some more reading...

I've been using Shorewall to manage iptables and it defaults all of the
drop logs to ulogd. So I did this and got a nice list of IPs of ssh
attempts (please forgive my ugly code):

tac /var/log/ulogd/ulogd.syslogemu | grep 'DPT=22' | awk '{print $9}' |
sort -u | cut -c 5-19 > /var/log/sshattemptssorted.txt

so now I have this list, but wc -l shows there are 2,537 IPs there, so I
have to install ipsets into Shorewall to handle this large blacklist. I
think after that is done I can start automating this by cron maybe, have
a script that scans the ulog for ssh attempts, compares the IPs to the
existing sshattemptssorted.txt and if it isn't there automatically adds
it to the list and the Shorewall blacklist. Or maybe there is a simpler
way?

Cheers,
Scott VanDusen
Tokyo
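The "scan the log, compare against the existing list, add what is new" step that the post sketches, as an added shell example that is not from the original thread. The log lines, host name and file names are constructed; the field layout (SRC=... as the ninth field, DPT=22 later on the line) is assumed to match the ulogd syslogemu output the post's pipeline parsed, and the script only reports and records addresses, so wiring them into the Shorewall/ipset blacklist is left to the reader.

```shell
#!/bin/sh
# Added example, not code from the original thread. Scans ulogd syslogemu
# style drop logs for SSH probes (DPT=22), dedupes the SRC addresses and
# reports only those missing from an existing list. Sample data is constructed.

# new_ssh_sources LOGFILE KNOWNFILE
# Print SRC addresses of DPT=22 entries in LOGFILE that are absent from
# KNOWNFILE, one per line, sorted. SRC= is found by scanning fields rather
# than assuming $9, and DPT is compared whole so DPT=2222 does not match.
new_ssh_sources() {
    awk '{ src = ""; hit = 0
           for (i = 1; i <= NF; i++) { if ($i ~ /^SRC=/) src = substr($i, 5); if ($i == "DPT=22") hit = 1 }
           if (hit && src != "") print src }' "$1" \
    | sort -u \
    | awk 'known { seen[$0] = 1; next } !($0 in seen)' known=1 "$2" known=0 -
}

# update_blacklist LOGFILE KNOWNFILE
# Append the new addresses to KNOWNFILE and print how many were added.
# The same addresses would also go to the firewall blacklist on a real box.
update_blacklist() {
    new=$(new_ssh_sources "$1" "$2")
    if [ -z "$new" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$new" >> "$2"
    printf '%s\n' "$new" | awk 'END { print NR }'
}

# write_sample DIR: constructed sample log and seed list, in the field
# layout the original pipeline relied on (SRC=... is the 9th field).
write_sample() {
    cat > "$1/ulogd.syslogemu" <<'EOF'
Jan 19 14:28:01 gw Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40123 DPT=22 SYN
Jan 19 14:28:05 gw Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 19 14:28:09 gw Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40124 DPT=22 SYN
Jan 19 14:28:12 gw Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.42 DST=192.0.2.1 PROTO=TCP SPT=40200 DPT=2222 SYN
Jan 19 14:28:20 gw Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=192.0.2.1 PROTO=TCP SPT=33000 DPT=22 SYN
EOF
    printf '198.51.100.9\n' > "$1/sshattemptssorted.txt"
}
```

Run from cron as `update_blacklist /var/log/ulogd/ulogd.syslogemu /var/log/sshattemptssorted.txt`; the known-list exclusion survives an empty list file because the awk `known=` assignments are evaluated per argument.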