pavement

Block repeated illegal or failed SSH logins

From FreeBSDwiki
Revision as of 17:49, 22 May 2009 by 220.34.48.75 (Talk)
Jump to: navigation, search

Contents

Introduction

We're starting to see a rash of password guessing attacks via SSH on exposed BSD servers which are running the SSH daemon. These login attempts are coming from multiple addresses, which makes some people suspect that they're being carried out by a network of "bots" rather than a single attacker.

Limiting SSH login sessions

In your sshd_config file the following settings can also help slow down such attacks.

  • LoginGraceTime
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
  • MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g.,"10:30:60"). sshd will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).

Firewall repeated illegal or failed SSH logins attempts

To firewall failed login attemps, a simple script that will scan the log file for illegal or failed attempts and firewall repeated IP's will do the trick. It will slow down and stop a brute force dictionary login attack.

Using the examples below you can create a file called sshd-fwscan.sh, then use cron to run the file every x minutes and it will automatically firewall the IP once it detects 5 or more failed login attempts.

/etc/syslog.conf

You need an auth.* line in your syslog.conf file in order to log all authentications.

auth.*                                          /var/log/auth.log

Using IPFW

sshd-fwscan.sh

#!/bin/sh
if ipfw show | awk '{print $1}' | grep -q 20000 ; then
        ipfw delete 20000
fi
# This catches repeated attempts for both legal and illegal users
# No check for duplicate entries is performed, since the rule
# has been deleted.
awk '/sshd/ && (/Invalid user/ || /authentication error/) {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/auth.log |
while read ip
do
        ipfw -q add 20000 deny tcp from $ip to any in
done

Note: To make sure IP's expire we delete and add rule 20000 of the firewall each time, thus if the IP's are no longer duplicates in the auth.log they are no longer firewalled.

Using IPF

sshd-fwscan.sh

#!/bin/sh
IFS='
'
for rules in `ipfstat -i | grep "group 20000"` ; do
       echo "$rules" | ipf -r -f -
done
for ips in `cat /var/log/auth.log | grep sshd | grep "Illegal" | awk '{print $10}' | uniq -d` ; do
       echo "block in quick from $ips to any group 20000" | ipf -f -
done
cat /var/log/auth.log | grep sshd | grep "Failed" | rev  | cut -d\  -f 4 | rev | sort | uniq -c | \
( while read num ips; do
   if [ $num -gt 5 ]; then
        if ! ipfstat -i | grep $ips ; then
               echo "block in quick from $ips to an
Personal tools