Wednesday, November 2, 2005

Blocking Script Kiddies

When you administer your own unix box, one of the things you find out (if you pay attention to the log files) is just how often someone tries to break in. Lately there have been tons of people using secure shell to do a "brute-force" attack: try all the usernames and passwords you can think of and hope one matches. It uses up a lot of CPU time because they sometimes try a couple of hundred connections before giving up.
I decided I was sick of it, so I wrote a script to monitor the log and block the IP address of anyone who tries more than 5 times to connect.

#!/usr/bin/ruby
# Follow an sshd log (e.g. /var/log/messages) and block any address that
# produces more than five "Invalid user" failures.
# Usage: sshwatch.rb LOGFILE

abort("usage: #{$0} LOGFILE") unless ARGV[0]
LOG_FILE  = ARGV[0]
THRESHOLD = 5

# Array form keeps the file name out of a shell.  Swap in the commented
# line to replay an existing file instead of tailing a live one.
p = IO.popen(["tail", "-f", LOG_FILE])
#p = IO.popen(["cat", LOG_FILE])

$bad     = Hash.new(0)   # ip => number of "Invalid user" lines seen so far
$blocked = {}            # ips already handed to ipdrop, so we act only once

def log(ip)
   $bad[ip] += 1
   return if $bad[ip] <= THRESHOLD || $blocked[ip]

   $blocked[ip] = true
   # ipdrop is a local firewall helper; ip is digits and dots only (it came
   # out of the regex below), so interpolating it into the command is safe.
   system("/usr/local/sbin/ipdrop #{ip} on")
   m = IO.popen("/usr/bin/mutt -s 'Dropped IP #{ip}' mattoxbeckman@-----.com", "w")
   m.write("IP address #{ip} has been blocked for excessive ssh failures.\n")
   m.close
   print "Blocking IP #{ip}\n"
end

p.each { |x|
   # Only "Invalid user" lines count; other sshd noise such as "Did not
   # receive identification string" or "User ... not allowed" is ignored.
   if x =~ /sshd.*Invalid user .* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/ then
      log($1)
   end
}
This morning after I got back from teaching I found an email in my box; some script kiddie at 211.22.84.102 got blocked! I checked the logs and found this.
Nov  2 10:26:22 calvin sshd[22502]: Did not receive identification string from 211.22.84.102
Nov  2 10:30:01 calvin cron[22507]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Nov  2 10:31:07 calvin sshd[22523]: Invalid user test from 211.22.84.102
Nov  2 10:31:09 calvin sshd[22528]: Invalid user test from 211.22.84.102
Nov  2 10:31:11 calvin sshd[22533]: Invalid user test from 211.22.84.102
Nov  2 10:31:13 calvin sshd[22538]: Invalid user test from 211.22.84.102
Nov  2 10:31:15 calvin sshd[22543]: User guest not allowed because shell /dev/null is not executable
Nov  2 10:31:22 calvin sshd[22558]: Invalid user prova from 211.22.84.102
Nov  2 10:31:24 calvin sshd[22563]: Invalid user prueba from 211.22.84.102
Nov  2 10:33:25 calvin sshd[22568]: fatal: Timeout before authentication for 211.22.84.102
After the fifth attempt, my log watcher ran the command to block the IP. During that time, our kiddie initiated a sixth attempt (for prueba). The last line is fun. The IP got blocked before they could try a password. :-)
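To check the watcher's counting rule against that excerpt without touching a firewall or sending mail, here is an added example (not the post's script) that replays the same lines through the same threshold and reports where a block would fire. The IPv4 pattern, the block-once rule and the `replay` function are this example's own assumptions; the log lines are the ones shown above.

```ruby
# Replay the log excerpt from the post through the watcher's counting rule.
# Added example, not the post's script: block decisions are returned, never
# executed, so it runs anywhere.

THRESHOLD = 5   # same rule as the watcher: act on the attempt that exceeds five

# Only sshd "Invalid user ... from A.B.C.D" lines count (assumed pattern,
# equivalent to the watcher's regex but also capturing the username).
INVALID_USER = /sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/

# The lines as shown in the post.  The cron line and the two sshd lines that
# are not "Invalid user" are kept to show they are not counted.
SAMPLE_LOG = <<~LOG
  Nov  2 10:26:22 calvin sshd[22502]: Did not receive identification string from 211.22.84.102
  Nov  2 10:30:01 calvin cron[22507]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
  Nov  2 10:31:07 calvin sshd[22523]: Invalid user test from 211.22.84.102
  Nov  2 10:31:09 calvin sshd[22528]: Invalid user test from 211.22.84.102
  Nov  2 10:31:11 calvin sshd[22533]: Invalid user test from 211.22.84.102
  Nov  2 10:31:13 calvin sshd[22538]: Invalid user test from 211.22.84.102
  Nov  2 10:31:15 calvin sshd[22543]: User guest not allowed because shell /dev/null is not executable
  Nov  2 10:31:22 calvin sshd[22558]: Invalid user prova from 211.22.84.102
  Nov  2 10:31:24 calvin sshd[22563]: Invalid user prueba from 211.22.84.102
  Nov  2 10:33:25 calvin sshd[22568]: fatal: Timeout before authentication for 211.22.84.102
LOG

# Walk the lines in order.  Returns per-IP failure counts plus the list of
# (line number, ip, username) at which a block would have been issued.  Each
# IP is reported once, on the attempt that first exceeds the threshold.
def replay(lines, threshold = THRESHOLD)
  counts  = Hash.new(0)
  blocked = {}
  events  = []
  lines.each_with_index do |line, i|
    next unless (m = INVALID_USER.match(line))
    user, ip = m[1], m[2]
    counts[ip] += 1
    next if counts[ip] <= threshold || blocked[ip]
    blocked[ip] = true
    events << { line: i + 1, ip: ip, user: user }
  end
  { counts: counts, events: events }
end

if __FILE__ == $0
  result = replay(SAMPLE_LOG.lines)
  result[:events].each do |e|
    puts "line #{e[:line]}: block #{e[:ip]} on attempt ##{result[:counts][e[:ip]]} (user '#{e[:user]}')"
  end
end
```

Run as a script it prints a single block decision on line 9, the prueba attempt, with the count at 6: the four test tries and prova fill the quota of five, and the "Did not receive identification string" and "guest not allowed" lines never enter the count. If you want those to count as well, widen the regex; the threshold logic does not change.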
Okay, so I'm a geek. But a pretty satisfied one.
