I was dealing with the same issue and ran across this small, easy-to-install Python script: Script Kiddy Defence Script
http://mr.uue.org/projects/skds/

I run shorewall / iptables on FC4 and have been very happy with this script for over a month now.

Jim

On 1/28/06, Mike Hicks <hick0088 at tc.umn.edu> wrote:
> Hi,
>
> I finally got around to making an automatic blackhole setup to stop the
> bots that try to SSH into my box all the time. I'm sure people have
> done this before, but I couldn't find many decent references googling
> around. So, I figured I'd explain what I did so others can waste less
> time.
>
> First off, I switched from running the standard syslogd/klogd setup to
> using syslog-ng. The advantage of syslog-ng is that you can have it
> pipe some or all of the logs that are received into another program,
> which can handle events as they happen.
>
> I pondered making a utility of my own to filter the logs for SSH login
> failures, but I finally came across a reasonable utility online. SEC,
> the Simple Event Correlator [http://kodu.neti.ee/~risto/sec/], uses Perl
> and allows for Perl's regular expression syntax, which I'm most
> comfortable with (and when I forget things, I can just do "man perlre"
> to remember).
>
> Finally, I decided to make myself a simple blackhole script to give
> myself a little more flexibility (for example, I'll expand it in the
> future to have a "whitelist" of IP addresses, so if I'm feeling
> forgetful one day, I hopefully won't block myself).
>
> I added these entries to my /etc/syslog-ng/syslog-ng.conf file, which
> filters my logs and only sends messages from sshd to SEC (my firewall is
> just a Pentium 133, so I didn't want to send everything there):
>
> # set up the destination of sec, which uses STDIN ('-') as input
> destination d_sec { program("sec -input=- -conf=/etc/sec.conf"); };
>
> # set up a filter to only pick up logs from the SSH daemon
> filter f_sshd { program(sshd.*); };
>
> # connect log source, filter, and destination
> log {
>     source(s_all);
>     filter(f_sshd);
>     destination(d_sec);
> };
>
> I also created a rule for SEC that will run my blackhole script if three
> failed logins appeared within a 30-second window. After an hour (3600
> seconds), I run my script again to unblock the IP address (otherwise my
> blackhole chain would probably become very long after a while).
>
> type=SingleWith2Thresholds
> ptype=RegExp
> pattern=Failed password for (?:root|illegal user \S+) from ::ffff:([0-9.]+)
> desc=Repeated login failures from $1
> window=30
> thresh=3
> action=shellcmd /usr/local/bin/blackhole.pl add $1
> desc2=Blackholed $1 for one hour, removing
> window2=3600
> thresh2=0
> action2=shellcmd /usr/local/bin/blackhole.pl remove $1
>
> I created a blackhole script that would add the IP to some rule chains
> that are already set up on my firewall. I use the shorewall script to
> define rules, which has a pre-defined "dynamic" chain for blackholing
> sites, plus a "reject" target chain that will sanely react to a variety
> of different incoming traffic. (I suppose calling it a "blackhole"
> isn't really accurate in this case, since my firewall will generally
> send TCP reset, port unreachable, or other responses when traffic is
> being rejected).
>
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> my ($action, $ip) = @ARGV;
>
> # only accept a dotted-quad address, so nothing else ever reaches iptables
> die "usage: $0 add|remove IP\n" unless defined $ip && $ip =~ /^[0-9.]+$/;
>
> if ($action eq 'add') {
>     # list-form system() runs iptables directly, with no shell in between
>     system ('iptables', '-A', 'dynamic', '-s', $ip, '-j', 'reject');
>     system ('logger', '-t', "blackhole.pl[$$]", "added $ip to blackhole list");
> }
> elsif ($action eq 'remove') {
>     system ('iptables', '-D', 'dynamic', '-s', $ip, '-j', 'reject');
>     system ('logger', '-t', "blackhole.pl[$$]", "removed $ip from blackhole list");
> }
>
> I finished it up late last night, and wasn't quite sure if it was
> working. I'd attempted to fail SSH logins a few times from a remote
> shell account I have, but it didn't seem to work (maybe I just didn't
> type fast enough ;-) However, when I woke up today, I was happy to see
> that this setup had added and then removed blackhole rules for two
> sites.
>
> --
> Mike Hicks <hick0088 at tc.umn.edu>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
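The syslog-ng, SEC and blackhole.pl pieces in Mike's message together form one pipeline: match failed-login lines, count them per source address in a 30-second window, block at three, unblock an hour later. The Python below is an added example that is not from the thread, from SEC, or from the skds project; it replays that correlation in-process over a constructed set of sshd log lines so the thresholds can be checked without a firewall. It keeps the SEC rule's regex and numbers, adds the whitelist Mike says he plans to add, builds the iptables rule as an argv list instead of a shell string, and generalizes the pattern in two labelled ways: the "::ffff:" prefix is optional (it only appears when sshd accepts IPv4 clients on a v6 socket), and "invalid user", the wording newer OpenSSH uses in place of "illegal user", also matches. The year 2006, the host name "fw" and every address and pid in the sample log are made up; block expiry is checked whenever a new line arrives rather than on a timer, which is how SEC does it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern adapted from the SEC rule in the post. Two generalizations (assumptions):
# the "::ffff:" prefix is optional, and "invalid user" (newer OpenSSH wording) matches.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:root|(?:illegal|invalid) user \S+) from (?:::ffff:)?([0-9.]+)"
)
SYSLOG_TIME = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")

WINDOW = 30            # window=30 in the SEC rule
THRESH = 3             # thresh=3
BLOCK_SECONDS = 3600   # window2=3600: unblock an hour later
LOG_YEAR = 2006        # hypothetical: syslog timestamps carry no year
EPOCH = datetime(LOG_YEAR, 1, 1)

def log_time(line):
    """Seconds since Jan 1 of LOG_YEAR for a syslog-style line, or None if no timestamp."""
    m = SYSLOG_TIME.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return int((stamp - EPOCH).total_seconds())

def iptables_argv(action, ip):
    """The rule blackhole.pl adds or removes, as an argv list (no shell involved)."""
    flag = {"add": "-A", "remove": "-D"}[action]
    return ["iptables", flag, "dynamic", "-s", ip, "-j", "reject"]

class Blackholer:
    """In-process stand-in for SEC's SingleWith2Thresholds rule, plus a whitelist."""
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.blocked = {}                   # ip -> time its block expires
        self.actions = []                   # (time, "add"|"remove", ip), in order

    def expire(self, now):
        """Lift blocks whose hour is up; SEC uses a timer, here it runs per event."""
        done = [ip for ip, until in self.blocked.items() if now >= until]
        for ip in done:
            del self.blocked[ip]
            self.actions.append((now, "remove", ip))
        return done

    def feed(self, line):
        """Consume one log line; return the iptables commands it triggers."""
        cmds = []
        now = log_time(line)
        if now is None:
            return cmds
        cmds += [iptables_argv("remove", ip) for ip in self.expire(now)]
        m = FAILED_LOGIN.search(line)
        if not m:
            return cmds
        ip = m.group(1)
        if ip in self.whitelist or ip in self.blocked:
            return cmds
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:     # keep only the last WINDOW seconds
            recent.popleft()
        if len(recent) >= THRESH:
            recent.clear()
            self.blocked[ip] = now + BLOCK_SECONDS
            self.actions.append((now, "add", ip))
            cmds.append(iptables_argv("add", ip))
        return cmds

# Constructed sample log: one bot trips the threshold, a whitelisted host does too
# but is ignored, a slow guesser stays under it, and a later line lets the hour expire.
SAMPLE_LOG = """\
Jan 28 03:12:01 fw sshd[4021]: Failed password for root from ::ffff:10.0.0.5 port 4321 ssh2
Jan 28 03:12:05 fw sshd[4023]: Failed password for illegal user admin from ::ffff:10.0.0.5 port 4322 ssh2
Jan 28 03:12:09 fw sshd[4025]: Failed password for root from ::ffff:10.0.0.5 port 4323 ssh2
Jan 28 03:12:10 fw sshd[4027]: Failed password for root from ::ffff:192.168.1.20 port 5000 ssh2
Jan 28 03:12:11 fw sshd[4028]: Failed password for root from ::ffff:192.168.1.20 port 5001 ssh2
Jan 28 03:12:12 fw sshd[4029]: Failed password for root from ::ffff:192.168.1.20 port 5002 ssh2
Jan 28 03:13:00 fw sshd[4030]: Accepted publickey for mike from ::ffff:192.168.1.20 port 5003 ssh2
Jan 28 03:15:00 fw sshd[4040]: Failed password for root from ::ffff:10.0.0.9 port 6000 ssh2
Jan 28 03:16:00 fw sshd[4041]: Failed password for root from ::ffff:10.0.0.9 port 6001 ssh2
Jan 28 03:17:00 fw sshd[4042]: Failed password for root from ::ffff:10.0.0.9 port 6002 ssh2
Jan 28 04:12:30 fw sshd[4100]: Failed password for invalid user test from 172.16.0.3 port 7000 ssh2
"""

def run_sample(whitelist=("192.168.1.20",)):
    """Replay SAMPLE_LOG; returns (actions taken, iptables argv lists to run)."""
    bh = Blackholer(whitelist)
    commands = []
    for line in SAMPLE_LOG.splitlines():
        commands.extend(bh.feed(line))
    return bh.actions, commands
```

Replaying the sample blocks 10.0.0.5 at 03:12:09 and lifts the block at 04:12:30, the first line seen after its hour is up; 192.168.1.20 fails three times in three seconds but is on the whitelist, and 10.0.0.9 spreads its three failures over two minutes and never reaches the threshold inside one 30-second window. Feeding real lines from `tail -f` instead of `SAMPLE_LOG` and running each returned argv with `subprocess.run` would turn this into a working filter; the per-event expiry means a block can outlive its hour until the next sshd line arrives, so a production version should also call `expire()` from a periodic timer.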