Wednesday, November 2, 2005

Blocking Script Kiddies

When you administer your own unix box, one of the things you find out (if you pay attention to the log files) is just how often someone tries to break in. Lately there have been tons of people using secure shell to do a "brute-force" attack: try all the usernames and passwords you can think of and hope one matches. It uses up a lot of CPU time because they sometimes try a couple of hundred connections before giving up.
I decided I was sick of it, so I wrote a script to monitor the log and block the IP address of anyone who tries more than 5 times to connect.


p = IO.popen("tail -f #{ARGV[0]}")      # follow the log file named on the command line
#p = IO.popen("cat #{ARGV[0]}")         # (swap this in to replay an old log instead)

$bad = {}                                # ip => number of failed attempts seen so far

def log(ip)
   if $bad[ip] == nil then
      $bad[ip] = 1
   else
      $bad[ip] = $bad[ip] + 1
   end

   if $bad[ip] > 5 then
      system("/usr/local/sbin/ipdrop #{ip} on")
      m = IO.popen("/usr/bin/mutt -s 'Dropped IP #{ip}'","w")
      m.write("IP address #{ip} has been blocked for excessive ssh failures.\n")
      m.close                             # mutt sends the message once it sees EOF
      print "Blocking IP #{ip}\n"
   end
end

p.each { |x|
   if x =~ /.*sshd.*Invalid user.*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/ then
      log($1)                             # $1 is the address captured by the regex
   end
}
This morning after I got back from teaching I found an email in my box; some script kiddie at got blocked! I checked the logs and found this.
Nov  2 10:26:22 calvin sshd[22502]: Did not receive identification string from
Nov  2 10:30:01 calvin cron[22507]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Nov  2 10:31:07 calvin sshd[22523]: Invalid user test from
Nov  2 10:31:09 calvin sshd[22528]: Invalid user test from
Nov  2 10:31:11 calvin sshd[22533]: Invalid user test from
Nov  2 10:31:13 calvin sshd[22538]: Invalid user test from
Nov  2 10:31:15 calvin sshd[22543]: User guest not allowed because shell /dev/null is not executable
Nov  2 10:31:22 calvin sshd[22558]: Invalid user prova from
Nov  2 10:31:24 calvin sshd[22563]: Invalid user prueba from
Nov  2 10:33:25 calvin sshd[22568]: fatal: Timeout before authentication for
After the fifth attempt, my log watcher ran the command to block the IP. During that time, our kiddie initiated a sixth attempt (for prueba). The last line is fun. The IP got blocked before they could try a password. :-)
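The same detection the watcher above performs, as an added example that is not the post's script: it counts "Invalid user" lines per source address, fires once an address goes past the threshold, and (unlike the original, which re-runs the block command on every later failure) hands each address back only once. The sample log and the address 192.0.2.10 are constructed to mirror the excerpt above.

```ruby
# Added example: the watcher's detection logic as a class that is fed one
# line at a time. It returns the IP to block instead of calling ipdrop/mutt,
# and reports each IP only once (the original re-runs the block command
# on every failure after the threshold).
class SshLogWatcher
  # Same idea as the original regex, anchored on the sshd prefix.
  INVALID_USER = /sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})\b/
  attr_reader :counts, :blocked

  def initialize(threshold = 5)
    @threshold = threshold   # block once an IP has more than this many attempts
    @counts    = Hash.new(0) # ip => "Invalid user" lines seen
    @blocked   = []          # ips already reported, in order
  end

  # Returns the IP the first time it crosses the threshold, nil otherwise
  # (including lines that carry no address, like the "guest" line below).
  def feed(line)
    m = INVALID_USER.match(line)
    return nil unless m
    ip = m[2]
    @counts[ip] += 1
    return nil if @counts[ip] <= @threshold || @blocked.include?(ip)
    @blocked << ip
    ip
  end
end

# Constructed sample shaped like the post's excerpt; 192.0.2.10 stands in for
# the stripped source address.
SAMPLE_LOG = <<~LOG
  Nov  2 10:26:22 calvin sshd[22502]: Did not receive identification string from 192.0.2.10
  Nov  2 10:31:07 calvin sshd[22523]: Invalid user test from 192.0.2.10
  Nov  2 10:31:09 calvin sshd[22528]: Invalid user test from 192.0.2.10
  Nov  2 10:31:11 calvin sshd[22533]: Invalid user test from 192.0.2.10
  Nov  2 10:31:13 calvin sshd[22538]: Invalid user test from 192.0.2.10
  Nov  2 10:31:15 calvin sshd[22543]: User guest not allowed because shell /dev/null is not executable
  Nov  2 10:31:22 calvin sshd[22558]: Invalid user prova from 192.0.2.10
  Nov  2 10:31:24 calvin sshd[22563]: Invalid user prueba from 192.0.2.10
  Nov  2 10:33:25 calvin sshd[22568]: fatal: Timeout before authentication for 192.0.2.10
LOG

# Replays a log; returns [line number where the block fired, blocked ips].
def replay(text, threshold = 5)
  w = SshLogWatcher.new(threshold)
  fired_at = nil
  text.each_line.with_index(1) { |line, n| fired_at ||= n if w.feed(line) }
  [fired_at, w.blocked]
end
```

Run against the sample, `replay(SAMPLE_LOG)` fires on line 8, the "prueba" attempt, which is the sixth "Invalid user" line from that address.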
Okay, so I'm a geek. But a pretty satisfied one.