Date: Sun, 18 Dec 2005 23:38:32 +0800 (CST)
From: Jui-Nan Lin <jnlin@csie.nctu.edu.tw>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/90603: [NEW PORT] security/sshit: Checks for SSH/FTP bruteforce and blocks given IPs
Message-ID: <20051218153832.C3BDEF9@Seattle.tamama.org>
Resent-Message-ID: <200512181540.jBIFe2we042398@freefall.freebsd.org>
>Number:         90603
>Category:       ports
>Synopsis:       [NEW PORT] security/sshit: Checks for SSH/FTP bruteforce and blocks given IPs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 18 15:40:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Jui-Nan Lin
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD Seattle.tamama.org 5.4-STABLE FreeBSD 5.4-STABLE #3: Thu Nov 17 16:14:12 CST 2005
>Description:
sshit is a Perl script which works along with ipfw, ipfw2, and pf.
It parses the output of syslogd and finds SSH/FTP bruteforce attacks.
If the number of failed logins is more than a threshold that the administrator
sets, sshit will block the source IP via the firewall for a while
(administrators can set the period of blocking).

WWW: http://anp.ath.cx/sshit/

Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:

--- sshit-0.5.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	sshit
#	sshit/files
#	sshit/files/pkg-message.in
#	sshit/Makefile
#	sshit/distinfo
#	sshit/pkg-descr
#	sshit/pkg-plist
#
echo c - sshit
mkdir -p sshit > /dev/null 2>&1
echo c - sshit/files
mkdir -p sshit/files > /dev/null 2>&1
echo x - sshit/files/pkg-message.in
sed 's/^X//' >sshit/files/pkg-message.in << 'END-of-sshit/files/pkg-message.in'
X===> CONFIGURATION NOTE:
X
X    Configuration of sshit is done via the main configuration file
X    located at %%PREFIX%%/etc/sshit.conf
X
X    To run the script, add a line in /etc/syslog.conf:
X
Xauth.info;authpriv.info	|exec %%PREFIX%%/sbin/sshit
X
X    and restart syslogd.
X
X    If you want to use pf as the firewall, you should add a table and the
X    corresponding deny rule. For example,
X    (In /etc/pf.conf)
X
Xtable <badhosts> persist
Xblock on $extdev from <badhosts> to any
X
X    and reload the pf rules.
X
X    If you want to use ipfw2 (with table) as the firewall, you should add a
X    table and the corresponding deny rule. For example,
X
X# ipfw add deny ip from table(0) to any
END-of-sshit/files/pkg-message.in
echo x - sshit/Makefile
sed 's/^X//' >sshit/Makefile << 'END-of-sshit/Makefile'
X# New ports collection makefile for:	sshit
X# Date created:		18 December 2005
X# Whom:			Jui-Nan Lin <jnlin@csie.nctu.edu.tw>
X#
X# $FreeBSD$
X#
X
XPORTNAME=	sshit
XPORTVERSION=	0.5
XCATEGORIES=	security
XMASTER_SITES=	http://anp.ath.cx/sshit/ \
X		${MASTER_SITE_LOCAL}
X
XMAINTAINER=	jnlin@csie.nctu.edu.tw
XCOMMENT=	Checks for SSH/FTP bruteforce and blocks given IPs
X
XRUN_DEPENDS=	${SITE_PERL}/${PERL_ARCH}/Unix/Syslog.pm:${PORTSDIR}/sysutils/p5-Unix-Syslog \
X		${SITE_PERL}/IPC/Shareable.pm:${PORTSDIR}/devel/p5-IPC-Shareable \
X		${SITE_PERL}/Proc/PID/File.pm:${PORTSDIR}/devel/p5-Proc-PID-File
X
XNO_BUILD=	yes
XUSE_PERL5_RUN=	yes
X
XWRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
XPKGMESSAGE=	${WRKDIR}/pkg-message
XSUB_FILES=	pkg-message
X
X.include <bsd.port.pre.mk>
X
X.if ${PERL_LEVEL} < 500600
XIGNORE=	Perl 5.6 or newer required. Install lang/perl5 or lang/perl5.8 and try again.
X.endif
X
Xdo-install:
X	${INSTALL_SCRIPT} ${WRKSRC}/${PORTNAME}.pl ${PREFIX}/sbin/${PORTNAME}
X	${INSTALL_DATA} ${WRKSRC}/${PORTNAME}.conf ${PREFIX}/etc/${PORTNAME}.conf-dist
X
Xpost-install:
X	@if [ ! -f ${PREFIX}/etc/${PORTNAME}.conf ]; then \
X		${CP} -p ${PREFIX}/etc/${PORTNAME}.conf-dist ${PREFIX}/etc/${PORTNAME}.conf ; \
X	fi
X.if !defined(BATCH)
X	@${CAT} ${PKGMESSAGE}
X.endif
X
X.include <bsd.port.post.mk>
END-of-sshit/Makefile
echo x - sshit/distinfo
sed 's/^X//' >sshit/distinfo << 'END-of-sshit/distinfo'
XMD5 (sshit-0.5.tar.gz) = 1b3f40e08a10919820eb5ecbfa3bc34b
XSHA256 (sshit-0.5.tar.gz) = eb65e94820fbfbd75d8227de9cd7f42b8b497c1bfac350fbb9d4ef51d85b442d
XSIZE (sshit-0.5.tar.gz) = 4065
END-of-sshit/distinfo
echo x - sshit/pkg-descr
sed 's/^X//' >sshit/pkg-descr << 'END-of-sshit/pkg-descr'
Xsshit is a Perl script which works along with ipfw, ipfw2, and pf.
XIt parses the output of syslogd and finds SSH/FTP bruteforce attacks.
XIf the number of failed logins is more than a threshold that the administrator
Xsets, sshit will block the source IP via the firewall for a while
X(administrators can set the period of blocking).
X
XWWW: http://anp.ath.cx/sshit/
END-of-sshit/pkg-descr
echo x - sshit/pkg-plist
sed 's/^X//' >sshit/pkg-plist << 'END-of-sshit/pkg-plist'
X@unexec if cmp -s %D/etc/sshit.conf %D/etc/sshit.conf-dist; then rm -f %D/etc/sshit.conf; fi
Xetc/sshit.conf-dist
X@exec if [ ! -f %D/etc/sshit.conf ] ; then cp -p %D/%F %B/sshit.conf; fi
Xsbin/sshit
END-of-sshit/pkg-plist
exit
--- sshit-0.5.shar ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
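The description above gives the whole mechanism in three sentences: read the auth log that syslogd pipes in, count failed logins per source address, and once a threshold is crossed add the address to a firewall table for a configurable period. The following is an added illustration of that loop, not code from this PR or from sshit itself (which is a Perl script); it is written in Python so it can be run and checked offline. The log lines are constructed samples in the shape FreeBSD's sshd and ftpd write, the failure regexes and the threshold/window/block defaults are assumptions rather than sshit's own, and the firewall commands target the `badhosts` pf table and ipfw table 0 named in the pkg-message. The detector only returns those `pfctl`/`ipfw` command strings instead of executing them, so no root privileges or firewall are needed to see what would be blocked and when the block would expire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (auth.info/authpriv.info) in the shape FreeBSD's
# sshd and ftpd produce. The hosts are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Dec 18 23:38:01 Seattle sshd[1201]: Failed password for root from 192.0.2.10 port 50112 ssh2
Dec 18 23:38:02 Seattle sshd[1201]: Failed password for root from 192.0.2.10 port 50113 ssh2
Dec 18 23:38:03 Seattle sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 50114 ssh2
Dec 18 23:38:04 Seattle sshd[1205]: Accepted publickey for jnlin from 198.51.100.7 port 40001 ssh2
Dec 18 23:38:05 Seattle sshd[1207]: Failed password for invalid user test from 192.0.2.10 port 50115 ssh2
Dec 18 23:38:06 Seattle ftpd[1300]: FTP LOGIN FAILED FROM 203.0.113.5, anonymous
Dec 18 23:38:07 Seattle sshd[1209]: Failed password for root from 192.0.2.10 port 50116 ssh2
Dec 18 23:38:08 Seattle ftpd[1301]: FTP LOGIN FAILED FROM 203.0.113.5, admin
"""

# Assumed failure signatures; sshit.pl carries its own patterns.
FAILURE_RES = (
    re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\d+\.\d+\.\d+\.\d+)"),
)
TIMESTAMP_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")

# Add/delete commands for the two table-based backends named in pkg-message
# (pf table <badhosts>, ipfw table 0). They are returned, never executed here.
BACKENDS = {
    "pf":   ("pfctl -t {table} -T add {ip}", "pfctl -t {table} -T delete {ip}"),
    "ipfw": ("ipfw table {table} add {ip}",  "ipfw table {table} delete {ip}"),
}


def failed_login_ip(line):
    """Return the source IP of a failed SSH/FTP login, or None for any other line."""
    for pattern in FAILURE_RES:
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None


def syslog_time(line, year):
    """Parse the BSD syslog timestamp; syslog omits the year, so the caller supplies it."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


class BruteForceDetector:
    def __init__(self, threshold=5, window=600, block_time=3600,
                 backend="pf", table="badhosts"):
        self.threshold = threshold                  # failures inside the window that trigger a block
        self.window = timedelta(seconds=window)     # how far back failures are counted
        self.block_time = timedelta(seconds=block_time)
        self.add_cmd, self.del_cmd = BACKENDS[backend]
        self.table = table
        self.failures = defaultdict(deque)          # ip -> timestamps of recent failures
        self.blocked = {}                           # ip -> time the block expires

    def feed(self, line, year):
        """Consume one syslog line; return the block command if the threshold is crossed."""
        ip = failed_login_ip(line)
        now = syslog_time(line, year)
        if ip is None or now is None or ip in self.blocked:
            return None
        hits = self.failures[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:  # forget failures older than the window
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        self.blocked[ip] = now + self.block_time
        del self.failures[ip]
        return self.add_cmd.format(table=self.table, ip=ip)

    def expire(self, now):
        """Return unblock commands for every block whose period has run out."""
        cmds = []
        for ip, until in sorted(self.blocked.items()):
            if now >= until:
                cmds.append(self.del_cmd.format(table=self.table, ip=ip))
                del self.blocked[ip]
        return cmds


def run(log_text, year=2005, **options):
    """Feed a whole log through a fresh detector and collect the commands it emits."""
    det = BruteForceDetector(**options)
    cmds = []
    for line in log_text.splitlines():
        cmd = det.feed(line, year)
        if cmd:
            cmds.append(cmd)
    return det, cmds


if __name__ == "__main__":
    detector, commands = run(SAMPLE_LOG)
    print("\n".join(commands))                                   # block command for 192.0.2.10
    print("\n".join(detector.expire(syslog_time("Dec 19 00:38:07 Seattle x", 2005))))
```

With the defaults, 192.0.2.10 reaches five failures at 23:38:07 and is added to the table, while 203.0.113.5 stops at two and stays unblocked; an hour later `expire` hands back the matching delete command. The same run with `backend="ipfw", table="0"` produces `ipfw table 0 add ...` lines instead, which is the shape the pkg-message's `deny ip from table(0)` rule consumes.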