My firewall gets a lot of failed ssh logins.
These are typical log messages in /var/log/authlog:
Feb 9 20:15:49 pedro sshd[30934]: Failed password for root from 67.205.85.119 port 35603 ssh2
Feb 9 20:15:49 pedro sshd[2656]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb 9 20:15:51 pedro sshd[15299]: Failed password for root from 67.205.85.119 port 35753 ssh2
Feb 9 20:15:51 pedro sshd[15791]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb 9 20:15:53 pedro sshd[9043]: Failed password for root from 67.205.85.119 port 35882 ssh2
Feb 9 20:15:53 pedro sshd[31484]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb 9 20:15:54 pedro sshd[27717]: Failed password for root from 67.205.85.119 port 36030 ssh2
Feb 9 20:15:55 pedro sshd[30185]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb 9 20:15:56 pedro sshd[27718]: Failed password for root from 67.205.85.119 port 36164 ssh2
Feb 9 20:15:56 pedro sshd[28005]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb 9 20:15:58 pedro sshd[30648]: Failed password for root from 67.205.85.119 port 36314 ssh2
Feb 9 20:15:58 pedro sshd[21087]: Received disconnect from 67.205.85.119: 11: Bye Bye
Of course this is a script kiddie that tries to break into my firewall just because it answers on port 22, and it is annoying. One way of making it a little harder to break in is to have the packet filter drop all packets that come from an IP address that did this.
This is one way of doing it.
Create a pf blacklist table in /etc/pf.conf and a rule that blocks everything in it:
–snipp–
table <ssh_blacklist> persist file "/var/pf/ssh_blacklist" ...
block in quick log on $ext_if from <ssh_blacklist> to any
–snipp–
Create a script that detects failed ssh break-in attempts and updates the blacklist:
root@pedro:/var/log# cat /root/scripts/blockbadssh.sh
#!/bin/sh
logger "Check for bad ssh behavior"
PATH=/bin:/usr/bin
BL=/var/pf/ssh_blacklist
TEMPFILE=$(mktemp /tmp/bl_XXXXXX) || exit 1
TEMPFILE2=$(mktemp /tmp/bl2_XXXXXX) || exit 1
#cp $BL $TEMPFILE
# Collect the source address of every failed attempt; the awk field
# number depends on which of the three sshd message formats matched.
grep "Invalid user" /var/log/authlog | awk '{print $10}' | sort | uniq > "$TEMPFILE2"
grep "Failed password for invalid" /var/log/authlog | awk '{print $13}' | sort | uniq >> "$TEMPFILE2"
grep "Failed password for root" /var/log/authlog | awk '{print $11}' | sort | uniq >> "$TEMPFILE2"
sort "$TEMPFILE2" | uniq > "$TEMPFILE"
#echo "TEMPFILE is now"
#cat $TEMPFILE
#cat $BL >> $TEMPFILE
# Log every address that is not already on the blacklist
# (-F: match the dots literally, -x: whole line only, -q: no output;
#  grep exits 1 when there is no match)
for i in $(cat "$TEMPFILE")
do
    grep -qxF -- "$i" "$BL"
    if [ "$?" -eq 1 ]
    then
        logger "Added $i to ssh-blacklist"
        echo "Added $i to ssh-blacklist"
    fi
done
# Merge with the existing blacklist and load the result into the pf table
cat "$BL" >> "$TEMPFILE"
sort "$TEMPFILE" | uniq > "$BL"
rm "$TEMPFILE"
rm "$TEMPFILE2"
/sbin/pfctl -t ssh_blacklist -Treplace -f "$BL" 2>&1 | grep -v "no changes"
Make it run every minute:
root@pedro:/var/log# crontab -l
* * * * * /root/scripts/blockbadssh.sh
I know this is a dirty way of doing it, and it is a good idea to have another pf rule that accepts traffic from well-known hosts so you do not get blocked because you failed a login.
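As an added example (not the script from this post), here is the detection half done in one awk pass over authlog-format lines, with a failure threshold and a whitelist so that one mistyped password from a trusted host never ends up in the pf table. The function name offenders, the WHITELIST variable and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the blog's script: count failed-password attempts
# per source IP in authlog-format lines, then print only the hosts that
# crossed a threshold and are not on a whitelist.  Names below
# (offenders, WHITELIST) are assumptions for the example.

# Constructed sample log; line formats copied from the post, addresses
# from the documentation ranges plus the attacker IP the post shows.
SAMPLE_LOG=$(cat <<'EOF'
Feb  9 20:15:49 pedro sshd[30934]: Failed password for root from 67.205.85.119 port 35603 ssh2
Feb  9 20:15:49 pedro sshd[2656]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:51 pedro sshd[15299]: Failed password for root from 67.205.85.119 port 35753 ssh2
Feb  9 20:16:02 pedro sshd[15300]: Invalid user oracle from 192.0.2.10
Feb  9 20:16:02 pedro sshd[15300]: Failed password for invalid user oracle from 192.0.2.10 port 4000 ssh2
Feb  9 20:16:10 pedro sshd[15301]: Failed password for root from 198.51.100.7 port 4010 ssh2
Feb  9 20:16:20 pedro sshd[15302]: Failed password for root from 203.0.113.5 port 4020 ssh2
Feb  9 20:16:21 pedro sshd[15303]: Failed password for root from 203.0.113.5 port 4021 ssh2
EOF
)

# Space-separated hosts that must never land in the pf table (constructed).
WHITELIST="198.51.100.7"

# offenders THRESHOLD  < logfile
# Prints "count ip" for each non-whitelisted source with >= THRESHOLD
# failures.  Only "Failed password for" lines are counted, so the
# "Invalid user" line sshd logs for the same attempt is not counted twice.
# The IP is taken as the word after "from", which works for both the
# root and the "invalid user ..." formats without fixed field numbers.
offenders() {
    awk -v wl="$WHITELIST" -v thr="$1" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr && !(ip in white)) print fails[ip], ip }
    ' | sort -rn
}

# Usage: feed the log in; on the firewall, append the second column to
# the blacklist file before running the post's pfctl -Treplace line.
printf '%s\n' "$SAMPLE_LOG" | offenders 2
```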