SSH BLACKLISTING

Posted: November 30, 2008 in LINUX

The sshblack script is a real-time security tool for secure shell (ssh). It monitors *nix log files for suspicious activity and reacts appropriately to aggressive attackers by adding them to a “blacklist” created using various firewalling tools — such as iptables — available in most modern versions of Unix and Linux. The blacklist is simply a list of source IP addresses that are prohibited from making ssh connections to the protected host. Once a predetermined amount of time has passed, the offending IP address is removed from the blacklist.

Download :

http://www.pettingers.org/media/sshblackv281.tar.gz 

The tarball also ships a few helper scripts. I suggest you figure out what these do (and tweak them to meet your needs) before blindly executing them:

  • list — manually adds an IP address to the blacklist and modifies the $CACHE file accordingly
  • unlist — manually remove an IP address from the blacklist and the $CACHE file
  • bl — a manual blacklisting tool (one liner that modifies the iptables configuration only)
  • unbl — a manual UNblacklisting tool (one liner that modifies the iptables configuration only)
  • iptables-setup — a few shell commands to set up the iptables chains if you don’t want to do it manually

 

##########################################################

sshblack init script

****************************************

#!/bin/bash
#
# Startup script for SSH Black List by Vadim Reznik
# See http://www.pettingers.org/code/sshblack.html for details
#
# chkconfig: 345 86 14
# description: SSH Black monitors ssh connections for attacks
#
# processname: sshblack
# pidfile: /var/run/sshblack.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting sshblack: "
        /usr/local/sshblackD/sshblack.pl
        echo
        touch /var/lock/subsys/sshblack
        ;;
  stop)
        echo -n "Shutting down sshblack: "
        # Find the PID of the running monitor by matching the whole ps line
        # (the awk process itself also carries the path, so exclude it).
        pid=`ps axw | awk '/\/usr\/local\/sshblackD\/sshblack\.pl/ && !/awk/ {print $1}'`
        kill -9 $pid
        RETVAL=$?
        echo
        rm -f /var/lock/subsys/sshblack
        rm -f /var/run/sshblack.pid
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
esac
exit 0

###################################################################

Configuring sshblack for RedHat Enterprise 4 Linux

The following sequence is executed as root user.

  1. Download sshblack from http://www.sshblack.com/

  2. Unpack the tar file into a working directory, and check that an executable file sshblackv28.pl is created. I used /usr/local/sbin/sshblackv28; the sshblack install notes suggest /usr/src/sshblack. E.g.:

    [root@luggage sshblack]# cd /usr/local/sbin/sshblackv28
    [root@luggage sshblack]# tar xvzf /file/kit/TUXKIT/SSHBlack/sshblackv28.tar.gz
    bl
    INSTALL.TXT
    iptables-setup.sh
    README.TXT
    sshblack.pl
    sshblack-start.sh
    unbl
    [root@luggage sshblack]# ls -al
    total 116
    drwx------  2 root root  4096 Dec 11 12:01 .
    drwxr-xr-x  3 root root  4096 Dec 11 11:52 ..
    -rwxrwxr-x  1 root root   263 Aug 10 06:07 bl
    -rw-rw-r--  1 root root 24731 Aug  6 18:23 INSTALL.TXT
    -rwxrwxr-x  1 root root   447 Aug 10 05:18 iptables-setup.sh
    -rw-rw-r--  1 root root 14742 Aug  6 18:01 README.TXT
    -rwxr-xr-x  1 root root 11487 Aug 10 06:46 sshblackv.pl
    -rwxrwxr-x  1 root root   223 Aug 10 05:18 sshblack-start.sh
    -rwxrwxr-x  1 root root   278 Aug 10 06:07 unbl
  • Ensure perl is installed; e.g.
      [root@luggage sshblack]# perl --version
      This is perl, v5.8.5 built for i386-linux-thread-multi
      : (etc.)
  • Ensure iptables is installed and running; e.g.
      [root@luggage sshblack]# iptables --list
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      RH-Firewall-1-INPUT  all  --  anywhere             anywhere

      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination
      RH-Firewall-1-INPUT  all  --  anywhere             anywhere

      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination

      Chain RH-Firewall-1-INPUT (2 references)
      target     prot opt source               destination
      ACCEPT     all  --  anywhere             anywhere
      ACCEPT     icmp --  anywhere             anywhere            icmp any
      ACCEPT     ipv6-crypt--  anywhere             anywhere
      ACCEPT     ipv6-auth--  anywhere             anywhere
      ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
      ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
      ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
      ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
      ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:bootps
      ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ns
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ipp
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:rsync
      REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
  • This step can be skipped if creating the init.d script described below. Create a new iptables chain called BLACKLIST, insert a jump to it at the start of the INPUT chain for incoming TCP traffic to port 22 (SSH), and save the resulting iptables configuration. The jump has to sit before the rule that ACCEPTs new ssh connections (here inside RH-Firewall-1-INPUT, which INPUT jumps to), otherwise blacklisted sources are accepted before the BLACKLIST chain is ever consulted; inserting at position 1 of INPUT guarantees that ordering:

      [root@luggage sshblack]# iptables -N BLACKLIST
      [root@luggage sshblack]# iptables -I INPUT 1 -p tcp --dport 22 -j BLACKLIST
      [root@luggage sshblack]# /sbin/service iptables save
      Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
      [root@luggage sshblack]#
  • Tailor the sshblack script: look in particular for my($LOCALNET), my($ADDRULE), my($DELRULE) and my($REASONS). In my case I changed only the following definition, to whitelist my local networks so that they can never be blacklisted (the regex is anchored at the start of the address, so each entry is a prefix match):

      # regex for whitelisted IPs - never blacklist these addresses
      my($LOCALNET) = '^(?:127\.0\.0\.1|192\.168\.0|193\.123\.216)';
  • This step can be skipped if creating the init.d script described below. Start the script:

      [root@luggage sshblack]# /usr/local/sbin/sshblack/sshblack.pl >>/var/log/sshblacklisting 2>&1 &
      [1] 8105
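As an added illustration (not sshblack's own code, which is Perl), the following Python sketch shows the core of what the monitor described at the top of this page does: match sshd failure lines, skip sources that match the $LOCALNET whitelist regex shown above, blacklist a source once it passes a failure threshold, and release it again after a fixed time. The threshold (4 failures) and expiry (3600 s) are assumptions, not sshblack's defaults; the iptables commands it records assume an $ADDRULE/$DELRULE of the form `-I BLACKLIST -s <ip> -j DROP` / `-D BLACKLIST -s <ip> -j DROP`; and the log lines are constructed, not taken from a real host. It records the commands instead of executing them, so it can be run against a saved log without root.

```python
import re
from collections import defaultdict

# Whitelist regex with the same shape as the $LOCALNET setting above:
# anchored at the start, so '192\.168\.0' covers every address beginning
# with that prefix. Append '\.' to an entry if an exact octet boundary is wanted.
LOCALNET = re.compile(r'^(?:127\.0\.0\.1|192\.168\.0|193\.123\.216)')

# Assumed policy values (sshblack's own defaults are not given on this page).
MAX_HITS = 4          # failed attempts before the source is blacklisted
EXPIRE_SECS = 3600    # how long an entry stays in the BLACKLIST chain

# sshd log lines a monitor of this kind looks for (OpenSSH wording).
FAIL_PATTERNS = [
    re.compile(r'Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)'),
    re.compile(r'Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)'),
]


class Blacklister:
    """Counts failures per source IP and records the iptables commands that an
    $ADDRULE / $DELRULE against the BLACKLIST chain would run (assumed form)."""

    def __init__(self, max_hits=MAX_HITS, expire_secs=EXPIRE_SECS):
        self.max_hits = max_hits
        self.expire_secs = expire_secs
        self.hits = defaultdict(int)
        self.listed = {}      # ip -> time it was blacklisted (the $CACHE)
        self.commands = []    # iptables commands that would be executed

    def feed(self, line, now):
        """Process one log line at time `now`; returns the IP if it got listed."""
        for pat in FAIL_PATTERNS:
            m = pat.search(line)
            if m:
                ip = m.group(1)
                break
        else:
            return None                      # not a failure line
        if LOCALNET.match(ip) or ip in self.listed:
            return None                      # whitelisted, or already blocked
        self.hits[ip] += 1
        if self.hits[ip] >= self.max_hits:
            self.listed[ip] = now
            self.commands.append(f'/sbin/iptables -I BLACKLIST -s {ip} -j DROP')
            return ip
        return None

    def expire(self, now):
        """Drop entries older than expire_secs; returns the IPs released."""
        released = [ip for ip, t in self.listed.items() if now - t >= self.expire_secs]
        for ip in released:
            del self.listed[ip]
            self.hits.pop(ip, None)          # start counting afresh next time
            self.commands.append(f'/sbin/iptables -D BLACKLIST -s {ip} -j DROP')
        return released


# Constructed sample log lines (not from a real host): one brute-forcer,
# one noisy but whitelisted LAN host, one single failure that stays below threshold.
SAMPLE_LOG = """\
Nov 30 10:00:01 luggage sshd[2001]: Failed password for root from 203.0.113.7 port 4001 ssh2
Nov 30 10:00:02 luggage sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 4002 ssh2
Nov 30 10:00:03 luggage sshd[2003]: Invalid user oracle from 203.0.113.7
Nov 30 10:00:04 luggage sshd[2004]: Failed password for root from 203.0.113.7 port 4004 ssh2
Nov 30 10:00:05 luggage sshd[2005]: Failed password for alice from 192.168.0.10 port 4005 ssh2
Nov 30 10:00:06 luggage sshd[2006]: Failed password for alice from 192.168.0.10 port 4006 ssh2
Nov 30 10:00:07 luggage sshd[2007]: Failed password for alice from 192.168.0.10 port 4007 ssh2
Nov 30 10:00:08 luggage sshd[2008]: Failed password for alice from 192.168.0.10 port 4008 ssh2
Nov 30 10:00:09 luggage sshd[2009]: Accepted publickey for bob from 198.51.100.5 port 4009 ssh2
Nov 30 10:00:10 luggage sshd[2010]: Failed password for root from 198.51.100.5 port 4010 ssh2
"""


def run_sample():
    """Feed the sample log one second per line, then advance past the expiry."""
    bl = Blacklister()
    t0 = 1000.0
    for i, line in enumerate(SAMPLE_LOG.splitlines()):
        bl.feed(line, t0 + i)
    listed_now = sorted(bl.listed)
    released = bl.expire(t0 + EXPIRE_SECS + 10)
    return listed_now, released, bl.commands


if __name__ == '__main__':
    listed, released, cmds = run_sample()
    print('blacklisted:', listed)
    print('released after expiry:', released)
    print('\n'.join(cmds))
```

Note the same caveat that applies to the real $LOCALNET: because the whitelist is a prefix regex, the LAN host's four failures are ignored entirely, so a compromised machine on a whitelisted subnet can hammer sshd without ever being blocked; keep the whitelist as narrow as you can.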

  3. Arrange sshblack to run on system reboot

To arrange for the script to be started automatically on system reboot (on my RedHat-based system), I created a script file that conforms to the chkconfig init file conventions:

#!/bin/bash
#
# /etc/rc.d/init.d/sshblack
#
# Controls the sshblackv28.pl sshd breakin attempt monitoring script
#
# chkconfig: 345 86 14
# description: SSH Black monitors ssh connections for attacks
# processname: sshblack
# pidfile: /var/run/sshblack.pid
#
#            :   :  :
#            |   |  |
#            |   |  priority for kill scripts
#            |   |
#            |   priority for start scripts
#            |
#            run levels at which to start service
#
# The code in this script adapted from /etc/init.d/atd on my RHEL4-derived system,
# with some additional clues from http://www.pettingers.org/media/sshblackinit.txt
#
# See also: http://www.netadmintools.com/art94.html

# Source function library.
. /etc/init.d/functions

progname="sshblackv28.pl"
progpath="/usr/local/sbin/sshblackv28/"
prog="${progpath}${progname}"
logfile="/var/log/sshblacklisting"
# The lock file must be named after this init script (sshblack), not after the
# perl program: at shutdown the rc system only runs the K script for a service
# when /var/lock/subsys/<service> exists.
lockfile="/var/lock/subsys/sshblack"

test -x ${prog} || exit 0

RETVAL=0

#
# See how we were called.
#
start() {
    # Create firewall table for blacklist (in case it got lost)
    # (On Redhat Linux, running the system security level script causes additional
    # IPtables entries to be removed, so this code reinstates the sshblack entries)
    # -n avoids reverse DNS lookups, which can stall this check at boot.
    if iptables -L INPUT -n | grep BLACKLIST >/dev/null
    then
        # Blacklist already configured
        :
    else
        # Blacklist missing.
        # Lines 2-4 below may need adjusting to match the local iptables usage:
        # currently they insert the blacklist check at the start of the INPUT chain
        iptables -N BLACKLIST
        iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -I INPUT 2 -i lo -j ACCEPT
        iptables -I INPUT 3 -p tcp --dport 22 -j BLACKLIST
        # Remove any old blacklist cache
        # (if iptables is reset without clearing this, previously started attacks
        # may be allowed through)
        rm -f /var/tmp/ssh-blacklist-pending
    fi
    # Check if prog is already running
    if [ ! -f ${lockfile} ]; then
        echo -n $"Starting ${progname}: "
        ${prog} >>${logfile} 2>&1 &
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            touch ${lockfile}
            success
        else
            failure
        fi
        echo
    fi
    return $RETVAL
}

stop() {
    echo -n $"Stopping $progname: "
    killproc ${prog}
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f ${lockfile}
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    restart
}

status_prog() {
    status ${prog}
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  reload|restart)
        restart
        ;;
  condrestart)
        if [ -f ${lockfile} ]; then
            restart
        fi
        ;;
  status)
        status_prog
        ;;
  reset)
        [ -f ${lockfile} ] && rm -f ${lockfile}
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
esac
exit $?

Place this file in /etc/init.d and make it executable; sshblack then becomes manageable with the chkconfig and service commands, e.g.

     

[root@luggage sshblack]# cp sshblack /etc/init.d
[root@luggage sshblack]# ls -al /etc/init.d/sshblack
-rwxr-xr-x  1 root root 1863 Dec 11 15:03 /etc/init.d/sshblack
[root@luggage sshblack]# chkconfig --add sshblack
[root@luggage sshblack]# chkconfig --list sshblack
sshblack        0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@luggage sshblack]# service sshblack start
