[UFO Chicago] Tripwire to shut off ssh access to a host?

Jesse Becker jesse_becker at yahoo.com
Mon Nov 13 19:19:46 PST 2006


--- Nate Riffe <inkblot at movealong.org> wrote:

> Jordan Bettis said this (probably recently):
> > ISTR a program that uses netfilter to automatically
> > block hosts that fail login to ssh x number of
> 
> It's not a "program," it's just these four rules, the
> second of which

Clever.  I'll have to look at that.

I use a slightly different approach that parses the ssh
logs.  Basically, I've a Perl script that reads
/var/log/auth.log (adjust for local conditions), and scans
for certain invalid entries.  There's a *LOT* of ways to do
this, but here's what I run at startup:

perl -MFile::Tail  -e '$|++; '             \
  -e '$file=File::Tail->new(name=>"/var/log/auth.log",
interval=>1, maxinterval=>10, tail=>10 ); ' \
  -e 'while(defined($line=$file->read)) {  ' \
  -e '    next unless ($u, $h) =
$line=~/(?:Illegal|Invalid) user (\w+) from (\S+)/; ' \
  -e '    print scalar localtime,": $u $h\n";'  \
  -e '    if ($u =~/^(admin|sales|tomcat)/) {
system("/sbin/iptables -I INPUT 1 -s $h -j DROP") }' \
  -e '} ' > /var/log/OSD.pipe &

Yes, it can be done in shell.  Yes, it can be done
differently.  I don't care, since this works for me.

The script watches the log file, and if it finds a failed
login (line 4), it prints the time, username, and host.  If
the username matches one of three accounts used only by
attackers, they are blackholed via iptables.

The redirect at the very end is to a FIFO.  That FIFO is
read by the root-tail program (called at user login), and
printed on the root window of my X session.



--
Jesse Becker
GPG-fingerprint:  BD00 7AA4 4483 AFCC 82D0  2720 0083 0931 9A2B 06A2
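The same log-watching logic as the one-liner above, as an added example that is not part of the original post: it parses both the older "Illegal user" and newer "Invalid user" sshd lines, blackholes hosts that probe the decoy accounts, and also goes beyond the post by adding a per-host failure threshold (the "x number of times" from the thread subject) and a small allowlist so the watcher cannot lock out the admin's own address. Decoy prefixes, threshold and allowlist values are assumptions; the script only builds the iptables command and leaves executing it to the caller.

```python
import re
import subprocess
from collections import defaultdict

# Older sshd versions log "Illegal user", newer ones "Invalid user".
INVALID_USER_RE = re.compile(r"(?:Illegal|Invalid) user (\w+) from (\S+)")

# Accounts that exist only to catch scanners (assumed list, mirrors the post).
DECOY_PREFIXES = ("admin", "sales", "tomcat")

def parse_line(line):
    """Return (user, host) for an sshd invalid-user line, else None."""
    m = INVALID_USER_RE.search(line)
    return m.groups() if m else None

class Watcher:
    def __init__(self, decoys=DECOY_PREFIXES, threshold=3, allow=("127.0.0.1",)):
        self.decoys, self.threshold, self.allow = decoys, threshold, set(allow)
        self.failures = defaultdict(int)   # host -> invalid-user count
        self.blocked = set()                # hosts already given a DROP rule

    def decide(self, line):
        """Return the iptables argv to run for this line, or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        user, host = parsed
        if host in self.allow or host in self.blocked:
            return None
        self.failures[host] += 1
        # Block at once on a decoy account, otherwise only after `threshold` failures.
        if user.startswith(self.decoys) or self.failures[host] >= self.threshold:
            self.blocked.add(host)
            return ["/sbin/iptables", "-I", "INPUT", "1", "-s", host, "-j", "DROP"]
        return None

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Nov 13 19:01:02 box sshd[4101]: Invalid user sales from 192.0.2.10",
    "Nov 13 19:01:05 box sshd[4102]: Invalid user bob from 198.51.100.7",
    "Nov 13 19:01:09 box sshd[4103]: Illegal user bob from 198.51.100.7",
    "Nov 13 19:01:12 box sshd[4104]: Invalid user alice from 198.51.100.7",
    "Nov 13 19:01:15 box sshd[4105]: Accepted publickey for jesse from 203.0.113.5 port 2222 ssh2",
]

def run(lines, execute=False):
    """Feed lines through a Watcher; run the iptables commands only if execute=True."""
    watcher, decisions = Watcher(), []
    for line in lines:
        cmd = watcher.decide(line)
        decisions.append(cmd)
        if cmd and execute:
            subprocess.run(cmd, check=True)
    return decisions
```

In production, replace SAMPLE_LOG with a tail of /var/log/auth.log and pass execute=True only after checking the allowlist covers every address you administer from.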



