Re: [tlug] Blocking bad sshd bruteforce attempt



> Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 202.158.162.53
>
> ...
>
> I remember that someone in TLUG has posted a ruby (?) script to the
> list but I couldn't find the post in the archives.

I have a simple but effective filter on my home machine. I added the
following lines to /etc/syslog-ng/syslog-ng.conf to send the offending
messages to my detection script:

  filter f_anticrack { match("Invalid user"); };
  destination d_anticrack { program("/root/bin/crackDetect"); };
  log { source(src); filter(f_anticrack); destination(d_anticrack); };

[Note: I run syslog-ng. I would assume that any relatively modern syslog
daemon would have the ability to send select log messages to a program.]

The target of the syslog filter is a script (if you're really paranoid,
you should re-write this in a compiled language instead of a perl script):

  #!/usr/bin/perl
  # Fed by syslog-ng's program() destination: one matching log line per read.

  use strict;
  use warnings;
  use Sys::Syslog;

  my %db = ( );   # source address -> { username => 1 }
  my %zz = ( );   # source addresses already added to the chain

  system( "iptables", "-F", "SHITLIST" ); # clear SHITLIST when program starts

  openlog( "scanDetect", "", "USER" );

  while ( <> )
  {
      if ( /Invalid user (\S+) from (\S+)/ )
      {
          my $src = $2;
          my $dpt = $1;

          # Only ever hand a plain IPv4 address to iptables.
          next unless ( $src =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ );

          $db{ $src } = { } unless ( exists $db{ $src } );

          $db{ $src }->{ $dpt } = 1 unless ( exists $db{ $src }->{ $dpt } );

          # More than three distinct usernames from one source: ban it, once.
          if ( scalar( keys %{ $db{ $src } } ) > 3 )
          {
              unless ( exists $zz{ $src } )
              {
                  syslog( "WARNING", "==> Hack attempt from %s", $src );

                  # List form of system(): no shell, so $src cannot inject commands.
                  system( "iptables", "-A", "SHITLIST", "-s", $src, "-j", "DROP" );

                  $zz{ $src } = 1;
              }
          }
      }
  }

The upshot is that after a given miscreant, identified by his IP address,
tries knocking on three different non-existent addresses, he gets added
into a chain called 'SHITLIST' (which you will have to create beforehand).

My iptables script then does the following:

  iptables -A INPUT -j SHITLIST

very early in the chain. Essentially, every packet coming into the machine
goes through this list and hack attempts earn the hacker his very own
place on the list. From his point of view, the machine disappears (script
kiddies probably go off thinking they've crashed the machine ;-).

It works fine for me. When I review the log, I often see a short burst of
hack attempts (mostly 'a' usernames, since the list they use seems to be
alphabetical) followed by silence.

I use pretty much the same scheme (syslog->filter->iptables) to screen out
port scanners. For that, you have to also add dropped packet logging to
your iptables script, but it's worth it.

I know... having a script running as root accessing programs through
'system' is not very secure. But I'm the only one who is supposed to be on
the machine so I don't have to worry as much about hacking by local users.

You also may notice that after a couple months, sites such as webshots
apparently stop working. When that happens, it's probably time to clean
out the SHITLIST chain. Seems some of the hacking traffic comes from IP
addresses that belong to webshots.com ;-)...

---
Joseph L (Joe) Larabell            Never fight with a dragon
http://larabell.org                     for thou art crunchy
                                  and goest well with cheese.
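The same detection logic as the Perl script in the post, rewritten as an added Python example (not from the original post or its author): it counts distinct rejected usernames per source address, accepts both the "Illegal user" and "Invalid user" wordings that appear in this thread, refuses anything that is not a real IP address, and returns the iptables argument list rather than building a shell command string. The chain name SHITLIST and the threshold follow the post; the sample log lines are constructed.

```python
"""Brute-force detector modelled on the post's Perl script: counts distinct
rejected usernames per source and returns the iptables argv for a ban.
Commands are returned rather than executed so the logic can be tested offline."""
import ipaddress
import re
import subprocess
import sys

# Accept both the older "Illegal user" and the newer "Invalid user" wording.
INVALID_USER_RE = re.compile(r"(?:Invalid|Illegal) user (\S+) from (\S+)")

class CrackDetector:
    def __init__(self, threshold=3, chain="SHITLIST"):
        self.threshold, self.chain = threshold, chain
        self.users_by_src = {}  # source address -> set of usernames tried
        self.banned = set()     # sources already appended to the chain

    def feed(self, line):
        """Process one log line; return an iptables argv when a ban is due, else None."""
        m = INVALID_USER_RE.search(line)
        if not m:
            return None
        user, src = m.group(1), m.group(2)
        try:
            ipaddress.ip_address(src)  # refuse anything that is not a bare IP address
        except ValueError:
            return None
        self.users_by_src.setdefault(src, set()).add(user)
        if len(self.users_by_src[src]) > self.threshold and src not in self.banned:
            self.banned.add(src)
            return ["iptables", "-A", self.chain, "-s", src, "-j", "DROP"]
        return None

def scan(lines, threshold=3):
    """Run the detector over an iterable of lines; return all ban commands in order."""
    det = CrackDetector(threshold)
    return [cmd for cmd in map(det.feed, lines) if cmd]

# Constructed sample: one source tries four names, the other only one.
SAMPLE = """\
Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 202.158.162.53
Jul 11 07:02:07 aoclife sshd[24863]: Invalid user admin from 202.158.162.53
Jul 11 07:02:09 aoclife sshd[24865]: Invalid user test from 202.158.162.53
Jul 11 07:02:10 aoclife sshd[24867]: Invalid user guest from 192.0.2.7
Jul 11 07:02:11 aoclife sshd[24869]: Invalid user oracle from 202.158.162.53
""".splitlines()

if __name__ == "__main__":  # fed by syslog-ng's program() destination
    for cmd in scan(sys.stdin):
        subprocess.run(cmd, check=False)  # list form: no shell, so $src cannot inject
```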

