<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I wrote this script to thwart the brute force ssh hackers. It isn't
the most efficient but it works. it blocks their ip using iptables. I
run it every min via cron<br>
<br>
<br>
<br>
#!/usr/bin/perl<br>
<br>
###vars<br>
<br>
$lines=5000; #lines to tail<br>
$pos=10; #count lines that are positive to kick ip<br>
$lp=$lines+1000;<br>
<br>
<br>
$log=`tail -n $lp /var/log/secure | grep 'Failed password' | tail -n
$lines`;<br>
<br>
<br>
@nage = split (/\n/,$log);<br>
foreach $ip (@nage) {<br>
$ip=~ /(\d*\.\d*\.\d*\.\d*)/;<br>
push @ips,$1;<br>
}<br>
<br>
@ips_1=@ips;<br>
@ips_2=@ips;<br>
<br>
#gets a unique ip list<br>
foreach $snip (@ips) {<br>
$n=0;<br>
$t=0;<br>
while (@ips_1[$n]) { <br>
if ($snip == $ips_1[$n]) {<br>
if ($t==0) { #print "$snip==$ips_1[$n]\n";<br>
$move=0;<br>
foreach $cnip (@sips) {<br>
if ($snip==$cnip) {<br>
$move++;<br>
}<br>
}<br>
if ($move==0) {<br>
push @sips, $snip;<br>
}<br>
$t++;<br>
}<br>
} <br>
$n++;<br>
}<br>
}<br>
<br>
<br>
#takes the unique list and counts against the full ip list<br>
$nn=0;<br>
foreach $nip (@sips) {<br>
$m=0;<br>
$n=0;<br>
while (@ips_2[$n]) {<br>
if ($nip==@ips_2[$n]) {$m++;}<br>
$n++;<br>
}<br>
if ($pos<$m) {<br>
if ($nn==0) {<br>
$cur=`/sbin/iptables -L -n`;<br>
}<br>
if ($cur!~/$nip/) {`/sbin/iptables -t filter -I INPUT
-s $nip -j DROP`;}<br>
}<br>
}<br>
<br>
Gerald wrote:
<blockquote
cite="midc80517ed0512261656y63dda19dl1cda0dd273132258@mail.gmail.com"
type="cite">
<pre wrap="">good suggestion.. I limited the users and restricted root.
does anyone know how to change the defualt "login as:" banner to something else?
Gerald
On 12/26/05, Mail List <a class="moz-txt-link-rfc2396E" href="mailto:lists@sapience.com"><lists@sapience.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Monday 26 December 2005 00:24, Gerald wrote:
</pre>
<blockquote type="cite">
<pre wrap="">It looks like i'm getting a dictionary attack on my system. I moved
ssh to another port instead of 22 in hopes that would put a halt to it
</pre>
</blockquote>
<pre wrap="">
You probably don't want to advertise the port you chose either as per your
mail.
You may also wish to set:
PermitRootLogin no
AllowUsers gerald other1 other2 etc
(i.e. limit to users you care about with known strong passwords or keys only
as someone else suggested).
DUmb question - did you service sshd restart to make sure your changes were
picked up?
\g/
--
fedora-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a>
To unsubscribe: <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-list">https://www.redhat.com/mailman/listinfo/fedora-list</a>
</pre>
</blockquote>
<pre wrap=""><!---->
--
-Gerald
</pre>
</blockquote>
</body>
</html>