Atualize o hosts.deny para bloquear tentativas de brute force
by Felipe 'chronos' Prenholato on Sunday, 14 March/2010, under Linux, Servidores
Ai embaixo um simples script para você bloquear hosts tentando brute force no seu SSH, muitas das vezes pode sanar o problema de ter uma porta diferente pro ssh 
O script varre o /var/log/messages para detectar tentativas de invasão, pega os hosts, e adiciona no /etc/hosts.deny
Código:
#!/bin/bash</code> cp /etc/hosts.deny /var/tmp/hosts.deny # Jun 8 00:39:43 mintaka sshd[23332]: User root from 222.77.183.51 not allowed because not listed in AllowUsers egrep "$(date +%b) ($(date +%d)|$(date +%e)).*User .* from [a-z0-9\.]* not allowed because not listed in AllowUsers" /var/log/messages | sed -e 's/.* from \([a-z0-9\.]*\) .*/\1/' | sort | uniq | sed -e 's/^/ALL:/' > /etc/hosts.deny ; #Jun 8 11:54:33 mintaka sshd[31221]: Invalid user bob from 62.204.145.224 egrep "$(date +%b) ($(date +%d)|$(date +%e)).*Invalid user .* from [a-z0-9\.]*$" /var/log/messages | sed -e 's/.*Invalid user .* from//' | sort | uniq | sed -e 's/^/ALL:/' >> /etc/hosts.deny ; diff -u /etc/hosts.deny /var/tmp/hosts.deny &>/dev/null || (echo "** hosts.deny updated **" ; cat /etc/hosts.deny)
Script funcionando:
Sep 2 16:55:02 mintaka -- MARK --
Sep 2 13:58:10 mintaka sshd[20790]: Did not receive identification string from 189.2.118.72
Sep 2 13:58:34 mintaka sshd[20795]: Invalid user suporte from 189.2.118.72
# Tentativa de brute force
Sep 2 13:58:41 mintaka sshd[20798]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:43 mintaka sshd[20800]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:46 mintaka sshd[20802]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:49 mintaka sshd[20804]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:51 mintaka sshd[20806]: Invalid user suporte from 189.2.118.72
Sep 2 13:59:24 mintaka sshd[20817]: Did not receive identification string from 189.2.118.72
# Script roda
** hosts.deny updated **
ALL:74.221.239.100
ALL: 189.2.118.72
ALL: 200.27.79.101
ALL: 74.221.239.100
# E os hosts agora estão bloqueados
Sep 2 14:00:09 mintaka sshd[20826]: Invalid user teste2008 from 189.2.118.72
Sep 2 14:00:10 mintaka sshd[20864]: refused connect from 189.2.118.72 (189.2.118.72)
Eu rodo em minha máquina a cada 2 minutos
Friday, 04 em September/2009 on 14:02
Fala Dr. Chronos!
Eu uso uma solução bastante parecida que é o denyhosts, funciona no mesmo estilo!
Abraço!
Friday, 04 em September/2009 on 14:08
Great! I don’t know this solution, I develop my script in 5 minutes at home
.
For who is interested in denyhosts:
Denyhosts web page: http://denyhosts.sourceforge.net/
How setup on Gentoo: http://en.gentoo-wiki.com/wiki/DenyHosts
Thx my friend
Friday, 04 em September/2009 on 14:13
Another solution, indicated by Ricardo Domiciano (Arca solutions infra guy):
http://www.configserver.com/cp/csf.html
Monday, 14 em September/2009 on 06:09
Hello…the script is not working for me…
Output is gt, no such command..
Where i am doing wrong?
Thanks..
Monday, 14 em September/2009 on 08:45
Hum… maybe your distro and/or version of sshd output wrong entries in different format than my. Probabily you need to change regex of egrep
.
Maybe is better idea check for other scripts/softs that do same thing, check links of comments