ArchLUG Kwiki - www.archlug.org


SSH Kwikis


The ArchLUG SSH fingerprint:

The authenticity of host 'www.archlug.org (209.16.204.19)' can't be established.

RSA key fingerprint is 16:02:d8:9e:cc:91:9a:6b:6a:f8:d0:88:ef:a5:c1:c9.

Add the following line to your known_hosts file so that ssh can verify the host key (it is one line, shown here wrapped at 78 characters):

www.archlug.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAqjPhHW0zsSWJ2WRJXe1x2awlnH
a9oNWwtL12MT/EnFZlglDnK+tftq0GNinWJWQQ3178es5gwd6VnhJ0FeK0zkEzg0CyTPwtHOpsIQom
MwtIEdp5SBrW8U2fzK+yH1kEDrFDkpxTCBUr0J6yWyM52HPWXbHziwULRtsa1sE3iGM=

rssh

rssh is a restricted shell for use with OpenSSH that allows only scp and/or sftp. For example, if you have a server from which you only want users to copy files via scp, without giving them shell access, you can use rssh to do that.


I've been noticing an increase in overly curious nodes in the auth logs poking at my ssh daemon with a blunt stick. Someone with too much time on their hands has been distributing a script that dictionary-attacks ssh ports. I run sshd so that authorized users can access the server remotely, not so that anyone else can.

The following bash script automagically adds the IP address of the attacking node (as found in the auth log) to your /etc/hosts.deny file, effectively shutting it out. I have added it to my crontab, so it runs every few minutes.

#!/bin/bash
# Adds attacking IP addresses to deny list
#
log_file="${1:-/var/log/auth.log}"
#
# Abort the script if the log file has not been modified since it has been read.
# (-N compares mtime with atime; on a noatime filesystem it is always true and
# the script simply runs every time.)
builtin test ! -N "$log_file" && exit 0
#
# Collapse runs of spaces so the IP address is always field 10, then sort so that
# uniq -c below counts every attempt from an address, not only consecutive ones.
list=`grep 'Illegal user' "$log_file" | sed -e 's/  */ /g' | cut -d' ' -f10 | sort -n`
[ -z "$list" ] && exit 0
echo "$list" | uniq -c | while read count ip
do
   # -wF: match the whole address literally, so 10.0.0.1 does not hide 10.0.0.12
   [ 0 -ne `grep -cwF "$ip" /etc/hosts.deny` ] && continue
   (printf "ALL: %12s # added `date +"%Y-%m-%d %R"` (%s Illegal user attempts)\n" "$ip" "$count") >> /etc/hosts.deny
done

Explanation:

  • 'grep' pulls the 'Illegal user' lines from the log
  • 'sed' collapses runs of spaces into one, so the field positions are stable
  • 'cut' extracts only the IP address (field 10, the word after 'from')
  • 'sort' puts identical IP addresses next to each other (the -n only makes the order numeric, which is cosmetic)
  • 'uniq -c' collapses the duplicates and counts how many attempts originated from each IP address
  • The second 'grep' tests to see if the IP address is already in /etc/hosts.deny
  • If not, it is added, along with a datestamp.

Password errors do not count. The script only looks at attempts to guess user names. You would only be denied access yourself by mistyping your own userid at the 'login as' prompt. Blocking attempts to discover your root password (if you allow remote root access) is left as an exercise for the reader. Take the following precautions against locking yourself out:

Add your own IP block and any trusted nodes to /etc/hosts.allow. That file is consulted first, so its entries override the deny list.

ALL: 192.168.10.0/255.255.255.0
ALL: csis-scrs.gc.ca
ALL: where.I.work.ca

If you travel a lot, however, the following revised script includes a threshold setting: if it counts more improper logins from a node per log period than the threshold, it adds that node to the deny list.

#!/bin/bash
# Adds attacking IP addresses to the deny list once they pass a threshold
#
log_file="${1:-/var/log/secure}"
#
# Abort the script if the log file has not been modified since it has been read.
# (-N compares mtime with atime; on a noatime filesystem it is always true and
# the script simply runs every time.)
builtin test ! -N "$log_file" && exit 0
#
threshold=3
# Sort before uniq -c so every attempt from an address is counted together;
# without the sort, uniq -c only counts consecutive lines and a node whose
# attempts are interleaved with others would stay under the threshold.
list=`grep 'Illegal user' "$log_file" | sed -e 's/  */ /g' | cut -d' ' -f10 | sort`
[ -z "$list" ] && exit 0
echo "$list" | uniq -c | while read count ip
do
   [ $count -le $threshold ] && continue
   # -wF: match the whole address literally, so 10.0.0.1 does not hide 10.0.0.12
   [ 0 -ne `grep -cwF "$ip" /etc/hosts.deny` ] && continue
   (printf "ALL: %12s # added `date +"%Y-%m-%d %R"` (%s Illegal user attempts)\n" "$ip" "$count") >> /etc/hosts.deny
done

This script only needs to run on the machine that exposes the ssh port. The following entry in /etc/crontab should do the trick, running it every five minutes:

*/5 * * * * root /path/to/script
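The following is an added example, not code from the ArchLUG page: a hardened variant of the threshold script, written as functions so it can be exercised against a constructed log rather than the live /var/log/secure. Newer OpenSSH releases log 'Invalid user' instead of 'Illegal user' and append 'port NNNN' to the line, so this version matches both wordings and takes the address that follows 'from' rather than a fixed column; it sorts before counting, matches the deny file as a whole word so that 10.0.0.1 does not hide 10.0.0.12, and consults a trusted-address file (the hosts.allow idea) before denying. The scratch directory, the sample log lines, the trusted address and the pre-existing deny entry are constructed for the demonstration, and only dotted-quad IPv4 addresses are handled. Keep in mind that /etc/hosts.deny only takes effect if sshd was built with TCP wrappers (libwrap) support.

```shell
#!/bin/bash
# Added example (not from the ArchLUG page): hardened threshold script as
# functions, tried against a constructed log instead of /var/log/secure.

# Print "count ip" for every address with at least one invalid-user attempt.
# Matches the old "Illegal user" and the newer "Invalid user" wording, takes the
# word after "from" (so "port 40122" at the end does not shift the column) and
# sorts before uniq -c so interleaved attempts are counted together.
# Assumption of this example: only dotted-quad IPv4 addresses are kept.
count_invalid_users() {
    local log_file="$1"
    grep -E 'I(llegal|nvalid) user ' "$log_file" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
      | grep -E '^[0-9]+(\.[0-9]+){3}$' \
      | LC_ALL=C sort | uniq -c \
      | awk '{ print $1, $2 }'
}

# Succeed if ip already appears as a whole word in deny_file
# (-w keeps 10.0.0.1 from matching 10.0.0.12, -F keeps the dots literal).
already_denied() {
    local ip="$1" deny_file="$2"
    [ -f "$deny_file" ] && grep -qwF -- "$ip" "$deny_file"
}

# Succeed if ip is listed exactly, one address per line, in allow_file.
is_trusted() {
    local ip="$1" allow_file="$2"
    [ -f "$allow_file" ] && grep -qxF -- "$ip" "$allow_file"
}

# Append a deny entry for each address over the threshold; print each ip added.
deny_attackers() {
    local log_file="$1" deny_file="$2" allow_file="$3" threshold="$4"
    count_invalid_users "$log_file" | while read -r count ip; do
        [ -z "$ip" ] && continue
        [ "$count" -le "$threshold" ] && continue
        is_trusted "$ip" "$allow_file" && continue
        already_denied "$ip" "$deny_file" && continue
        printf 'ALL: %-15s # added %s (%s invalid user attempts)\n' \
            "$ip" "$(date +'%Y-%m-%d %R')" "$count" >> "$deny_file"
        echo "$ip"
    done
}

# Constructed sample log lines (not from a real server), written to $1.
# The lowercase "invalid user" in the "Failed password" line is a password
# error and is deliberately not counted, as on the page.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 03:12:01 host sshd[1201]: Illegal user admin from 198.51.100.7
Jan  5 03:12:03 host sshd[1203]: Illegal user oracle from 198.51.100.7
Jan  5 03:12:05 host sshd[1205]: Illegal user test from 198.51.100.7
Jan  5 03:12:07 host sshd[1207]: Illegal user guest from 198.51.100.7
Jan  5 03:13:00 host sshd[1210]: Invalid user bob from 203.0.113.9 port 40122
Jan  5 03:13:09 host sshd[1211]: Invalid user alice from 203.0.113.9 port 40130
Jan  5 03:13:10 host sshd[1211]: Failed password for invalid user alice from 203.0.113.9 port 40130 ssh2
Jan  5 03:14:00 host sshd[1220]: Invalid user root2 from 192.0.2.44 port 50001
Jan  5 03:14:01 host sshd[1221]: Invalid user root3 from 192.0.2.44 port 50002
Jan  5 03:14:02 host sshd[1222]: Invalid user root4 from 192.0.2.44 port 50003
Jan  5 03:14:03 host sshd[1223]: Invalid user root5 from 192.0.2.44 port 50004
Jan  5 03:15:00 host sshd[1230]: Accepted publickey for me from 192.0.2.44 port 50010 ssh2
EOF
}

# Run against a scratch directory and print the addresses that were denied.
# 198.51.100.7 (4 attempts) is over the threshold of 3 and is not hidden by the
# unrelated 198.51.100.70 entry; 203.0.113.9 has only 2 attempts; 192.0.2.44 is
# over the threshold but trusted (constructed "own office" address).
run_demo() {
    local dir
    dir=$(mktemp -d)
    write_sample_log "$dir/auth.log"
    printf '192.0.2.44\n' > "$dir/trusted"
    printf 'ALL: 198.51.100.70 # unrelated existing entry\n' > "$dir/hosts.deny"
    deny_attackers "$dir/auth.log" "$dir/hosts.deny" "$dir/trusted" 3
    rm -rf "$dir"
}

run_demo    # prints 198.51.100.7
```

Run as is it touches nothing outside a mktemp directory. To use it for real, call deny_attackers from root's crontab with the live log, /etc/hosts.deny, a file of your own trusted addresses and the threshold you want.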

See also http://archives.mn-linux.org/pipermail/tclug-list/2006-January/048733.html

