Re: ssh security


 



I wrote this script to thwart the brute force ssh hackers.  It isn't the most efficient but it works. It blocks their IP using iptables. I run it every min via cron.



#!/usr/bin/perl
use strict;
use warnings;

###vars

my $lines=5000; #lines to tail
my $pos=10; #an ip with more failed lines than this gets kicked
my $lp=$lines+1000;


my $log=`tail -n $lp /var/log/secure | grep 'Failed password' | tail -n $lines`;


#counts failures per ip; the hash keys are strings, so addresses are compared exactly
#the address is taken from sshd's trailing "from <ip> port <n>" field,
#and lines without one are skipped
my %count;
foreach my $line (split (/\n/,$log)) {
        next unless $line=~ /.* from (?:::ffff:)?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port \d+/;
        $count{$1}++;
}


#blocks every ip over the limit that iptables does not already list
my $cur;
foreach my $nip (sort keys %count) {
        next unless ($pos<$count{$nip});
        $cur=`/sbin/iptables -L -n` unless defined $cur;
        #match the whole address literally (dots escaped, no partial hits)
        if ($cur!~/(?<![\d.])\Q$nip\E(?![\d.])/) {
                system('/sbin/iptables','-t','filter','-I','INPUT','-s',$nip,'-j','DROP');
        }
}

Gerald wrote:
good suggestion.. I limited the users and restricted root.

does anyone know how to change the default "login as:" banner to something else?

Gerald

On 12/26/05, Mail List <lists@xxxxxxxxxxxx> wrote:
  
On Monday 26 December 2005 00:24, Gerald wrote:
    
It looks like i'm getting a dictionary attack on my system. I moved
ssh to another port instead of 22 in hopes that would put a halt to it
      
  You probably don't want to advertise the port you chose either as per your
mail.

   You may also wish to set:

     PermitRootLogin no
     AllowUsers gerald other1 other2 etc

  (i.e. limit to users you care about with known strong passwords or keys only
as someone else suggested).

  Dumb question - did you service sshd restart to make sure your changes were
picked up?

 \g/

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

    


--
-Gerald
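
The counting step of the script at the top of this message, as an added example that is not part of the original post: it is written in Python rather than the script's Perl so it can be run against constructed log lines without touching iptables. The function names, the sample lines and the documentation-range addresses are assumptions; it also goes slightly beyond the script by accepting the ::ffff: prefix and rejecting invalid dotted quads.

```python
import ipaddress
import re
from collections import Counter

# sshd ends a failure line with "from <addr> port <n> ssh2". The user name is
# client-supplied text, so only that trailing field is trusted as the source.
FAILED = re.compile(r"Failed password for .* from (\S+) port \d+(?: ssh\d*)?\s*$")


def source_ip(line):
    """Return the IPv4 source of a 'Failed password' line, or None."""
    m = FAILED.search(line)
    if not m:
        return None
    addr = m.group(1)
    if addr.lower().startswith("::ffff:"):   # IPv4-mapped form seen in older logs
        addr = addr[7:]
    try:
        return str(ipaddress.IPv4Address(addr))
    except ValueError:
        return None                          # not a valid dotted quad


def offenders(lines, threshold=10):
    """Addresses with MORE than `threshold` failures (the script's $pos<$m test)."""
    counts = Counter(ip for ip in map(source_ip, lines) if ip)
    return sorted(ip for ip, n in counts.items() if n > threshold)


# Constructed sample lines (documentation addresses), not real log data.
SAMPLE = (
    ["Dec 26 00:24:01 host sshd[101]: Failed password for root from 203.0.113.9 port 4001 ssh2"] * 11
    + ["Dec 26 00:24:02 host sshd[102]: Failed password for invalid user bob from 203.0.113.77 port 4002 ssh2"] * 10
    + ["Dec 26 00:24:03 host sshd[103]: Failed password for invalid user 192.0.2.5 from ::ffff:198.51.100.4 port 4003 ssh2"] * 12
    + ["Dec 26 00:24:04 host sshd[104]: Accepted password for gerald from 192.0.2.10 port 4004 ssh2"] * 20
)

if __name__ == "__main__":
    for ip in offenders(SAMPLE):
        print(ip)
```

203.0.113.77 has exactly 10 failures and stays unblocked, and it is counted separately from 203.0.113.9 because the addresses are compared as strings.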

  
