On Tuesday 21 December 2004 03:46, Fajar Priyanto wrote:

> > It happened while the victim was working on the PC and noticed the CPU
> > increase in gkrellm. So check your logs for something like this.
> > And if you use passwords instead of ssh keys, then make sure your
> > passwords are not simple to guess.
> >
> > Seems some user/password scans are checking for easy sshd logins
> >
> > HTH, after all the security talk here lately ...
>
> Yes, it has been happening in the last few months I think. The
> usernames that are used most are: patrick, test, horde.

Here is a script I wrote to work around SSH probes.  It is NOT elegant, very
quick and dirtyish, but it does seem to work and it can be run from a cron job
fairly often without problems.

#!/bin/sh
# Quick-and-dirty blocker for SSH password probes: pulls the source
# addresses of failed sshd logins out of /var/log/messages and appends
# them to /etc/hosts.deny.  Must be run as root.
cd /usr/local/sbin || exit 1
#Optional, remove old entries
#rm ./sshd_block/block.txt
#This will parse the messages file and extract the sshd lines
grep sshd /var/log/messages | grep Failed >> ./sshd_block/block.txt
#Pull the address that follows "from"; a fixed field number breaks because
#"invalid user" is only present for unknown accounts.  sort before uniq,
#otherwise non-adjacent duplicates survive.
sed -n 's/.* from \([0-9.]*\) .*/\1/p' ./sshd_block/block.txt | sort -u > ./sshd_block/new_block.txt

target=`cat ./sshd_block/new_block.txt`
for i in $target; do
        #only append addresses that are not already in hosts.deny
        grep -q "ALL: *$i\$" /etc/hosts.deny || echo "ALL: $i" >> /etc/hosts.deny
        #echo ALL:$i
done
#remove extra entries from hosts.deny
sort /etc/hosts.deny | uniq > /etc/hosts.new
cp /etc/hosts.new /etc/hosts.deny

REMOVE linewrap from the script above.  Also, you won't lose any items already
in your hosts.deny.  Basically, I grep the /var/log/messages file for sshd
entries and then further grep for Failed lines.  This should pick up all the
invalid users that the probes create.  Next, I use only unique entries, and cut
the IP address out so you only get a list of unique IPs from those criteria.
Then, I add them to hosts.deny.  If you want to be safer, you can change the
line above to read "grep Invalid user" instead of "grep Failed" and then you
will only add IPs who used an invalid user account.  Still possible for you to
slip up and get banned yourself.  Also, I don't remove entries, I only add
them.  If you know the IP ranges or addresses that you SSH from, add them to
hosts.allow just to be extra safe.
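The same log-parsing idea in Python, as an added example that is not part of the original post: it extracts the source address from "Failed password" lines whether or not "invalid user" appears, only denies an address once it has a number of failures (so a single typo of your own does not ban you), and skips anything inside the networks you would put in hosts.allow.  The log lines and networks below are constructed sample data, not from any real host.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of syslog lines in the format the script greps for.
SAMPLE_LOG = """\
Dec 21 03:46:01 host sshd[2001]: Failed password for invalid user patrick from 203.0.113.5 port 40012 ssh2
Dec 21 03:46:03 host sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 40013 ssh2
Dec 21 03:46:05 host sshd[2003]: Failed password for invalid user horde from 203.0.113.5 port 40014 ssh2
Dec 21 03:47:10 host sshd[2010]: Failed password for root from 198.51.100.9 port 51000 ssh2
Dec 21 03:50:00 host sshd[2020]: Failed password for bryan from 192.168.1.20 port 52000 ssh2
Dec 21 03:51:00 host sshd[2021]: Accepted publickey for bryan from 192.168.1.20 port 52001 ssh2
"""

# "Failed password for [invalid user] NAME from IP": the address is the token
# after "from", so no fixed column number (cut -f 13) is needed.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def failed_logins(log_text, invalid_only=False):
    """Count failed password attempts per source IP.
    invalid_only=True mirrors the 'grep Invalid user' variant."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        if invalid_only and not m.group("invalid"):
            continue
        counts[m.group("ip")] += 1
    return counts

def addresses_to_deny(log_text, allow_nets, threshold=3, invalid_only=False):
    """IPs with at least `threshold` failures that are outside every allowed
    network (allow_nets plays the role of hosts.allow), sorted as strings."""
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    deny = []
    for ip, n in sorted(failed_logins(log_text, invalid_only).items()):
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in nets):
            deny.append(ip)
    return deny

def hosts_deny_lines(ips):
    """Render the entries in the form the script appends to /etc/hosts.deny."""
    return ["ALL: %s" % ip for ip in ips]
```

With the sample above, the default threshold denies only 203.0.113.5; the home network entry keeps 192.168.1.20 out of the list even when the threshold is lowered to 1.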

Use this at your own risk.  I am NOT a developer, and certainly not a good
developer.

Also, you need to put this script as is into /usr/local/sbin and you need to
create a working directory called /usr/local/sbin/sshd_block.  Or edit for your
own system.  Script must be run as root to change /etc/hosts.deny and to access
the logs.

For the record, there is another perl script called SSHD-Sentry that I am
working with to see if I can get it working.  If I do, I will post a link to it
and help anyone that wants to get it working.

Also, you might try to find BFD (brute force detection) which is another
script.  I couldn't get that one to work on Mandrake but someone else may be
able to do better.
http://rfxnetworks.com/bfd.php

-- 
Bryan Phinney
