Repeated attacks via SSH
Matthew Dillon
dillon at apollo.backplane.com
Wed Oct 5 09:27:15 PDT 2005
It annoys me to no end so this is what I do:
/etc/syslog.conf:
auth.info;authpriv.info |exec /root/adm/sshlockout
And then I wrote a little program to add a rule to the firewall (you want
to modify it to add after any of your optimized flow-through rules because
long chains can occur).
I clean out the rule (2100 in my case) about once a week so the list doesn't
get too big.
Of course, if you have a lot of users they might occasionally trip over this
themselves; it's designed for administrative machines and servers, not
general shell boxes. YMMV.
Most of the attacks appear to come from compromised windows boxes...
probably the same BOT networks that spammers use to send spam.
-Matt
/*
* Use: pipe syslog auth output to this program.
*
* Detects failed ssh login attempts and maps out the originating IP.
*/
#include <sys/types.h>
#include <sys/wait.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
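/*
 * ipfw rule number the deny rules are added under.  As the post says, you
 * may want to place this after your optimised flow-through rules; change
 * the number here.
 */
static const char lockout_rule[] = "2100";

/*
 * Extract the dotted-quad source address of an sshd "Failed password" line
 * into out (needs at least 16 bytes).
 *
 * The address is taken from the LAST " from " on the line rather than the
 * first: the user name sshd echoes between "for" and "from" is supplied by
 * the remote side, so anchoring on the first " from " after the user name
 * would let that side choose which address ends up in the deny rule.  sshd
 * appends its own " from <addr>" after the user name, so the last one is
 * the real source.  Each octet is range-checked so the value handed to ipfw
 * is always a well-formed IPv4 address.
 *
 * Returns 1 and fills out on success, 0 when no valid address is present.
 */
static int
parse_source_ip(const char *line, char *out, size_t outsz)
{
	const char *from = NULL;
	const char *p = line;
	int octet[4];
	int n;

	while ((p = strstr(p, " from ")) != NULL) {
		from = p;
		p += 6;		/* strlen(" from ") */
	}
	if (from == NULL)
		return 0;
	if (sscanf(from + 6, "%d.%d.%d.%d",
	    &octet[0], &octet[1], &octet[2], &octet[3]) != 4)
		return 0;
	for (int i = 0; i < 4; i++) {
		if (octet[i] < 0 || octet[i] > 255)
			return 0;
	}
	n = snprintf(out, outsz, "%d.%d.%d.%d",
	    octet[0], octet[1], octet[2], octet[3]);
	return (n > 0 && (size_t)n < outsz);
}

/*
 * Block TCP port 22 from ip by adding a deny rule under lockout_rule.
 *
 * ipfw is run via fork/exec with a fixed argv instead of system(3): no
 * shell is involved, so the only variable data is the already-validated
 * address.  The exit status is checked because a silently failed ipfw
 * invocation would leave the source unblocked while the log says otherwise.
 * ipfw's own output goes to stdout/stderr, which main() points at /dev/null.
 */
static void
lockout(const char *ip)
{
	pid_t pid = fork();
	int status;

	if (pid < 0) {
		syslog(LOG_ERR, "fork failed, cannot lock out %s: %m", ip);
		return;
	}
	if (pid == 0) {
		execlp("ipfw", "ipfw", "add", lockout_rule, "deny", "tcp",
		    "from", ip, "to", "me", "22", (char *)NULL);
		_exit(127);	/* exec failed; parent reports the bad status */
	}
	if (waitpid(pid, &status, 0) < 0 ||
	    !WIFEXITED(status) || WEXITSTATUS(status) != 0)
		syslog(LOG_ERR, "ipfw add %s deny tcp from %s to me 22 failed",
		    lockout_rule, ip);
}

/*
 * Read syslog auth lines on stdin (fed from syslog.conf via |exec) and add
 * an ipfw deny rule for the source of each failed ssh password attempt
 * against root, admin or a non-existent user.  Everything of interest is
 * reported through syslog; stdout/stderr are discarded.
 */
int
main(int ac, char **av)
{
	char buf[1024];
	char ip[16];		/* "255.255.255.255" + NUL */

	(void)ac;
	(void)av;

	openlog("sshlockout", LOG_PID|LOG_CONS, LOG_AUTH);
	syslog(LOG_ERR, "sshlockout starting up");
	/* ipfw chatter is unwanted; syslog is the only output channel. */
	if (freopen("/dev/null", "w", stdout) == NULL ||
	    freopen("/dev/null", "w", stderr) == NULL)
		syslog(LOG_WARNING, "could not redirect stdout/stderr to /dev/null");

	while (fgets(buf, sizeof(buf), stdin) != NULL) {
		const char *who;
		size_t len = strlen(buf);

		if (len > 0 && buf[len - 1] != '\n' && !feof(stdin)) {
			/*
			 * Over-long line: fgets returned only a prefix.  Drain and
			 * skip the remainder so the tail is not parsed as a record
			 * of its own, with whatever " from " it happens to contain.
			 */
			int c;
			while ((c = getchar()) != EOF && c != '\n')
				;
			continue;
		}
		if (strstr(buf, "sshd") == NULL ||
		    strstr(buf, "Failed password") == NULL)
			continue;

		/* Same three triggers as before; both root and admin log as "root". */
		if (strstr(buf, "Failed password for root from") != NULL ||
		    strstr(buf, "Failed password for admin from") != NULL)
			who = "root";
		else if (strstr(buf, "Failed password for invalid user") != NULL)
			who = "an invalid user";
		else
			continue;

		if (!parse_source_ip(buf, ip, sizeof(ip)))
			continue;
		syslog(LOG_ERR,
		    "Detected ssh password login attempt for %s, locking out %s\n",
		    who, ip);
		lockout(ip);
	}
	syslog(LOG_ERR, "sshlockout exiting");
	return(0);
}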