DenySSH is a Ruby application that monitors the auth log of a BSD system for failed SSH login attempts and adds repeat attackers to a Packet Filter table, allowing you to define PF rules to block the attacking hosts or redirect them to a honeypot for your amusement.
There are already a few excellent tools that do almost the same thing, but none of them use PF to block attackers, which makes them less useful to someone like me. Thus, I wrote this.
It's not quite finished yet (I still need to write some documentation), but I've been using it on my servers for several months now and it works well. If you'd like to try it out, you can grab it from the Subversion repository.
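The core of what the description above outlines, as an added illustration rather than DenySSH's own code: parse sshd failure lines from a syslog-format auth log, find sources that fail repeatedly within a short window, and build the pfctl command that would add them to a PF table. The log lines are constructed, and the table name, threshold and window are assumed defaults, not DenySSH's.

```ruby
require 'time'

# Constructed sample of sshd lines in BSD syslog format (not from a real host).
SAMPLE_AUTH_LOG = <<~LOG
  Mar  3 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 50122 ssh2
  Mar  3 10:01:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
  Mar  3 10:01:09 host sshd[1235]: Invalid user oracle from 203.0.113.7
  Mar  3 10:01:11 host sshd[1236]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2
  Mar  3 10:02:30 host sshd[1237]: Failed password for bob from 198.51.100.4 port 41001 ssh2
  Mar  3 10:30:00 host sshd[1238]: Failed password for root from 203.0.113.7 port 50200 ssh2
LOG

# Matches the two common sshd failure messages and captures the source IPv4.
FAILURE_RE = /sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})/

# Parse one syslog line; returns [Time, ip] for a failed attempt, nil otherwise.
# Syslog lines carry no year, so one is supplied (assumed) to build a Time.
def parse_failure(line, year: 2024)
  m = FAILURE_RE.match(line)
  return nil unless m
  stamp = line[0, 15].squeeze(' ')          # "Mar  3 10:01:02" -> "Mar 3 10:01:02"
  [Time.strptime("#{year} #{stamp}", '%Y %b %d %H:%M:%S'), m[1]]
end

# Return the IPs with at least `threshold` failed logins inside any span of
# `window` seconds (a sliding window over the sorted failure times).
def repeat_attackers(log_text, threshold: 3, window: 600)
  by_ip = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    ts, ip = parse_failure(line)
    by_ip[ip] << ts if ip
  end
  by_ip.select do |_ip, times|
    times.sort!
    times.each_cons(threshold).any? { |run| run.last - run.first <= window }
  end.keys
end

# Build the pfctl invocation that would add the hosts to a persistent PF table
# (table name assumed). Returned as an argv array so the caller decides whether
# to execute it; nothing here runs pfctl.
def pfctl_add_command(ips, table: 'denyssh')
  ['pfctl', '-t', table, '-T', 'add', *ips]
end

puts pfctl_add_command(repeat_attackers(SAMPLE_AUTH_LOG)).join(' ')
```

With the sample above only 203.0.113.7 qualifies: its first three failures fall within seven seconds, while the single failure from 198.51.100.4 never reaches the threshold.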
Comments
No title
I do something similar with PF. But I simply monitor for syn packets on port 22. Too many in too short of a period of time and you get dropped into a black list table.
##### Table to hold loser script kiddies trying to brute force ssh logins
table <bruteforce> persist file "/etc/pf_bruteforce"
# This should block anyone who tries to make more than 10 ssh connections in 60 seconds or more than 100 simultaneous total connections
pass in on $ExtIF proto tcp to $ExtIF port ssh flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 8/60, \
    overload <bruteforce>)
I add a small cronjob to save the list:
pfctl -t bruteforce -T show > /etc/pf_bruteforce
Autoformat no-likey the greater than sign. BTW, this wasn't an original idea. I modified something that I lifted from the old interweb.
Also my poor pf deprived linux friends have been using fail2ban for a while. It uses authlog much like your script.
Cheers.
P.S. Congrats on the new WRX. Don't get too arrested. ;)
ssh brute force
The simplest way to protect ssh from brute force is to install pam_abl. For those interested, I've built packages for Ubuntu:
http://tech.tolero.org/blog/en/linux/ssh-password-brute-force-protection
Re: ssh brute force
How simple is it to get pam_abl running in FreeBSD?
Default perms for DB is 777
Perhaps not so good?
Re: Default perms for DB is 777
Ack. Stupid mistake. I've checked a fix into SVN.
Thanks for the heads up, Tor, but in the future, please send me an email and give me an hour or two to release a fix before you publicly announce something like this. You have every right to announce these things publicly of course, but I'd appreciate the courtesy and I think other DenySSH users would appreciate having a fix available before the whole world learns about the problem.
No title
However, I have been thinking about what it would take to expand DenySSH's functionality so that it can update depending on reject messages in the mail log. Gives me a good reason to look into this Ruby thing too.
Thanks for providing us with DenySSH, btw.
No title
"update depending"? Insert 'the table' between those two words. Jeez.
No title
table == 'spamd pf table' (and this time I will preview the post before committing =P).
Re: No title
If you want something similar to DenySSH that'll monitor a mail log, check out DenySpam. It's also in a pre-release state, but I've been doing a lot of work on it lately, and like DenySSH, I've been using it successfully on my servers for quite a while.
No title
Well dang, you've already done it. I'll take a look, thanks!