repeated ssh login attempts/failure/break-in attempts from kiddy script

Bob Johnson fbsdlists at gmail.com
Fri Mar 31 15:23:01 UTC 2006


On 3/31/06, Nathan Vidican <nvidican at wmptl.com> wrote:
> Noted recently in auth.log, a string of connection attempts repeated/failed over
> and over from one host - looks like a script someone's running, tries all kinds
> of various usernames, etc... attempts like 100-200 logins, fails and goes away.

This is common.  IIRC, it's a worm that infects Linux systems.

> here and just happen to notice them - simple ipfw add deny... does the trick,
> but is there not a way to limit the login attempts for a certain period of time?
>
> i.e.: after 4 failed attempts from IP _BLANK_ in less than _BLANK_ minutes, deny
> all attempts and drop connection from said IP... possible?

I use the following very crude solution, which is loosely based on a
solution someone else posted somewhere (I don't remember).  It blocks
any IP that does SSH logins to nonexistent users more than nine times
in a five minute window.

In /etc/crontab, you need something like:
# Filter any system that generates excessive illegal user login attempts
*/5     *       *       *       *       root    /usr/local/sbin/sshblock

And the sshblock script looks like:

#!/bin/sh
# sshblock: count "Illegal user" sshd entries in auth.log per source IP and
# add any source with more than nine of them to ipfw table 1.  Note that the
# whole log file (since its last rotation) is counted; the cron interval and
# the "already listed" check below are what keep an IP from being re-added.
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# The IP is the last whitespace-separated field of each "Illegal user" line;
# rev/cut/rev extract it, then sort | uniq -c yields "count ip" pairs.
grep "Illegal user" /var/log/auth.log | rev | cut -d' ' -f1 | rev |
sort | uniq -c |
( while read count ip; do
    if [ "$count" -gt 9 ]; then
      # -w matches the whole address only, so 10.0.0.5 does not match 10.0.0.50
      if ! ipfw table 1 list | grep -qw -- "$ip"; then
        echo "blocking $ip for $count bogus ssh login attempts in past 5 minutes"
        logger -p auth.warn "blocking $ip for $count bogus ssh attempts in five minutes"
        ipfw table 1 add "$ip"
      fi
    fi
  done
)


And in your ipfw table you need something like:

    deny ip from table(1) to any

in addition to whatever else you have.  I put it just before my

    allow tcp from any to any established

line.

The echo command in the script causes cron to email you an alert every
time someone is blocked; take that out if you don't want it.  If you
reboot the system, this will forget all of the blocked addresses, read
the entire log file, and send new notices about old attacks, but other
than that it works well for me. People have written more sophisticated
scripts that store the IPs in files to restore the list after a
reboot, but I rarely reboot so I don't really need that.  A search on
Google should turn up some of them.

Some attackers manage to get in a few hundred hits in their five
minute window, but it's much better than the thousands (sometimes tens
of thousands) they used to hit me with during hours of attacks.


- Bob
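
As an added illustration (not Bob's script and not part of the original post), the same detection run over constructed auth.log lines in Python, but honouring a real five-minute sliding window per source IP using the syslog timestamps, which the shell script only approximates through the cron interval. The year, hostname, usernames and sample addresses are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the auth.log lines the cron script greps for, e.g.
#   "Mar 31 15:20:01 gw sshd[1234]: Illegal user admin from 10.0.0.5"
# Later OpenSSH releases log "Invalid user ..." instead; both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_ts(ts, year=2006):
    # syslog timestamps carry no year; 2006 is assumed for this demo
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, threshold=9, window_seconds=300):
    """Return {ip: peak_count} for every IP that exceeded `threshold`
    illegal-user attempts within any `window_seconds` span.  A sliding
    window is kept per IP, so line order across IPs does not matter."""
    recent = defaultdict(deque)
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # accepted logins, sudo, etc.
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop attempts older than the window
        if len(q) > threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits

def ipfw_commands(hits, table=1):
    """The ipfw commands the cron script would run for each offender."""
    return [f"ipfw table {table} add {ip}" for ip in sorted(hits)]

def _attempt(ts, ip, user):
    return f"{ts} gw sshd[4242]: Illegal user {user} from {ip}"

# Constructed sample log: one legitimate login, 12 guesses from 10.0.0.5 inside
# two minutes, and 10 slow guesses from 192.0.2.7 spaced six minutes apart.
SAMPLE_LOG = (
    ["Mar 31 15:00:00 gw sshd[4000]: Accepted publickey for bob from 192.0.2.1 port 5000 ssh2"]
    + [_attempt(f"Mar 31 15:1{i // 6}:{i % 6 * 10:02d}", "10.0.0.5", f"user{i}") for i in range(12)]
    + [_attempt(f"Mar 31 14:{i * 6:02d}:00", "192.0.2.7", "admin") for i in range(10)]
)
```

With the default window only the burst from 10.0.0.5 is caught; widening the window to an hour also catches the slow guesser, which the cron script would catch only once the log file as a whole passes the threshold.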

