SSH breakin attacks and how to deal [Archive] - ZGeek



wolfpac181
28-02-2006, 10:26 AM
A few of my servers get hit constantly by ssh attacks. I'm talking a few thousand per day. It's just ticking me off, and I'm tired of adding IPs to firewalls for each and every new instance.

I've been checking out PSAD, which is great for packet checking if configured right. It does an alright job of blocking ports after a regulated scan is detected. But that entails that they must go port to port (like a sailor). It won't protect just one call.

Thinking.... hmmm. ssh attacks are logged, so I can go with a realtime log monitor. There's SWATCH, and it watches logs in realtime; keywords execute external commands, and life rules if that happens.

I hacked up someone else's script to fit my purpose, and am seeing if anyone would like to have a go at it. Tell me if it works nicely for them. Please install swatch first, then fill in the scripts as follows:

.swatchrc (key things for swatch to look for)
watchfor /Failed password for/
exec "/usr/bin/bad-login $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15 $16 $17 $18 $19 $20"


/usr/bin/bad-login (what to do when swatch finds something)
#! /bin/bash
#
# Called by swatch with the matching auth.log line as its arguments.
# Pull the client address out of the "... from <ip> ..." part and strip the
# IPv4-mapped "::ffff:" prefix that some sshd builds log.
IP=`echo "$*" | sed 's/^.* from //' | awk '{print $1}' | sed 's/::ffff://'`
[ -z "$IP" ] && exit 0

# Count every failed password attempt seen so far from this address.
ATTEMPTS=`grep "$IP" /var/log/auth.log | grep -c "Failed password for"`

if [ "$ATTEMPTS" -gt 2 ]
then
  # Blackhole the address via a route to loopback, then schedule its removal.
  # at(1) prints its "job N at ..." line on stderr, so capture both streams.
  route add $IP lo
  MINUTES=`expr $ATTEMPTS + 27`
  echo "route del $IP lo 2> /dev/null" | at now +$MINUTES minutes > /tmp/.bad_login.$$ 2>&1
  (hostname ; echo "$*" ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \
   echo "Blocking for $MINUTES minutes" ; \
   echo "whois summary" ; whois $IP ; \
   cat /tmp/.bad_login.$$ ) | Mail -s "blocked logins" root
fi

rm -f /tmp/.bad_login.$$


Then just an automated turn-on for the name blocker:
#! /bin/bash

# Start swatch in the background, following auth.log with "tail -F" so it
# survives log rotation, and pass each matching line to bad-login as awk fields.
/usr/bin/swatch --config-file=/root/.swatchrc --tail-file=/var/log/auth.log --awk-field-syntax --tail-args "-F" &


Run the above code.

Pop these in, and it works fairly well. They get 3 attempts, then are blocked for 30 min. If they try again within the 30 min, another 30 min is added. Should work nicely.

I want to clean up the whois bit; the email alerts look ugly. But I could totally ask what ya think about it all.

I also want to use PSAD to block. I might pop that in another time after refining it.

Also, this is for a Deb distro; fix the log files to fit your distro.
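The detection rule the bad-login script applies (count "Failed password" lines per source IP, block after more than 2, for attempts+27 minutes) as an added, stand-alone example that is not part of the original post. It runs offline over constructed auth.log lines, so the matching and the ::ffff: handling can be checked before wiring anything to swatch.

```python
import re
from collections import Counter

# Matches the sshd "Failed password" line the swatch rule keys on. The optional
# "::ffff:" prefix is the IPv4-mapped form the original sed strips.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?:::ffff:)?(\S+) port \d+"
)

# Constructed sample of /var/log/auth.log lines (not real traffic).
SAMPLE_LOG = """\
Feb 28 10:01:02 host sshd[4123]: Failed password for root from 192.0.2.10 port 51122 ssh2
Feb 28 10:01:05 host sshd[4125]: Failed password for invalid user admin from 192.0.2.10 port 51130 ssh2
Feb 28 10:01:09 host sshd[4127]: Failed password for root from ::ffff:192.0.2.10 port 51140 ssh2
Feb 28 10:02:00 host sshd[4130]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Feb 28 10:02:30 host sshd[4131]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Feb 28 10:03:00 host sshd[4133]: Failed password for root from 203.0.113.5 port 2222 ssh2
Feb 28 10:03:01 host sshd[4134]: Failed password for root from 203.0.113.5 port 2223 ssh2
"""

THRESHOLD = 2       # the script blocks when ATTEMPTS -gt 2
BASE_MINUTES = 27   # MINUTES = ATTEMPTS + 27


def source_ip(line):
    """Return the client IP from a failed-login line, or None for any other line."""
    m = FAILED_RE.search(line)
    return m.group(1) if m else None


def failed_attempts(log_text):
    """Count failed password attempts per source IP across the whole log text."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = source_ip(line)
        if ip:
            counts[ip] += 1
    return counts


def block_decisions(log_text, threshold=THRESHOLD, base_minutes=BASE_MINUTES):
    """Map each IP over the threshold to the block length the script would use."""
    return {ip: n + base_minutes
            for ip, n in failed_attempts(log_text).items() if n > threshold}


if __name__ == "__main__":
    for ip, minutes in sorted(block_decisions(SAMPLE_LOG).items()):
        print(f"{ip}: block for {minutes} minutes")
```

Only 192.0.2.10 crosses the threshold in the sample (three failures, one of them in ::ffff: form), giving the 30-minute block the post describes; the accepted login is ignored.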

macgyver
28-02-2006, 07:41 PM
Don't want to ask stupid questions, but is there any reason why you can't block port 22 on all these IPs and just put a VPN box on your network which gives out IPs that are allowed to access ssh?

We personally don't have ANY management services facing anywhere near the outside world.

On the other hand, kudos for some good chopping and changing to get more secure!

wolfpac181
28-02-2006, 08:24 PM
Cause..... that's my answer.

I don't want to spend every day, for the rest of my life, blocking IPs on my servers at work. I do a lot from home as well as others, and not all of us have static IPs.

A big thing I want to try also is remote syslogging all servers to a single box, and having it run the batch of scripts to push out to all servers.
One box gets attacked in my group, then the whole group goes to lockdown on the IP.

ewe2
01-03-2006, 08:20 AM
I was almost going to go to these lengths at one stage, but I already had a good firewall up, and after a couple of weeks the ssh attackers (mostly Chinese) gave up. I rarely get ssh attacks now; I get forged UDP packets instead :)

Spingo
01-03-2006, 09:52 AM
Try running SSHD on a different port - that stops 99% of the attacks on a couple of my Linux systems.

Secondly, install APF and BFD - they automatically detect the breakin attempts and add the offending IPs to ze firewall. See http://www.rfxnetworks.com/apf.php and http://www.rfxnetworks.com/bfd.php

wolfpac181
02-03-2006, 03:18 AM
Well, I tried without looking into the alternatives.
Actually, this runs fairly well with low system usage. Glad on that.