
A script to automatically blacklist illegal ssh attempts UNIX
With increasingly-automated ssh break-in attempts, I created an automated blocking script (which must be run by root) to put into /etc/crontab.

This script auto-blocks IPs that attempt to ssh into your mac illegally (background info). Hope this is useful to someone.

[robg adds: Enter the following in your favorite pure text editor, and make sure it's executable (chmod 755 scriptname). Adding it to cron is left as an exercise for the reader. I have not tested this one yet, and I'm not sure how you create exceptions for allowed IP addresses, such as a Mac at your office.]
#!/bin/sh
# Block source addresses that appear in sshd "Illegal user" log entries by
# adding ipfw deny rules. Must be run as root (e.g. from /etc/crontab).
IPFW=/sbin/ipfw
# This machine's own IPv4 addresses, so the script never firewalls itself.
MYIPS=`ifconfig | fgrep inet | fgrep netmask | awk '{print $2}'`
if [ "$MYIPS" = "" ]
then
  exit 1
fi
#
#if [ "$1" = "" ]
#then
#  LOG=/var/log/system.log
#else
#  LOG="$@"
#fi

# Collect the offending addresses (last field of each matching log line) into
# a securely created temporary file that is removed on exit.
IPLIST=`mktemp /tmp/iplist.XXXXXXXXXX` || exit 1
trap 'rm -f "$IPLIST"' 0 1 2 13 15
zgrep -i Illegal /var/log/system.log*gz | fgrep sshd | awk '{print $NF}' | sort | uniq > "$IPLIST"

# Merge the new addresses into the persistent blacklist, keeping it unique.
touch /etc/blacklist
cat "$IPLIST" /etc/blacklist | sort | uniq > /etc/blacklist.new
if [ -s /etc/blacklist.new ]
then
  mv /etc/blacklist.new /etc/blacklist
else
  rm -f /etc/blacklist.new
fi
chmod og-rwx /etc/blacklist

IPS=`cat /etc/blacklist`

for ip in $IPS
do
  # Only block addresses that are not one of our own.
  if [ "`echo $MYIPS | fgrep -w $ip`" = "" ]
  then
    # Remove any existing rule for this address so it is not added twice.
    rules=`$IPFW show | fgrep -w $ip | awk '{print $1}'`
    if [ "$rules" != "" ]
    then
      for rul in $rules
      do
        $IPFW delete $rul
        echo "$IPFW delete $rul"
      done
    fi
    $IPFW add deny log ip from $ip to any
  fi
done
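As an added example (not part of the original hint), here is the address-extraction step with the allow-list exceptions robg asks about. The log lines are constructed samples, the allow-list format (one address per line) is an assumption, and the rules are printed rather than passed to ipfw:

```shell
#!/bin/sh
# Added example, not from the original hint: pull offending IPs out of sshd
# "Illegal user" lines, drop any address on an allow-list, and show the ipfw
# rules the cron script would add. Log lines and allow-list are constructed.

# Constructed sample syslog lines (same field layout the hint's awk relies on).
SAMPLE_LOG='Sep 14 11:41:07 mac sshd[1234]: Illegal user admin from 203.0.113.7
Sep 14 11:41:09 mac sshd[1235]: Illegal user test from 203.0.113.7
Sep 14 11:42:10 mac sshd[1240]: Illegal user oracle from 198.51.100.20
Sep 14 11:43:00 mac sshd[1250]: Illegal user guest from 192.0.2.5
Sep 14 11:44:00 mac sshd[1251]: Accepted publickey for bob from 192.0.2.5 port 2222 ssh2'

# offenders LOGTEXT ALLOWLIST -> unique IPv4 addresses from "Illegal user"
# sshd lines, minus any address listed (one per line) in ALLOWLIST.
offenders() {
    printf '%s\n' "$1" | grep -i 'Illegal' | fgrep sshd | awk '{print $NF}' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
      | sort -u | while read -r ip; do
        # -x matches the whole line, so 192.0.2.5 does not match 192.0.2.50
        printf '%s\n' "$2" | grep -qxF "$ip" || echo "$ip"
      done
}

# ipfw_rules "IP IP ..." -> the deny rules the hint's loop would add (printed only).
ipfw_rules() {
    for ip in $1; do
        echo "/sbin/ipfw add deny log ip from $ip to any"
    done
}

# Example run: allow-list holds the office Mac, everything else gets a rule.
ALLOW='192.0.2.5'
ipfw_rules "$(offenders "$SAMPLE_LOG" "$ALLOW")"
```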

Warnings? - xinetd
Authored by: ssevenup on Sep 14, '04 11:41:07AM

Won't this approach cause the Sharing/Firewall control panel to complain that "other software" is controlling the firewall? Probably not a deal breaker but I thought it worth mentioning.

I think an xinetd rule is the better approach to this problem anyway, unless you're really interested in looking at who is knocking.

--MM

---
Mark Moorcroft
ELORET Corp. - NASA/Ames RC
Sys. Admin.



Warnings? - xinetd
Authored by: jstripli on Sep 14, '04 01:49:04PM
I apologize for my ignorance, but what rules are you referring to? The man page on xinetd is not much help :-/ You are not simply referring to the hosts.deny file, are you?

Warnings? - xinetd
Authored by: gourls on Sep 14, '04 06:15:00PM
That's really smart thinking, but listen to the guy. Who wants illegal stuff crashing your Mac? And SSH is an interesting name for a-uh-illegal thing?

---
Why must you try me?


Warnings? - xinetd
Authored by: tobyc on Sep 15, '04 01:46:54AM

What do you mean illegal? SSH is perfectly legal and has been a part of OSX since the beginning.



Warnings? - xinetd
Authored by: Jaharmi on Oct 27, '04 11:32:21PM

SSH is the secure shell. It's what you're enabling when you turn on "Remote Login" in System Preferences > Sharing.

It's essentially a more secure version of Telnet, if you're familiar with that, and also provides scp/sftp (secure copy and secure FTP) services. You can use them from the command line, or from GUI applications like Fugu.



A script to automatically blacklist illegal ssh attempts
Authored by: thrig on Sep 14, '04 11:52:46AM

The following is poor code, and should not be used. Read more information about temporary file attacks. Instead, use mktemp to create a secure temporary file.

TMPFILE=`mktemp /tmp/example.XXXXXXXXXX` || exit 1
trap "rm -f $TMPFILE" 0 1 2 13 15
zgrep -i Illegal /var/log/system.log*gz | fgrep sshd | awk '{print $NF}' | sort | uniq > $TMPFILE

Maintaining a list of known-bad is far weaker security than simply blocking all by default, then only allowing in specific connections from good hosts. If the list of good hosts is too dynamic, consider port knocking to open the port on the fly to a trusted host.



A script to automatically blacklist illegal ssh attempts
Authored by: EddEdmondson on Sep 14, '04 12:56:03PM

I wonder why this is run from cron - it'd be better to have it parse a 'tail -f' continually or something, surely?

Anyway, there are several other things to consider here:
1) The possibility of blacklisting machines that genuine users are trying to login from, perhaps if they mistype their own username or password and trigger the blacklist.
2) That you should aim to whitelist anyway as thrig says, and that an up to date sshd should be pretty resistant to attacks so blacklisting is unlikely to block a significant number of attacks that would otherwise get through.

The risks of 1) in return for the benefits of 2) would make me wary of applying this.



A script to automatically blacklist illegal ssh attempts
Authored by: flipflop on Sep 14, '04 01:50:00PM

The preferred way of doing this is to use the built in TCP wrappers, by specifying who (by IP address or domain name, with wildcards allowed) is allowed to connect to each and any service as specified in /etc/hosts.allow and /etc/hosts.deny

Here's a URL to start you off:
http://www.hmug.org/HowTos/tcpwrappers.html

And as always 'man' is your friend, and Bob's your uncle:
'man hosts_access'



A script to automatically blacklist illegal ssh attempts
Authored by: jpgetty on Sep 14, '04 02:15:26PM

But I regularly ssh into machines from my laptop via WiFi while on travel, so how can I use tcpwrappers to allow access from a changing IP? My solution so far is to allow ssh from work, and ssh into my work machines, but that just pushes the firewall back into being Someone Else's Problem (my work's sysadmins).



A script to automatically blacklist illegal ssh attempts
Authored by: kevinv on Sep 14, '04 05:15:08PM
Turn off any password access to SSH. Force everyone to generate SSH keys and use those to login. I keep the encrypted private key on my flash drive and carry it around with me.

see the OpenSSH KeyGen program


A script to automatically blacklist illegal ssh attempts
Authored by: sophistry on Sep 15, '04 11:20:03AM

how do i restrict password access to SSH and allow only keygen access? thanks for any pointers!

soph



A script to automatically blacklist illegal ssh attempts
Authored by: kevinv on Sep 15, '04 07:39:39PM
In the /etc/ssh/sshd_config file change the option (or add it if missing) PasswordAuthentication to no. Set the option PubkeyAuthentication to yes. If you have to use SSH protocol version 1 then set RSAAuthentication to yes.

Oh and set PermitRootLogin to no while you're there.

sshd_config man page

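An added check, not from kevinv's comment, that audits an sshd_config text for the three settings he names and reports which are still at a weak or unset value. Both config texts are constructed samples, and Match blocks are not handled:

```shell
#!/bin/sh
# Added example, not from the original comment: report which of the options
# kevinv lists are missing or weak in an sshd_config text. A commented-out
# line counts as unset, since sshd then falls back to its default.

# effective OPTION CONFIGTEXT -> value from the last uncommented OPTION line,
# or "unset" if there is none (option names are case-insensitive in sshd).
effective() {
    val=$(printf '%s\n' "$2" | grep -i "^[[:space:]]*$1[[:space:]]" \
          | tail -n 1 | awk '{print $2}')
    [ -n "$val" ] && echo "$val" || echo unset
}

# audit CONFIGTEXT -> names of options not at their hardened value, one per
# line; empty output means all three settings are as recommended.
audit() {
    [ "$(effective PasswordAuthentication "$1")" = no ] || echo PasswordAuthentication
    [ "$(effective PubkeyAuthentication "$1")" = yes ]  || echo PubkeyAuthentication
    [ "$(effective PermitRootLogin "$1")" = no ]        || echo PermitRootLogin
}

# Constructed sample: the defaults many installs ship with.
WEAK_CONFIG='#PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes'

# Constructed sample: after the edits kevinv describes.
HARDENED_CONFIG='PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no'

echo "weak config still needs:"; audit "$WEAK_CONFIG"
echo "hardened config still needs:"; audit "$HARDENED_CONFIG"
```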

A script to automatically blacklist illegal ssh attempts
Authored by: tamás on Sep 16, '04 10:52:00PM

After reading the various replies, I second the recommendation of kevinv to use keys as that is definitely the best practice method of enhancing ssh security. The other methods may create additional hurdles for the would-be attacker, but they are prone to breakage if the legitimate clients' addresses change, they require too much maintenance, and they are the wrong tool for the job.



A script to automatically blacklist illegal ssh attempts
Authored by: MikeyMac on Jan 06, '05 02:00:07PM
There is a Perl version of an SSH blacklisting script here:

http://www.pettingers.org/code/SSHBlack.html

It gives the option of whitelisting and can operate in a FIFO to keep the list size down.

There are also some good tips at the bottom of that page for general SSH security.
