ports/90603: [NEW PORT] security/sshit: Checks for SSH/FTP bruteforce and blocks given IPs

Jui-Nan Lin jnlin at csie.nctu.edu.tw
Sun Dec 18 15:40:04 UTC 2005


>Number:         90603
>Category:       ports
>Synopsis:       [NEW PORT] security/sshit: Checks for SSH/FTP bruteforce and blocks given IPs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 18 15:40:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Jui-Nan Lin
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD Seattle.tamama.org 5.4-STABLE FreeBSD 5.4-STABLE #3: Thu Nov 17 16:14:12 CST 2005
>Description:
sshit is a Perl script which works along with ipfw, ipfw2, and pf.
It parses the output of syslogd to find SSH/FTP brute-force attacks.
If the number of failed logins exceeds a threshold set by the administrator,
sshit blocks the source IP via the firewall for a while
(administrators can set the blocking period).

WWW: http://anp.ath.cx/sshit/

Generated with FreeBSD Port Tools 0.63
>How-To-Repeat:
>Fix:

--- sshit-0.5.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	sshit
#	sshit/files
#	sshit/files/pkg-message.in
#	sshit/Makefile
#	sshit/distinfo
#	sshit/pkg-descr
#	sshit/pkg-plist
#
echo c - sshit
mkdir -p sshit > /dev/null 2>&1
echo c - sshit/files
mkdir -p sshit/files > /dev/null 2>&1
echo x - sshit/files/pkg-message.in
sed 's/^X//' >sshit/files/pkg-message.in << 'END-of-sshit/files/pkg-message.in'
X===>  CONFIGURATION NOTE:
X
X  Configuration of sshit is done via main configuration file
X  located at %%PREFIX%%/etc/sshit.conf
X
X  To run the script, add a line in /etc/syslog.conf:
X
Xauth.info;authpriv.info                         |exec %%PREFIX%%/sbin/sshit
X
X  and restart syslogd.
X
X  If you want to use pf as the firewall, you should add a table and the
X  corresponding deny rule. For example,
X  (In /etc/pf.conf)
X
Xtable <badhosts> persist
Xblock on $extdev from <badhosts> to any
X
X  and reload the pf rules.
X
X  If you want to use ipfw2 (with table) as the firewall, you should add a
X  table and the corresponding deny rule. For example,
X
X# ipfw add deny ip from table(0) to any
END-of-sshit/files/pkg-message.in
echo x - sshit/Makefile
sed 's/^X//' >sshit/Makefile << 'END-of-sshit/Makefile'
X# New ports collection makefile for:	sshit
X# Date created:				18 December 2005
X# Whom:					Jui-Nan Lin <jnlin@csie.nctu.edu.tw>
X#
X# $FreeBSD$
X#
X
XPORTNAME=	sshit
XPORTVERSION=	0.5
XCATEGORIES=	security
XMASTER_SITES=	http://anp.ath.cx/sshit/ \
X		${MASTER_SITE_LOCAL}
X
XMAINTAINER=	jnlin@csie.nctu.edu.tw
XCOMMENT=	Checks for SSH/FTP bruteforce and blocks given IPs
X
XRUN_DEPENDS=	${SITE_PERL}/${PERL_ARCH}/Unix/Syslog.pm:${PORTSDIR}/sysutils/p5-Unix-Syslog \
X		${SITE_PERL}/IPC/Shareable.pm:${PORTSDIR}/devel/p5-IPC-Shareable \
X		${SITE_PERL}/Proc/PID/File.pm:${PORTSDIR}/devel/p5-Proc-PID-File
X
XNO_BUILD=	yes
XUSE_PERL5_RUN=	yes
X
XWRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
XPKGMESSAGE=	${WRKDIR}/pkg-message
XSUB_FILES=	pkg-message
X
X.include <bsd.port.pre.mk>
X
X.if ${PERL_LEVEL} < 500600
XIGNORE=		Perl 5.6 or newer required. Install lang/perl5 or lang/perl5.8 and try again.
X.endif
X
Xdo-install:
X	${INSTALL_SCRIPT} ${WRKSRC}/${PORTNAME}.pl ${PREFIX}/sbin/${PORTNAME}
X	${INSTALL_DATA} ${WRKSRC}/${PORTNAME}.conf ${PREFIX}/etc/${PORTNAME}.conf-dist
X
Xpost-install:
X	@if [ ! -f ${PREFIX}/etc/${PORTNAME}.conf ]; then \
X		${CP} -p ${PREFIX}/etc/${PORTNAME}.conf-dist ${PREFIX}/etc/${PORTNAME}.conf ; \
X	fi
X.if !defined(BATCH)
X	@${CAT} ${PKGMESSAGE}
X.endif
X
X.include <bsd.port.post.mk>
END-of-sshit/Makefile
echo x - sshit/distinfo
sed 's/^X//' >sshit/distinfo << 'END-of-sshit/distinfo'
XMD5 (sshit-0.5.tar.gz) = 1b3f40e08a10919820eb5ecbfa3bc34b
XSHA256 (sshit-0.5.tar.gz) = eb65e94820fbfbd75d8227de9cd7f42b8b497c1bfac350fbb9d4ef51d85b442d
XSIZE (sshit-0.5.tar.gz) = 4065
END-of-sshit/distinfo
echo x - sshit/pkg-descr
sed 's/^X//' >sshit/pkg-descr << 'END-of-sshit/pkg-descr'
Xsshit is a Perl script which works along with ipfw, ipfw2, and pf.
XIt parses the output of syslogd to find SSH/FTP brute-force attacks.
XIf the number of failed logins exceeds a threshold set by the administrator,
Xsshit blocks the source IP via the firewall for a while
X(administrators can set the blocking period).
X
XWWW: http://anp.ath.cx/sshit/
END-of-sshit/pkg-descr
echo x - sshit/pkg-plist
sed 's/^X//' >sshit/pkg-plist << 'END-of-sshit/pkg-plist'
X@unexec if cmp -s %D/etc/sshit.conf %D/etc/sshit.conf-dist; then rm -f %D/etc/sshit.conf; fi
Xetc/sshit.conf-dist
X@exec if [ ! -f %D/etc/sshit.conf ] ; then cp -p %D/%F %B/sshit.conf; fi
Xsbin/sshit
END-of-sshit/pkg-plist
exit
--- sshit-0.5.shar ends here ---
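The detection loop that the description and the pkg-message outline, as an added example written for this page and not code from sshit itself: it reads the lines syslogd would pipe to the script, counts failed SSH/FTP logins per source address inside a sliding window, and on reaching the threshold emits the pfctl or ipfw command that adds the address to the <badhosts> table or to ipfw table 0, removing it again once the block period has elapsed. The sshd/ftpd message formats, the sample log lines, and the Blocker class and its parameters are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
# Syslog lines as syslogd would pipe them to the script (constructed for this example).
SAMPLE_LOG = """\
Dec 18 15:40:01 host sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Dec 18 15:40:02 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Dec 18 15:40:03 host ftpd[1300]: FTP LOGIN FAILED FROM 192.0.2.20, anonymous
Dec 18 15:40:04 host sshd[1236]: Failed password for root from 192.0.2.10 port 51236 ssh2
""".splitlines()
# Failure messages of sshd and FreeBSD ftpd; the exact formats are assumptions.
FAIL_RE = re.compile(r"(?:sshd\[\d+\]: Failed password for .* from"
                     r"|ftpd\[\d+\]: FTP LOGIN FAILED FROM) (\d+\.\d+\.\d+\.\d+)")
def failed_login_ip(line):
    """Source IP of a failed SSH/FTP login, or None for any other line."""
    m = FAIL_RE.search(line)
    return m.group(1) if m else None
class Blocker:
    """Count failures per source IP in a sliding window; block on reaching the threshold."""
    def __init__(self, threshold=3, window=60, block_time=600, backend="pf", table="badhosts"):
        self.threshold, self.window, self.block_time = threshold, window, block_time
        self.backend, self.table = backend, table
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                # ip -> time at which the block expires
    def _cmd(self, action, ip):
        # pf table from the pkg-message example, or ipfw2 table 0; both take add/delete
        if self.backend == "pf":
            return ["pfctl", "-t", self.table, "-T", action, ip]
        return ["ipfw", "table", "0", action, ip]

    def feed(self, line, now):
        """Process one syslog line (now = epoch seconds); return firewall commands to run."""
        ip = failed_login_ip(line)
        if ip is None or ip in self.blocked:
            return []
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return []
        self.blocked[ip] = now + self.block_time
        q.clear()
        return [self._cmd("add", ip)]

    def expire(self, now):
        """Lift blocks whose period has elapsed; return the unblock commands."""
        done = [ip for ip, until in self.blocked.items() if until <= now]
        self.blocked = {ip: t for ip, t in self.blocked.items() if t > now}
        return [self._cmd("delete", ip) for ip in done]
```

In a real deployment the returned argument lists would be handed to subprocess with the script running as root from syslogd, and expire() would be called from a periodic timer.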

>Release-Note:
>Audit-Trail:
>Unformatted: