Differences between revisions 5 and 6
Revision 5 as of 2009-03-16 03:31:04
Size: 1861
Editor: anonymous
Comment: converted to 1.6 markup
Revision 6 as of 2012-10-07 03:40:58
Size: 1817
Editor: PaulWise
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Describe HOWTO/DynamicBlockSSHddos here.

I been having odd number of script kiddies trying my ssh access on firewall. It was not much so up until now, I been manually severing them; however, recent 250+ zombie attack made me come up with solution. I couldn't find any Debian specific one, but few Red Hat ones. So here it is. It is provided under GNU license.

Few things I assume you have already is: you have iptables installed and module installed. You also should have sane log turn over policy in place. If you don't, google is your friend :-)

Please, do take the time to study your log file and recognize the pattern and customize if needed. Make sure it runs as root or somebody who can execute this. I have omitted "iptables -F" because I have a cron job at the beginning of the day doing just that. You could leave it alone, but your table may get too big. I'll leave it to your judgement. After all is done, simple cron job will do the trick. Mine runs at every minute.

Simple script to do dynamic ssh ddos:

#!/bin/bash

grep -i "Failed keyboard" /var/log/auth.log | awk '{print $13};' > /var/log/block_tmp

grep -i "invalid user" /var/log/auth.log | awk '{print $10};' | grep -vi "user" | grep -vi "pwd" >> /var/log/block_tmp

grep -i "Did not receive identification string" /var/log/auth.log | awk '{print $12};' | grep -vi "user" | grep -vi "pwd" >> /var/log/block_tmp

sort -n /var/log/block_tmp | uniq | grep -v "UNKNOWN" > /var/log/listing

if [ -e /var/log/old_listing ]; then

  • diff /var/log/old_listing /var/log/listing | grep ">" | sed 's|>||g' > /var/log/block_tmp

else

  • rm /var/log/block_tmp
  • cp /var/log/listing /var/log/block_tmp

fi

rm /var/log/old_listing

cp /var/log/listing /var/log/old_listing

for i in cat /var/log/block_tmp 

do

  • iptables -I INPUT -s $i -j DROP

done