################## ssh brute force attack blocker # This sec ruleset monitors syslog messages for indications that an ssh brute-force # login attack is underway. The trigger is an ssh login failure. # # If 4 additional syslog messages about ssh login failures from the same # source address are received within next 1 minute, an iptables firewall # rule is added to block access from the source IP. # # After that, the correlation operation waits until no ssh login failure # syslog messages from the source IP have been received from the router # during the last 2 hours, and then the iptables rule is removed. By # definition, once the IP is blocked, there will be no more connection # attempt failures logged by ssh (ie., packets will be dropped by the kernel # before they reach the syslog daemon), so the rule will be flushed after # 2 hours. # # Vulnerabilities of this ruleset are: # DoS attack: if the attacker is aware of this ruleset, they could # spoof a series of victim IP addresses (for example, the # AOL proxy address), thus causing the server running sec # to deny service to the victim. # # persistent firewall rules: # if the sec daemon crashes or is restarted, any existing rules # will not be removed after 2hours # # window=60 # sliding window (1 minute) for initial event match # thresh=4 # number of events (ssh login failures from a given IP) that must # # occur within the window period in order to trigger the action # # window2=7200 # sliding window (2 hours) for the second event match # thresh2=0 ############### # RCSversion="$Header: /home/bergman/RCS/ssh_block.sec,v 1.3 2006/05/02 04:18:44 bergman Exp bergman $" # # Representative log file entries: # Aug 28 04:43:03 10.1.1.18 sshd(pam_unix)[22344]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.ace.ne.jp # Aug 28 04:43:03 host sshd[22568]: Failed password for illegal user library from 210.230.187.218 port 55019 ssh2 # Aug 28 04:42:28 www.somehost.net sshd[9395]: Failed password for illegal user mysql from 210.230.187.218 port 52857 ssh2 # Aug 28 04:42:28 host sshd[22509]: Failed password for root from 210.230.187.218 port 52960 ssh2 # Aug 28 04:42:32 www.somehost.net sshd[9397]: Failed password for illegal user oracle from 210.230.187.218 port 53212 ssh2 # Aug 28 04:42:32 host sshd[22510]: Failed password for illegal user admin from 2 10.230.187.218 port 53243 ssh2 # type=SingleWith2Thresholds ptype=RegExp pattern=sshd.*: authentication failure[ ;].* rhost=(\S+) desc=Multiple failed ssh authentication attempts from $1 action=logonly ; shellcmd ( /usr/local/sbin/ipt-add -I FORWARD -s $1 -p tcp --dport 22 -j DROP ; /usr/local/sbin/ipt-add -I INPUT -s $1 -p tcp --dport 22 -j DROP ) window=60 thresh=4 desc2=Pruning iptables firewall rule blocking ssh from $1 action2=logonly ; shellcmd ( /sbin/iptables -D FORWARD -s $1 -p tcp --dport 22 -j DROP ; /sbin/iptables -D INPUT -s $1 -p tcp --dport 22 -j DROP ) window2=7200 thresh2=0 type=SingleWith2Thresholds ptype=RegExp pattern=sshd.*: Failed password for.* user .* from (\S+) desc=Multiple ssh password failures from $1 action=logonly ; shellcmd ( /usr/local/sbin/ipt-add -I FORWARD -s $1 -p tcp --dport 22 -j DROP ; /usr/local/sbin/ipt-add -I INPUT -s $1 -p tcp --dport 22 -j DROP ) window=60 thresh=4 desc2=Pruning iptables firewall rule blocking ssh from $1 action2=logonly ; shellcmd ( /sbin/iptables -D FORWARD -s $1 -p tcp --dport 22 -j DROP ; sleep 2; /sbin/iptables -D INPUT -s $1 -p tcp --dport 22 -j DROP ; sleep 2) window2=7200 thresh2=0