hajo at hajo.net
Fri Oct 29 12:36:17 UTC 2004
On Thu, 2004-10-28 at 18:45, John Aldrich wrote:
> On Thursday 28 October 2004 03:37 am, HaJo Schatz wrote:
> > I have hacked a script which tails /var/log/secure and reacts on attempts
> > to log in as root with password. Such offending IPs are then denied port
> > 22 access. Any comments, positive or negative, on this?
> Oooh... care to post it? I like the sounds of that. :-)
Sure, dead simple anyway. You can source the resulting blackist.txt e.g.
in hosts.deny where you might want to block ssh access only.
Alternatively, use the IPs as new rules for your firewall. Note that the
blacklist.txt file has to exist for the script to run (lazy me ;)).
BTW, thanks guys for all your comments. I'm more worried about an
accidential PW discovery on a user name than a DOS, so I think my chosen
path should be OK. PW authentication is a must for users connecting from
unknown IPs (whereas I have of course disabled root PW access). I'll
have a look into snort though...
# Remember to restart this daemon after rotating the secure-log!!!
my $BL = "/opt/sshBruteDetect/blacklist.txt";
my $LOG = "/var/log/secure";
open F, "tail -n -0 -f $LOG |" or die "Could not open log file\n ERROR:
if( $_ =~ /sshd.*Failed password for root from (.+) port/ )
$IP = $1;
open B, "$BL" or die "Could not read blacklist-file!\n ERROR: $!";
LOOP: while ( <B> )
if( $_ =~ /$IP/ )
close B ;
if( !$found )
open B, ">> $BL" or die "Could not write to blacklist-file!\n
print B "$IP\n";
HaJo Schatz <hajo at hajo.net>
More information about the fedora-list