
Re: Illegal user carol from ...



As intelligence/counter-intelligence reported, on Wed, 26 Oct 2005 20:06:30 +0200
"Sub" <sub@astro.net.pl> wrote:

> Hello,
> 
> I'm looking for some tools that would block a given IP after a few failed
> login attempts.

<snip>

> 
> Any ideas/tools to block this?
>
<snip>

Hello, a similar problem is being discussed right now on the incidents list (at securityfocus.com), so I won't reinvent the wheel and will just paste you
the relevant post with a very nice (lightweight) solution:

From: foxxz.net@gmail.com
To: incidents@securityfocus.com
Subject: Re: SSH bruteforce on its way...
Date: 19 Oct 2005 20:47:39 -0000
X-Mailer: MIME-tools 5.411 (Entity 5.404)

Here's a perl script I made to help solve my problem.  I have been seeing these the past 2 years at least. This works on debian sarge (ssh 3.8). Can easily be changed for other ssh versions. Run like this...

tail -n0 -F /var/log/auth.log |logflow.pl |awk -W interactive '{ print "sshd: "$1 }' >> /etc/hosts.deny 2>&1 &

and here is the logflow.pl...

#!/usr/bin/perl
use strict;
use warnings;
use Regexp::Common qw/net/;

# Autoflush: stdout is piped into awk and on into /etc/hosts.deny, so a
# buffered print would delay the ban until the buffer happened to fill.
$| = 1;

# ips that shouldn't be banned
my @safe = ('192.168.51.1', '1.2.3.4');

# number of illegal users received in 1 minute that will trigger a ban
my $thresh = 4;

my @bans;           # IPs already printed (banned), never print one twice
my $found    = 0;   # consecutive "Illegal user" lines from the same IP in the same minute
my $remember = '';  # "Mon DD HH MM IP" key of the previous matching line

while (<STDIN>) {
    next unless /Illegal user/;
    # e.g. "Oct 26 18:46:03 mars sshd[15452]: Illegal user carol from 210.97.10.180"
    my @line = split ' ', $_;
    next unless defined $line[9];
    my ($hour, $min) = split /:/, $line[2];
    my $ip  = $line[9];
    my $key = "$line[0] $line[1] $hour $min $ip";

    if (   $key eq $remember
        && !grep { $_ eq $ip } @bans
        && !grep { $_ eq $ip } @safe
        && $ip =~ /^$RE{net}{IPv4}$/ )
    {
        $found++;
        # $found counts repeats after the first line, so this fires on the
        # $thresh-th illegal user from $ip within one wall-clock minute
        if ($found == $thresh - 1) {
            print "$ip\n";
            push @bans, $ip;
        }
    } else {
        $found = 0;
    }
    $remember = $key;
}


<snip>
> Lately, stupid break-in attempts like these have been getting more frequent:
> (...)
> Oct 26 18:46:03 mars sshd[15452]: Illegal user carol from 210.97.10.180
> Oct 26 18:46:03 mars sshd[15453]: Illegal user network from 210.97.10.180
> Oct 26 18:46:06 mars sshd[15457]: Illegal user word from 210.97.10.180
> Oct 26 18:46:07 mars sshd[15456]: Illegal user jaso from 210.97.10.180
> (...)
> The logs grow, the server is busy with needless replies, nonsense ssh
> requests fly around the wires...

And by the way, I suggest having a look over there, because these are not quite such "stupidities".

Regards
-- 
  Jerzy <sm0q> Patraszewski
  patrasze{at}wszib{dot}edu{dot}pl
  sm0q{at}rootshell{dot}be
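
As an added example (not part of either post above, and not the script author's code): the same detection rule, rewritten in Python with a sliding 60-second window instead of the script's "same wall-clock minute" comparison, so that a burst of four attempts straddling a minute boundary is still caught. The four log lines for 210.97.10.180 are the ones quoted in the thread; the lines for 10.0.0.7 and 192.168.51.1 are constructed for the demonstration. It also accepts the "Invalid user" wording that later OpenSSH releases log in place of "Illegal user", which is the change the script's author says would be needed for other versions. The year used to compare syslog timestamps is an assumption, since syslog omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH 3.8 logs "Illegal user ... from IP"; later releases log "Invalid user".
LOG_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
    r'\S+ sshd\[\d+\]: (?:Illegal|Invalid) user \S+ from '
    r'(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\b'
)

def parse(line, year=2005):
    """Return (timestamp, ip) for an illegal/invalid-user line, else None.
    syslog timestamps carry no year; `year` is an assumed value so they compare."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m['ip']

def ban_candidates(lines, thresh=4, window=60, safe=()):
    """Return each IP once, in order, at the moment it has `thresh` illegal-user
    lines within any `window`-second span. Safe IPs are never returned."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent attempts
    banned = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in safe or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        # drop attempts that fell out of the window
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= thresh:
            banned.append(ip)
            del recent[ip]
    return banned

def minute_bucket_bans(lines, thresh=4, safe=()):
    """The original post's rule, for comparison: only attempts within the same
    wall-clock minute count towards the threshold."""
    counts = defaultdict(int)
    banned = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in safe or ip in banned:
            continue
        key = (ts.replace(second=0), ip)
        counts[key] += 1
        if counts[key] >= thresh:
            banned.append(ip)
    return banned

def hosts_deny_line(ip):
    """The line the post's awk stage appends to /etc/hosts.deny."""
    return f"sshd: {ip}"

# Constructed sample log: the thread's four lines for 210.97.10.180, a second
# attacker (10.0.0.7) whose four attempts straddle the 18:47 boundary, and a
# whitelisted host (192.168.51.1) that also trips one Invalid-user line.
SAMPLE_LOG = """\
Oct 26 18:46:03 mars sshd[15452]: Illegal user carol from 210.97.10.180
Oct 26 18:46:03 mars sshd[15453]: Illegal user network from 210.97.10.180
Oct 26 18:46:06 mars sshd[15457]: Illegal user word from 210.97.10.180
Oct 26 18:46:07 mars sshd[15456]: Illegal user jaso from 210.97.10.180
Oct 26 18:46:58 mars sshd[15460]: Invalid user admin from 10.0.0.7
Oct 26 18:46:59 mars sshd[15461]: Invalid user test from 10.0.0.7
Oct 26 18:47:00 mars sshd[15462]: Invalid user guest from 10.0.0.7
Oct 26 18:47:01 mars sshd[15463]: Invalid user oracle from 10.0.0.7
Oct 26 18:47:02 mars sshd[15464]: Accepted publickey for jerzy from 192.168.51.1 port 51234 ssh2
Oct 26 18:47:05 mars sshd[15465]: Invalid user root from 192.168.51.1
""".splitlines()

if __name__ == "__main__":
    SAFE = ('192.168.51.1',)
    for ip in ban_candidates(SAMPLE_LOG, safe=SAFE):
        print(hosts_deny_line(ip))
    print("minute-bucket rule would ban:", minute_bucket_bans(SAMPLE_LOG, safe=SAFE))
```

Run against the sample, the sliding window bans both 210.97.10.180 and 10.0.0.7, while the same-minute rule bans only 210.97.10.180, because 10.0.0.7's attempts split two and two across 18:46 and 18:47. Two caveats apply to either variant when wired into the pipeline from the post: appending to /etc/hosts.deny only has an effect when sshd is linked against tcp_wrappers (libwrap), and nothing ever expires the entries, so a whitelist for your own addresses matters more than the threshold does.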
  


