Security process
    Matthew Dillon 
    dillon at apollo.backplane.com
       
    Tue Mar  9 11:44:11 PST 2010
    
    
  
    I was running a little program based off of syslog for a long time.
    I've included the C code below as well.
auth.info;authpriv.info                         |exec /root/adm/sshlockout
    It basically checks for login failures and then adds a rule via
    ipfw.
    However, I eventually gave up doing this as more and more attacks
    are coming from large numbers of IP addresses.  Instead I now just
    disallow passworded access via ssh entirely and let the attackers
    waste their time.
    In my personal experience the most important thing you need to
    deal with security breaches is at least daily backups going back
    far enough that you can track down where the breach occurred
    and definitively clean up any trojans that were installed.  Trojans
    can be anything... they aren't necessarily going to be the suid
    shells the irc script kiddies were installing in the 90s.  They
    can be as simple as a slight modification to a firewall rule set,
    or PAM, or some other system configuration file which gives the
    attacker a backdoor exploit.
    Without backups to compare against, sanitizing a breached system is
    very difficult.  Just make sure the backup machine itself cannot
    be accessed from the vulnerable machines.
    --
    Service separation can also be a good tool.  One can run vkernels
    for low-bandwidth services, use jails, VMs, and so on and so forth.
					-Matt
					Matthew Dillon 
					<dillon at backplane.com>
/*
 * SSHLOCKOUT.C
 *
 * Use: pipe syslog auth output to this program.  e.g. in /etc/syslog.conf:
 *
 *  auth.info;authpriv.info                         /var/log/auth.log
 *  auth.info;authpriv.info                         |exec /root/adm/sshlockout
 *
 * Detects failed ssh login attempts and maps out the originating IP 
 * using IPFW.
 *
 * *VERY* simplistic.  ipfw entries do not timeout, duplicate entries may
 * occur (though normally not since ssh won't see new connections from
 * the IP otherwise), there are no checks made for local IPs or nets, 
 * or for prior successful logins, etc.
 */
#include <sys/wait.h>
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
/* Defined below main(): parse a dotted-quad address from str and block it with ipfw. */
static void lockout(char *str);
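/*
 * Forward declaration; lockout() is defined further down in this file.
 */
static void lockout(char *str);

/*
 * Return non-zero when line is one of the sshd failure messages this
 * program acts on: a password failure for root or admin, a password
 * failure for an unknown account, or an "Illegal user" report.
 */
static int
is_failed_login(const char *line)
{
    return strstr(line, "Failed password for root from") != NULL ||
	   strstr(line, "Failed password for admin from") != NULL ||
	   strstr(line, "Failed password for invalid user") != NULL ||
	   strstr(line, "Illegal user") != NULL;
}

/*
 * Return a pointer just past the LAST " from " in line, or NULL when the
 * token does not occur.  The address this program acts on is whatever
 * follows that final " from ".  The account name that precedes it is
 * supplied by the remote side, so locating the first " from " after the
 * name could be steered by a crafted name to some other address; taking
 * the last occurrence ties the lockout to the address sshd itself
 * appended to the message.
 */
static char *
after_last_from(char *line)
{
    char *hit = NULL;
    char *p = line;

    while ((p = strstr(p, " from ")) != NULL) {
	hit = p + 6;		/* strlen(" from ") */
	p += 1;
    }
    return hit;
}

/*
 * Read syslog lines from stdin (this program is meant to run as a syslog
 * pipe) and hand the source address of every recognised sshd failure to
 * lockout().  Command-line arguments are ignored.  Returns 0 at end of
 * input.
 */
int
main(int ac, char **av)
{
    char buf[1024];

    (void)ac;
    (void)av;

    openlog("sshlockout", LOG_PID|LOG_CONS, LOG_AUTH);
    syslog(LOG_ERR, "sshlockout starting up");

    /*
     * Nothing is written to stdout/stderr on purpose; detach them from
     * whatever syslogd handed us.  If the redirect fails the stream is
     * merely unusable, which is harmless here, so just record it.
     */
    if (freopen("/dev/null", "w", stdout) == NULL ||
	freopen("/dev/null", "w", stderr) == NULL)
	syslog(LOG_WARNING, "unable to redirect stdout/stderr to /dev/null");

    while (fgets(buf, sizeof(buf), stdin) != NULL) {
	size_t len = strlen(buf);
	char *src;

	/*
	 * fgets() splits a line longer than the buffer into pieces.  Drop
	 * the remainder so a tail fragment is never parsed as a record of
	 * its own, and skip the truncated head as well.  A final line
	 * without a newline (short read at EOF) is still processed.
	 */
	if (len == sizeof(buf) - 1 && buf[len - 1] != '\n') {
	    int c;

	    while ((c = getchar()) != EOF && c != '\n')
		;
	    continue;
	}
	if (strstr(buf, "sshd") == NULL)
	    continue;
	if (!is_failed_login(buf))
	    continue;
	if ((src = after_last_from(buf)) != NULL)
	    lockout(src);
    }
    syslog(LOG_ERR, "sshlockout exiting");
    return(0);
}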
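/*
 * Parse a dotted-quad IPv4 address at the start of str (leading blanks
 * are allowed) and add an ipfw rule denying that address access to
 * port 22.  Input that is not four octets in 0..255 is ignored, and an
 * out-of-range quad is logged so the odd line can be inspected.  The
 * rule is installed by exec'ing ipfw with a fixed argv instead of
 * handing a command line to a shell, so only the validated address text
 * ever reaches the command.  Does not return a status; failures are
 * reported through syslog.
 */
static void
lockout(char *str)
{
    int n1, n2, n3, n4;
    char addr[16];			/* "255.255.255.255" plus NUL */
    char *argv[] = { "ipfw", "add", "2100", "deny", "tcp", "from",
		     addr, "to", "me", "22", NULL };
    pid_t pid;
    int status;

    if (sscanf(str, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) != 4)
	return;
    /* %d also accepts signs and values above 255; refuse anything that is not an octet. */
    if (n1 < 0 || n1 > 255 || n2 < 0 || n2 > 255 ||
	n3 < 0 || n3 > 255 || n4 < 0 || n4 > 255) {
	syslog(LOG_ERR, "ignoring malformed address in: %.80s", str);
	return;
    }
    snprintf(addr, sizeof(addr), "%d.%d.%d.%d", n1, n2, n3, n4);
    syslog(LOG_ERR, "Detected Illegal ssh login attempt, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);

    pid = fork();
    if (pid < 0) {
	syslog(LOG_ERR, "fork failed, cannot lock out %s: %s", addr, strerror(errno));
	return;
    }
    if (pid == 0) {
	/* Child: resolve ipfw through PATH as system() did, but with an explicit argv. */
	execvp(argv[0], argv);
	_exit(127);
    }
    /* Parent: wait for ipfw so failures are visible in the log, retrying across signals. */
    while (waitpid(pid, &status, 0) < 0) {
	if (errno != EINTR) {
	    syslog(LOG_ERR, "waitpid failed for ipfw: %s", strerror(errno));
	    return;
	}
    }
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
	syslog(LOG_ERR, "ipfw add for %s did not succeed (status 0x%x)", addr, status);
}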
    
    