I wrote this script to thwart the brute force ssh hackers. It isn't
the most efficient but it works. It blocks their IP using iptables. I
run it every min via cron.

#!/usr/bin/perl
use strict;
use warnings;

### vars
my $lines = 5000;   # lines of 'Failed password' to examine
my $pos   = 10;     # failures from one IP needed before it is blocked
my $lp    = $lines + 1000;
my $log   = `tail -n $lp /var/log/secure | grep 'Failed password' | tail -n $lines`;

# Count failures per source IP.  A hash replaces the two nested-loop
# passes over copies of the list, and hash keys compare IPs as whole
# strings: comparing them with '==' numifies "10.0.0.1" and "10.0.9.9"
# to the same value (10), so distinct attackers were being merged.
# Older sshd builds log IPv4 clients as "::ffff:1.2.3.4"; that prefix
# is skipped so the bare IPv4 address is what gets blocked.
my %count;
foreach my $line (split /\n/, $log) {
    if ($line =~ /from\s+(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})/) {
        $count{$1}++;
    }
}

# Fetch the current rule set once, before the loop ($nn was never
# incremented in the first version, so iptables -L ran for every IP).
my $cur = `/sbin/iptables -L INPUT -n`;

foreach my $ip (sort keys %count) {
    next unless $count{$ip} > $pos;
    # Match the address as a whole field.  An unescaped /$ip/ lets '.'
    # match any character and also finds 10.0.0.1 inside 10.0.0.10.
    next if $cur =~ /^DROP\s.*?\s\Q$ip\E(?:\/32)?\s/m;
    system('/sbin/iptables', '-t', 'filter', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
}

Gerald wrote:
> Good suggestion. I limited the users and restricted root. Does anyone
> know how to change the default "login as:" banner to something else?
>
> Gerald
>
> On 12/26/05, Mail List <lists@xxxxxxxxxxxx> wrote:
> > On Monday 26 December 2005 00:24, Gerald wrote:
> > > It looks like I'm getting a dictionary attack on my system. I moved
> > > ssh to another port instead of 22 in hopes that would put a halt to it.
> >
> > You probably don't want to advertise the port you chose either, as per
> > your mail. You may also wish to set:
> >
> >   PermitRootLogin no
> >   AllowUsers gerald other1 other2 etc
> >
> > (i.e. limit to users you care about with known strong passwords or keys
> > only, as someone else suggested).
> >
> > Dumb question - did you service sshd restart to make sure your changes
> > were picked up?
> >
> > \g/
> >
> > --
> > fedora-list mailing list
> > fedora-list@xxxxxxxxxx
> > To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
> --
> -Gerald
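The same detection logic as the script in the post above, as an added example written for this page in Python; it is not the poster's code. It runs offline against constructed sshd log lines and a constructed `iptables -L INPUT -n` listing (both labelled as such in the code) and fixes the pitfalls a reviewer would flag in the original: addresses are compared as whole strings rather than numifying "10.0.0.1" and "10.0.9.9" to the same number, the existing-rule check compares the source field exactly instead of a regex substring (so 10.0.0.1 is not taken for an existing rule on 10.0.0.10), and iptables is invoked with an argv list rather than an interpolated shell string. Tolerating the `::ffff:` prefix is an assumption about sshd builds that log IPv4 clients as IPv4-mapped addresses; the `/var/log/secure` line format is the one the post greps for.

```python
#!/usr/bin/env python3
"""Count sshd password failures per source IP and emit iptables DROP
rules for sources over a threshold.  Example code written for this
page, not the script from the original post."""
import re
import subprocess
from collections import Counter

# Source address of an sshd failure line.  The optional "::ffff:" prefix
# (assumption: older sshd builds log IPv4 clients as IPv4-mapped IPv6)
# is tolerated and discarded so the bare IPv4 address is what gets blocked.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?:::ffff:)?"
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(lines):
    """Return Counter{ip: failures} over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def blocked_sources(iptables_listing):
    """Parse `iptables -L INPUT -n` output and return the set of source
    addresses that already have a DROP rule.  The source column is
    compared as a whole field, so 10.0.0.1 never matches 10.0.0.10."""
    blocked = set()
    for line in iptables_listing.splitlines():
        fields = line.split()
        # rule lines: target prot opt source destination ...
        if len(fields) >= 5 and fields[0] == "DROP":
            blocked.add(fields[3].split("/")[0])
    return blocked


def plan_blocks(lines, iptables_listing, threshold=10):
    """Return argv lists for the iptables commands that should run: one
    DROP insert per source with more than `threshold` failures that is
    not already blocked.  Returning argv (not running it) keeps the
    decision testable without root."""
    counts = count_failures(lines)
    already = blocked_sources(iptables_listing)
    cmds = []
    for ip, n in sorted(counts.items()):
        if n > threshold and ip not in already:
            cmds.append(["/sbin/iptables", "-t", "filter", "-I", "INPUT",
                         "-s", ip, "-j", "DROP"])
    return cmds


def apply_blocks(cmds):
    """Run the planned commands; argv form means no shell parsing of the IP."""
    for argv in cmds:
        subprocess.run(argv, check=True)


# --- constructed sample data (not captured from a real host) ---
SAMPLE_LOG = (
    ["Dec 26 00:24:%02d host sshd[4242]: Failed password for root "
     "from ::ffff:10.0.0.1 port 5%03d ssh2" % (i, i) for i in range(12)]
    + ["Dec 26 00:25:%02d host sshd[4243]: Failed password for invalid user "
       "admin from 10.0.9.9 port 6%03d ssh2" % (i, i) for i in range(11)]
    + ["Dec 26 00:26:00 host sshd[4244]: Failed password for gerald "
       "from 10.0.0.10 port 7000 ssh2"]
    + ["Dec 26 00:26:01 host sshd[4245]: Accepted publickey for gerald "
       "from 10.0.0.10 port 7001 ssh2"]
)

# 10.0.0.10 and 10.0.9.9 already blocked; 10.0.0.1 is not, and must not be
# mistaken for 10.0.0.10 by a substring check.
SAMPLE_IPTABLES = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.10            0.0.0.0/0
DROP       all  --  10.0.9.9             0.0.0.0/0
"""

if __name__ == "__main__":
    # Dry run on the sample data: prints one DROP for 10.0.0.1 only.
    for argv in plan_blocks(SAMPLE_LOG, SAMPLE_IPTABLES):
        print(" ".join(argv))
```

For real use, feed `plan_blocks` the output of `tail -n 5000 /var/log/secure` and `subprocess.run(["/sbin/iptables", "-L", "INPUT", "-n"], capture_output=True, text=True).stdout`, then hand the result to `apply_blocks` from the minute cron job as root; the threshold of 10 matches the post's `$pos`.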