User:RichardJune/Scripts/ssh failed
RichardJune (Talk | contribs) |
RichardJune (Talk | contribs) |
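--- a/User:RichardJune/Scripts/ssh failed
+++ b/User:RichardJune/Scripts/ssh failed
@@ -2,6 +2,6 @@
 # This script is meant to be run once an hour. It will index failed login attempts from
 # the previous hour. After BADCOUNT attempts, it will drop all traffic from that IP
-# address via the
-# this script, use "iptables --append INPUT --jump
+# address via the ssh_failed chain. To make your router actually filter traffic based on
+# this script, use "iptables --append INPUT --jump ssh_failed" in your firewall script.
 # BLOCKPOINTS is the score (or failed attempts) required before an address is blocked.
 # POINTLOSS is how many points are forgiven each time this script runs.
@@ -12,5 +12,5 @@
 # It is used to specify search information, etc.
 LOGFILE="/var/log/syslog*"
-CHAINNAME="
+CHAINNAME="ssh_failed"
 BLOCKDIR="/tmp/${CHAINNAME}"
 MONTH="$(date +%b)"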
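Review bot: The renamed CHAINNAME in the second hunk is also what the next context line derives the state directory from, `BLOCKDIR="/tmp/${CHAINNAME}"`, so the per-address score files that this root cron job reads and writes still live in a world-writable /tmp, where any local user can pre-create that directory (or a symlink of that name) and, judging from the full listing below, feed the script arbitrary "scores" and file names that are passed unquoted to `iptables --delete ... --source`. I would move it, `BLOCKDIR="/var/lib/${CHAINNAME}"`, or at minimum refuse to run unless the directory is a real directory owned by root. The comment rewritten in the first hunk also still says "After BADCOUNT attempts" while the variable it documents two lines down is BLOCKPOINTS; it should read `# the previous hour. After BLOCKPOINTS attempts, it will drop all traffic from that IP`. The rest of the script is outside these hunks and is shown in full below the diff.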
Revision as of 18:04, 14 April 2008
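#!/bin/bash
# This script is meant to be run once an hour (e.g. from cron). It indexes the
# failed sshd login attempts logged during the previous clock hour and keeps a
# per-address score under BLOCKDIR. Once an address reaches BLOCKPOINTS points
# all traffic from it is dropped via the ssh_failed chain. To make your router
# actually filter traffic based on this script, use
# "iptables --append INPUT --jump ssh_failed" in your firewall script.
#
# Scoring: every "Failed password for root" / "Failed password for invalid
# user ..." log line adds one point to the source address. Each run first
# forgives POINTLOSS points per tracked address; an address whose score drops
# back to zero is unblocked again.
#
# BLOCKPOINTS is the score (or failed attempts) required before an address is blocked.
# POINTLOSS is how many points are forgiven each time this script runs.
BLOCKPOINTS="10"
POINTLOSS="2"

# This stuff is not really user modifiable.
# It is used to specify search information, etc.
# LOGFILE is a glob on purpose: rotated logs are searched as well.
LOGFILE="/var/log/syslog*"
CHAINNAME="ssh_failed"
# One file per address, file content is the address's current score.
# NOTE(review): /tmp is world-writable. Before it is used, the directory is
# checked to be a real directory (not a symlink) owned by the user running
# this script; a directory pre-created by another local user makes the script
# refuse to run rather than trust its contents. Moving this under /var/lib is
# preferable where the router image allows it.
BLOCKDIR="/tmp/${CHAINNAME}"

# syslog writes C-locale month names; make date/grep/awk agree with it even
# when cron hands us a different locale.
export LC_ALL=C
set -u

# Print the syslog timestamp prefix ("Mon dd HH:") of the previous clock hour.
# Computed via epoch arithmetic so midnight (and month/day rollover) is
# handled and the hour keeps its zero padding, matching what syslog writes.
# The earlier `dc $HOUR 1 -` never worked: dc treats its arguments as file
# names, which left the hour part empty and matched the whole day.
# NOTE(review): `date -d @epoch` is GNU syntax; busybox date accepts it on the
# images I know of - confirm on the router.
previous_hour_stamp() {
  local now
  now="$(date +%s)" || return 1
  date -d "@$(( now - 3600 ))" '+%b %e %H:'
}

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Only validated addresses are ever used as file names or handed to iptables.
# (Addresses in any other form, including IPv6, are skipped; the previous
# version passed them to iptables, which failed silently anyway.)
is_ipv4() {
  local addr=$1 octet
  [[ $addr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# Read syslog lines on stdin and print, one per line, the source address of
# every "Failed password for root" / "Failed password for invalid user ..."
# line. One address is printed per matching line, so repeated attempts count
# as separate points (same as the original per-line loop).
# The username in an "invalid user" line is supplied by the remote client,
# so a fixed field position ($13) is not safe: a username containing
# "from 1.2.3.4 port 1" would shift the fields and let the attacker choose
# which address gets blocked. sshd appends its own " from <addr> port <n>"
# after the username, so the LAST such group on the line is used.
extract_offenders() {
  awk '
    /Failed password for (root|invalid user)/ {
      for (i = NF - 2; i > 0; i--) {
        if ($i == "from" && $(i + 2) == "port") { print $(i + 1); break }
      }
    }'
}

# Forgive POINTLOSS points for every tracked address and unblock addresses
# whose score reaches zero. A score file that is not a non-negative integer
# is treated as zero. Addresses at zero are left untouched, as before.
decay_scores() {
  local f ip count tries
  for f in "${BLOCKDIR}"/*; do
    [ -e "$f" ] || continue             # empty directory: the glob stays literal
    ip=${f##*/}
    is_ipv4 "$ip" || continue           # never pass an unvalidated name to iptables
    count="$(cat -- "$f")"
    [[ $count =~ ^[0-9]+$ ]] || count=0
    (( count > 0 )) || continue
    count=$(( count - POINTLOSS ))
    (( count >= 0 )) || count=0
    if (( count == 0 )); then
      echo "traffic now allowed from sshd: ${ip}"
      # An address can cross BLOCKPOINTS more than once and so own several
      # identical DROP rules; delete until none is left (bounded, in case a
      # broken iptables wrapper always reports success).
      tries=0
      while iptables --delete "${CHAINNAME}" --jump DROP --source "${ip}" >/dev/null 2>&1 \
          && (( ++tries < 100 )); do
        :
      done
    fi
    echo "${count}" > "$f"
  done
}

# Add one point per address read from stdin (one per line, one line per
# failed attempt) and block an address the moment its score reaches
# BLOCKPOINTS. Malformed addresses and corrupt score files are ignored/reset.
score_offenders() {
  local ip f count
  while IFS= read -r ip; do
    is_ipv4 "$ip" || continue
    f="${BLOCKDIR}/${ip}"
    [ -e "$f" ] || echo 0 > "$f"
    count="$(cat -- "$f")"
    [[ $count =~ ^[0-9]+$ ]] || count=0
    count=$(( count + 1 ))
    echo "${count}" > "$f"
    if (( count == BLOCKPOINTS )); then
      echo "banned from sshd: ${ip}"
      iptables --append "${CHAINNAME}" --jump DROP --source "${ip}" >/dev/null 2>&1
    fi
  done
}

# Entry point. Returns non-zero (and does nothing) when iptables is missing,
# the state directory cannot be trusted, or the timestamp cannot be computed.
main() {
  local hoursearch

  if ! command -v iptables >/dev/null 2>&1; then
    echo "${0##*/}: iptables not found, nothing to do" >&2
    return 1
  fi

  # Create the state directory (private to us) and refuse anything we do not
  # own or that is a symlink - see the note on BLOCKDIR above.
  mkdir -p -m 0700 -- "${BLOCKDIR}" || return 1
  if [ -L "${BLOCKDIR}" ] || [ ! -d "${BLOCKDIR}" ] || [ ! -O "${BLOCKDIR}" ]; then
    echo "${0##*/}: refusing to use ${BLOCKDIR}: not a directory owned by $(id -un)" >&2
    return 1
  fi

  iptables --new "${CHAINNAME}" >/dev/null 2>&1   # no-op when the chain already exists
  #iptables --flush ${CHAINNAME}

  # First remove POINTLOSS points from the score of each IP; unblock at zero.
  decay_scores

  hoursearch="$(previous_hour_stamp)"
  if [ -z "$hoursearch" ]; then
    echo "${0##*/}: could not compute the previous hour's timestamp" >&2
    return 1
  fi

  # Next collect the addresses that failed to log in during the previous hour
  # and keep score. -h drops file names (LOGFILE is a glob), -F matches the
  # timestamp literally; rotated logs that are absent or unreadable are not
  # an error for this script, hence the discarded stderr.
  # shellcheck disable=SC2086
  grep -hF -- "$hoursearch" $LOGFILE 2>/dev/null | extract_offenders | score_offenders
}

main "$@"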