I know this is an ongoing thread and i'm not that active on this forum, but I wanted to share some work I did in case it helps others.

Originally I was looking for a way to stop dead any script kiddies doing an ssh attack on my home server. This isn't a corporate server so I wasn't too bothered about making the scripts complex.

My research bought me to this thread and I quite liked the one a few pages back which is a reactive script, so took that as a basis and made a couple of pretty ugly new scripts (that could be made much better), but they seem to work right now.

The preposition for my approach is simply to watch my secure log file and react by shutting down the IP connection when someone misbehaves. I don't want to actively chase these kids off my system, I want my system to simply close the door the first time they do something I don't like. I have a telnet bear trap that does exactly the same thing (in a different way) and I wanted to extend the security logic to this.

My first script resides within /etc/init.d and is configured for sysconfig. I call it ssh_defender

#!/bin/bash
#set -x
#
# chkconfig: 2345 56 24
# description: watches for the ssh abuse and stops it
#
# This is a quick script to launch the ssh defender program which is found
# in /usr/local/bin
#

# Settings:
work=/usr/local/bin

# Check that good_names exists.
[ -f /usr/local/good_names ] || exit 0


start() {
echo -n "Starting ssh defender: "
$work/ssh_defender &
}

stop() {
echo -n "Stopping ssh defender: "
ps -ef |grep "tail -0f /var/log/secure" | grep -v grep |
while read own pid ppid rest;
do
kill $pid
done
exit 0
}

case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo $"Usage: $0 {start|stop}"
exit 1
esac


As you can see this is simply a handler script that calls another script I wrote. I couldn't get the whole thing to work the way I wanted so I resorted to this. I really couldn't get PID handling at all right so it's an ugly solution that I have but it works for now till I can work out how to capture the correct PID of the core process.

Anyway, the script it calls is in /usr/local/bin with a "good_names" file in /usr/local

#!/bin/bash
#set -x

#
# This is a quick script written to prevent these SSH attacks
#

# Settings:
iptables="/sbin/iptables"

# Check that bad_names exists.
[ -f /usr/local/good_names ] || exit 0

tail -0f /var/log/secure |
while read mm dd hms localhostname sshd word1 word2 word3 word4 host1 ho
st2 rest;
do
if [ $word3 != "`grep $word3 /usr/local/good_names`" ];
then
$iptables -I INPUT -s $host1 -j DROP
elif [ "$word1 $word2 $word3 $word4" = "Failed password for $word4" ];
then
echo "Watching $word4 for bad password attempts"
fi
done


Now I started off with a bad_name file and put all the usual culprits in there like admin, test, patrick, etc.. but as I run a home system with only a couple of valid ID's available for login I reverted the logic and said anyone I don't have as a valid login get's shut out. This way we get around the issue of locking out a user when they get their password wrong.

To get around some silly text parsing that I couldn't be bothered to deal with you need to put the user "for" into the good_names file. This get's around logging an entry when a user successfully logs in and the third word is "for". Dumb but a hack. :-)

So then lastly you make your /usr/local/good_names file and fill it one per line with valid users and you're away.

Just to make it all startup and stop properly I ran chkconfig --add ssh_defender which now seems to be in the --list, although I haven't rebooted yet to make sure it stops and restarts correctly.

So.. massive apologies for such a crappy piece of scripting. I'm no coder that's for sure, but as I spent a couple of days looking for this on the web I figured I'd share the one I ended up with by way of thanks for giving me a head start. If anyone makes this any better and wants to share it back again I'm more than willing to learn a little more about scripting.

is outgoing communication via port 43 neccessary by any means? and how to set my box not to listen to 32768,x11,910 in the first place although it's not allowed by IPT and any quick tips about sunrpc and ipp? I'm interested in what's needed to be in listening state for ssh server any of the ipp sunrpc mandatory?

So what happens if someone mistypes their username?

Well its a good point, and hence you might want to go with a 'bad_names' files, but as i'm the only one who really logs into the box (as I said this is a home server not a corporate server) then I'll just lock myself out till I can get in from another IP. I'm not worried about it for myself as I have numerous ways to get connected and fix the problem.

Never the less, it's a good point and I'll have to watch myself.

any clues port 43? outgoing what for my machine generated that traffic? do you know a monitoring tool which lists the process pid using specific connection....

http://www.grc.com/port_43.htm says that port 43 is used for whois. (Type whois google.com in a console terminal.) That site seems to be a good resource btw, You should bookmark it. (by which I mean the first link -- but Google is a good resource too )

Also, running netstat with the -p flag tells it to display the pid/name of the process using that socket/port. It solves quite some paranoia, when they're all listed with 'gaim' or 'firefox' next to them, rather than just being random IP addresses.

yes -p works great but I'm struggling to find some sofisticated GUI tool for example to show exactly what traffic is generating each application in means per second or total...

Well annoying as stupid scriptkiddies are - they now started to cloak their IP
here a short excerp from my logs
People had the cheek claiming I got a battering ram mentality but what is the f****g use of this

i dont want to be a bugger but its fairly simpel

vi /etc/ssh/sshd_config

go to the end "G"

and add :

AllowUsers user1 user2

and restart service

use ssh2
Dont login thru root
make sure ftp users cannot also login thru ssh
use difficult passwords
dont allow root to login
change in passwd the shells to false if user is not allow to login

and dont make simpel users like test password test

and install portsentry good tool

do you know a portsentry.rpm?

10x I forgot about that way really was helpful because when I tried with auto update got some checksum errors but in this site it's easy to find different repo

btw: someone tried even user name : pamela oh I'm bursting in tears which was along with patrick root jane ..... many many more this guy really spend a day on my sshd I should change the port maybe,

can someone tell in few words how to take advantage of portsentry I mean it's set & running but where to check results? I just saw lots of not-really-informational entries about portsenty in my logs.. also SELinux need promiscuos mode to be able to start snort... which I don't like how to workaround? and same as portsentry where are snort results... I'm lost in the logs... how to make sshd output be in separate file?? pls help me out here

Thank you kindly. This information is very usefull for me. Thanks again!


<link removed by moderator>

I don't know anything about snort or portsentry. But I do know you can out put all of your ssh login attempts by simply doing the command cat /var/log/secure | grep sshd | grep Failed ---This is to see the failed SSH attempts on your machine. You can make this a cronjob and mail it to you or output it to a file >> sshfailed.txt