ports/90603: [NEW PORT] security/sshit: Checks for SSH/FTP bruteforce and blocks given IPs
Jui-Nan Lin
jnlin at csie.nctu.edu.tw
Sun Dec 18 15:40:04 UTC 2005
>Number: 90603
>Category: ports
>Synopsis: [NEW PORT] security/sshit: Checks for SSH/FTP bruteforce and blocks given IPs
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 18 15:40:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Jui-Nan Lin
>Release: FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD Seattle.tamama.org 5.4-STABLE FreeBSD 5.4-STABLE #3: Thu Nov 17 16:14:12 CST 2005
>Description:
sshit is a Perl script that works with ipfw, ipfw2, and pf.
It parses the output of syslogd to find SSH/FTP bruteforce attacks.
If the number of failed logins is more than a threshold that the administrator
sets, sshit will block the source IP via the firewall for a while
(administrators can set the period of blocking).
WWW: http://anp.ath.cx/sshit/
Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:
--- sshit-0.5.shar begins here ---
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# sshit
# sshit/files
# sshit/files/pkg-message.in
# sshit/Makefile
# sshit/distinfo
# sshit/pkg-descr
# sshit/pkg-plist
#
echo c - sshit
mkdir -p sshit > /dev/null 2>&1
echo c - sshit/files
mkdir -p sshit/files > /dev/null 2>&1
echo x - sshit/files/pkg-message.in
sed 's/^X//' >sshit/files/pkg-message.in << 'END-of-sshit/files/pkg-message.in'
X===> CONFIGURATION NOTE:
X
X Configuration of sshit is done via main configuration file
X located at %%PREFIX%%/etc/sshit.conf
X
X To run the script, add a line in /etc/syslog.conf:
X
Xauth.info;authpriv.info |exec %%PREFIX%%/sbin/sshit
X
X and restart syslogd.
X
X If you want to use pf as the firewall, you should add a table and the
X corresponding deny rule. For example,
X (In /etc/pf.conf)
X
Xtable <badhosts> persist
Xblock on $extdev from <badhosts> to any
X
X and reload the pf rules.
X
X If you want to use ipfw2 (with table) as the firewall, you should add a
X table and the corresponding deny rule. For example,
X
X# ipfw add deny ip from table(0) to any
END-of-sshit/files/pkg-message.in
echo x - sshit/Makefile
sed 's/^X//' >sshit/Makefile << 'END-of-sshit/Makefile'
X# New ports collection makefile for: sshit
X# Date created: 18 December 2005
X# Whom: Jui-Nan Lin <jnlin at csie.nctu.edu.tw>
X#
X# $FreeBSD$
X#
X
XPORTNAME= sshit
XPORTVERSION= 0.5
XCATEGORIES= security
XMASTER_SITES= http://anp.ath.cx/sshit/ \
X ${MASTER_SITE_LOCAL}
X
XMAINTAINER= jnlin@csie.nctu.edu.tw
XCOMMENT= Checks for SSH/FTP bruteforce and blocks given IPs
X
XRUN_DEPENDS= ${SITE_PERL}/${PERL_ARCH}/Unix/Syslog.pm:${PORTSDIR}/sysutils/p5-Unix-Syslog \
X ${SITE_PERL}/IPC/Shareable.pm:${PORTSDIR}/devel/p5-IPC-Shareable \
X ${SITE_PERL}/Proc/PID/File.pm:${PORTSDIR}/devel/p5-Proc-PID-File
X
XNO_BUILD= yes
XUSE_PERL5_RUN= yes
X
XWRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
XPKGMESSAGE= ${WRKDIR}/pkg-message
XSUB_FILES= pkg-message
X
X.include <bsd.port.pre.mk>
X
X.if ${PERL_LEVEL} < 500600
XIGNORE= Perl 5.6 or newer required. Install lang/perl5 or lang/perl5.8 and try again.
X.endif
X
Xdo-install:
X	${INSTALL_SCRIPT} ${WRKSRC}/${PORTNAME}.pl ${PREFIX}/sbin/${PORTNAME}
X	${INSTALL_DATA} ${WRKSRC}/${PORTNAME}.conf ${PREFIX}/etc/${PORTNAME}.conf-dist
X
Xpost-install:
X	@if [ ! -f ${PREFIX}/etc/${PORTNAME}.conf ]; then \
X		${CP} -p ${PREFIX}/etc/${PORTNAME}.conf-dist ${PREFIX}/etc/${PORTNAME}.conf ; \
X	fi
X.if !defined(BATCH)
X	@${CAT} ${PKGMESSAGE}
X.endif
X
X.include <bsd.port.post.mk>
END-of-sshit/Makefile
echo x - sshit/distinfo
sed 's/^X//' >sshit/distinfo << 'END-of-sshit/distinfo'
XMD5 (sshit-0.5.tar.gz) = 1b3f40e08a10919820eb5ecbfa3bc34b
XSHA256 (sshit-0.5.tar.gz) = eb65e94820fbfbd75d8227de9cd7f42b8b497c1bfac350fbb9d4ef51d85b442d
XSIZE (sshit-0.5.tar.gz) = 4065
END-of-sshit/distinfo
echo x - sshit/pkg-descr
sed 's/^X//' >sshit/pkg-descr << 'END-of-sshit/pkg-descr'
Xsshit is a Perl script that works with ipfw, ipfw2, and pf.
XIt parses the output of syslogd to find SSH/FTP bruteforce attacks.
XIf the number of failed logins is more than a threshold that the administrator
Xsets, sshit will block the source IP via the firewall for a while
X(administrators can set the period of blocking).
X
XWWW: http://anp.ath.cx/sshit/
END-of-sshit/pkg-descr
echo x - sshit/pkg-plist
sed 's/^X//' >sshit/pkg-plist << 'END-of-sshit/pkg-plist'
X@unexec if cmp -s %D/etc/sshit.conf %D/etc/sshit.conf-dist; then rm -f %D/etc/sshit.conf; fi
Xetc/sshit.conf-dist
X@exec if [ ! -f %D/etc/sshit.conf ] ; then cp -p %D/%F %B/sshit.conf; fi
Xsbin/sshit
END-of-sshit/pkg-plist
exit
--- sshit-0.5.shar ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
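The threshold-and-timed-block behaviour described in the port description, as an added Python sketch (not sshit's Perl source and not part of the submission). It assumes the OpenSSH "Failed password" log wording and the pf table `badhosts` from the pkg-message; the `Tracker` class, the counting `window` and the `allow` list are hypothetical, and the pfctl commands are returned rather than executed.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed OpenSSH log wording. Anchoring at end of line means a username such
# as "x from 192.0.2.1 port 22 ssh2" cannot override the real source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")
class Tracker:
    def __init__(self, threshold=3, window=60, block_time=300, allow=("127.0.0.0/8",)):
        self.threshold, self.window, self.block_time = threshold, window, block_time
        self.allow = [ipaddress.ip_network(n) for n in allow]  # never blocked
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.blocked = {}                   # ip -> time the block expires

    def expire(self, now):
        """Return pf commands that lift blocks whose period has elapsed."""
        done = [ip for ip, until in self.blocked.items() if until <= now]
        self.blocked = {ip: u for ip, u in self.blocked.items() if u > now}
        return [["pfctl", "-t", "badhosts", "-T", "delete", ip] for ip in done]

    def feed(self, line, now):
        """Process one syslog line at time `now`; return pf commands to run."""
        cmds = self.expire(now)
        m = FAILED.search(line.rstrip("\n"))
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:  # malformed address: never pass raw log text on
            addr = None
        if addr is None or str(addr) in self.blocked or any(addr in n for n in self.allow):
            return cmds
        ip = str(addr)
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) > self.threshold:  # "more than a threshold"
            del self.failures[ip]
            self.blocked[ip] = now + self.block_time
            cmds.append(["pfctl", "-t", "badhosts", "-T", "add", ip])
        return cmds

LOG = "Dec 18 15:40:02 gw sshd[812]: Failed password for {} from {} port 4022 ssh2"

def demo():  # feeds constructed sample lines, not taken from a real host
    t, out = Tracker(), []
    for i in range(4):
        out += t.feed(LOG.format("admin", "203.0.113.7"), now=i)
    out += t.feed(LOG.format("x from 192.0.2.1 port 22 ssh2", "198.51.100.9"), now=5)
    return out + t.expire(now=400)
```

The allow list keeps an administrator's own networks out of the block table, so a few mistyped passwords cannot lock them out.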