From owner-freebsd-security@FreeBSD.ORG Wed Oct 5 16:27:15 2005
Date: Wed, 5 Oct 2005 09:26:56 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Garrett Wollman
Cc: Clemens Renner, freebsd-security@freebsd.org
Subject: Re: Repeated attacks via SSH
Message-Id: <200510051626.j95GQuVa053513@apollo.backplane.com>
References: <6.2.3.4.2.20051002153930.07a50528@localhost> <20051003145046.A30969@plexi.pun-pun.prv> <43410F51.5010607@rinux.net> <17217.24789.489670.458355@khavrinen.csail.mit.edu>
List-Id: "Security issues [members-only posting]"

It annoys me to no end so this is what I do:

/etc/syslog.conf:

    auth.info;authpriv.info		|exec /root/adm/sshlockout

And then I wrote a little program to add a rule to the firewall (you want to modify it to add after any of your optimized flow-through rules because long chains can occur). I clean out the rule (2100 in my case) about once a week so the list doesn't get too big.

Of course, if you have a lot of users they might trip over this occasionally themselves; it's designed for administrative machines and servers, not general shell boxes. YMMV.

Most of the attacks appear to come from compromised Windows boxes... probably the same BOT networks that spammers use to send spam.

-Matt

    /*
     * Use: pipe syslog auth output to this program.
     *
     * Detects failed ssh login attempts and maps out the originating IP.
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>

    int
    main(int ac, char **av)
    {
        char buf[1024];
        char *str;
        int n1;
        int n2;
        int n3;
        int n4;

        openlog("sshlockout", LOG_PID|LOG_CONS, LOG_AUTH);
        syslog(LOG_ERR, "sshlockout starting up");
        /* syslogd owns our stdin; nothing useful can go to stdout/stderr */
        freopen("/dev/null", "w", stdout);
        freopen("/dev/null", "w", stderr);

        while (fgets(buf, sizeof(buf), stdin) != NULL) {
            if (strstr(buf, "sshd") == NULL)
                continue;
            if (strstr(buf, "Failed password") == NULL)
                continue;

            /* privileged account names: lock out on the first failure */
            if ((str = strstr(buf, "Failed password for root from")) != NULL ||
                (str = strstr(buf, "Failed password for admin from")) != NULL
            ) {
                /* advance to the first digit of the source address */
                while (*str && (*str < '0' || *str > '9'))
                    ++str;
                if (sscanf(str, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4) {
                    syslog(LOG_ERR, "Detected ssh password login attempt for root, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
                    snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
                    system(buf);
                }
                continue;
            }

            /* nonexistent account names: "... invalid user <name> from a.b.c.d" */
            if ((str = strstr(buf, "Failed password for invalid user")) != NULL) {
                str += 32;      /* strlen("Failed password for invalid user") */
                while (*str == ' ')
                    ++str;
                while (*str && *str != ' ')     /* skip the user name */
                    ++str;
                if (strncmp(str, " from", 5) == 0 &&
                    sscanf(str + 5, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4
                ) {
                    syslog(LOG_ERR, "Detected ssh password login attempt for an invalid user, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
                    snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
                    system(buf);
                }
            }
        }
        syslog(LOG_ERR, "sshlockout exiting");
        return(0);
    }
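As an added example, not part of Matthew Dillon's post or his sshlockout program, the same parsing idea restructured into functions that can be exercised on sample lines, with two things the post's caveat about general shell boxes suggests: the extracted address is validated octet by octet before it is spliced into a command, and a source address is only blocked once it reaches a failure threshold, so a legitimate user who mistypes a password once is not locked out. Rule number 2100, port 22 and the `ipfw add` command shape follow the post; LOCKOUT_THRESHOLD, MAX_TRACKED, the function names and the sample log lines are this example's own assumptions (the sample lines are constructed in the syslog format sshd produced at the time).

```c
/* Added example, not the post's sshlockout: the same parsing restructured into
 * testable functions with octet validation and a per-address failure threshold.
 * Assumed (not from the post): the threshold, table size, function names and
 * the constructed sample lines. Rule 2100 and port 22 follow the post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOCKOUT_THRESHOLD 3   /* failures from one address before a rule is added */
#define MAX_TRACKED 256       /* distinct addresses remembered between restarts */
#define IPFW_RULE 2100        /* rule number used in the post */

/* Constructed sample lines in the syslog format sshd produced at the time. */
static const char *const SAMPLE_ROOT = "Oct  5 09:12:01 apollo sshd[53501]: Failed password for root from 192.0.2.10 port 4421 ssh2";
static const char *const SAMPLE_INVALID = "Oct  5 09:12:03 apollo sshd[53502]: Failed password for invalid user test from 192.0.2.10 port 4422 ssh2";
static const char *const SAMPLE_USER = "Oct  5 09:12:05 apollo sshd[53503]: Failed password for alice from 198.51.100.7 port 50001 ssh2";
static const char *const SAMPLE_BADOCTET = "Oct  5 09:12:06 apollo sshd[53504]: Failed password for root from 999.0.2.10 port 4423 ssh2";
static const char *const SAMPLE_ACCEPT = "Oct  5 09:12:07 apollo sshd[53505]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2";

static struct { char ip[16]; int count; } table[MAX_TRACKED];
static int ntracked;

/* Pull the dotted-quad source address out of an sshd "Failed password" line
 * ("for root from", "for <user> from", "for invalid user <user> from").
 * Returns 1 and fills ip (at least 16 bytes) on success, 0 otherwise. */
int extract_failed_ip(const char *line, char *ip, size_t iplen)
{
    const char *p;
    int o[4], n = 0, i;

    if (strstr(line, "sshd") == NULL || (p = strstr(line, "Failed password for ")) == NULL)
        return 0;
    p += strlen("Failed password for ");
    if (strncmp(p, "invalid user ", 13) == 0)
        p += 13;
    while (*p && *p != ' ')         /* skip the user name token */
        p++;
    if (strncmp(p, " from ", 6) != 0)
        return 0;
    p += 6;
    if (sscanf(p, "%d.%d.%d.%d%n", &o[0], &o[1], &o[2], &o[3], &n) != 4)
        return 0;
    for (i = 0; i < 4; i++)         /* reject out-of-range octets */
        if (o[i] < 0 || o[i] > 255)
            return 0;
    if (p[n] != ' ' && p[n] != '\n' && p[n] != '\0')
        return 0;                   /* e.g. a fifth component: 1.2.3.4.5 */
    snprintf(ip, iplen, "%d.%d.%d.%d", o[0], o[1], o[2], o[3]);
    return 1;
}

/* Count one failure for ip; return the running total (0 if the table is full). */
int record_failure(const char *ip)
{
    int i;
    for (i = 0; i < ntracked; i++)
        if (strcmp(table[i].ip, ip) == 0)
            return ++table[i].count;
    if (ntracked >= MAX_TRACKED)
        return 0;
    snprintf(table[ntracked].ip, sizeof table[ntracked].ip, "%s", ip);
    table[ntracked].count = 1;
    ntracked++;
    return 1;
}

void reset_failures(void) { ntracked = 0; }

/* Feed one syslog line. Returns 1 and writes the ipfw command into cmd when the
 * line brings its source address exactly to the threshold, 0 otherwise. The
 * command text holds only the validated digits and dots of the address. */
int process_line(const char *line, char *cmd, size_t cmdlen)
{
    char ip[16];
    if (!extract_failed_ip(line, ip, sizeof ip) || record_failure(ip) != LOCKOUT_THRESHOLD)
        return 0;
    snprintf(cmd, cmdlen, "ipfw add %d deny tcp from %s to me 22", IPFW_RULE, ip);
    return 1;
}

/* Wrappers returning static buffers (or NULL), handy for quick checks. */
const char *failed_ip_of(const char *line)
{
    static char ip[16];
    return extract_failed_ip(line, ip, sizeof ip) ? ip : NULL;
}
const char *lockout_command(const char *line)
{
    static char cmd[128];
    return process_line(line, cmd, sizeof cmd) ? cmd : NULL;
}

/* Stand-alone use: pipe syslog auth output in, as the post does. */
int main(void)
{
    char buf[1024], cmd[128];
    while (fgets(buf, sizeof buf, stdin) != NULL)
        if (process_line(buf, cmd, sizeof cmd))
            system(cmd);
    return 0;
}
```

The threshold state lives in memory only, so restarting the program (or syslogd) forgets earlier failures; the post's weekly flush of rule 2100 still applies to whatever this adds. Because the `%d` conversions and the range check are the only path from log text into the command string, a hostile user name in the log line cannot reach `system()`.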