Autoblock IPs with failed SSH logins

June 1, 2006

Automatic blocking of systems after a number of failed login tries


Some general things first…

First of all, I know there are tools like 'denyhosts' or 'pam_abl' (which I use too), but the problem is: I want an attacking system to be ignored completely, not just blocked from SSH. Otherwise that system can still continue attacking my machine via http, ftp or other services I'm running, or simply waste my system's performance.

For this purpose I set up a script which automatically adds the hosts identified by 'pam_abl' (http://www.hexten.net/pam_abl/ by Andy Armstrong) to iptables, which then drops every packet from those systems.

This howto is just an English translation of this documentation: http://nimue/doc/?doc=032-abl_iptab…_abl%20iptables

Now, here's the howto….

————————————-

Install, configure and activate 'pam_abl'
Under Fedora it's easy, just:

Code:

yum install pam_abl

Next, configure pam_abl in '/etc/security/pam_abl.conf' with a configuration like this:

Code:

# /etc/security/pam_abl.conf
host_db=/var/lib/abl/hosts.db
host_purge=5d
host_rule=*:5/1h,20/1d

pam_abl will deny every host (host_rule=*:…) which presents an invalid user/password 5 times per hour or 20 times per day; host_purge=5d removes a host's record again after 5 days.
For further information about configuring 'pam_abl', consult the official docs at http://www.hexten.net/assets/pam_abl_doc/index.html

After this, enable 'pam_abl' as described in '/usr/share/doc/pam_abl-*/README.fedora'. I would advise you to add the 'pam_abl' rule before any 'sufficient' PAM rule, otherwise a system can get around it: a sufficient rule that succeeds ends the PAM stack before 'pam_abl' is ever consulted.
And be careful when changing the PAM configuration: make a backup copy first!

Using 'pam_abl'
Now you have the 'pam_abl' module (pam_abl.so) and the command-line tool 'pam_abl', which lets you manually inspect and edit the database of so-called 'crackers'.

Code:

pam_abl -p

This purges old hosts from your database (hosts which have been in the database longer than the purge time defined in your config). We do this because we'll be blocking IP addresses via iptables, and in most cases these addresses were dynamically assigned by an ISP, so an address blocked for too long may later belong to an innocent system.

Changes to iptables
So that we can automatically update our iptables rules with 'crackers', we must create a chain and then insert a rule into our current iptables rules (or firewall script) that jumps to it:

Code:

iptables -t filter --new crackers
iptables -I INPUT -j crackers

It's important to insert the jump rule at the top of the INPUT chain (iptables -I inserts at the top, iptables -A appends at the end), otherwise an earlier rule can allow a packet before we check whether its source is a cracker identified by pam_abl.

Blocking the systems identified by 'pam_abl'
Now we just need to fill the 'crackers' chain with the systems attacking ours:

Code:

#!/bin/bash
#
# script: update_firewall.sh - updates crackers reported by pam_abl (http://www.hexten.net/pam_abl/) in the firewall

# initialisation
#
# define variables
chain_name=crackers
iptables=/sbin/iptables
pam_abl=/usr/sbin/pam_abl

# check access to iptables
if [ ! -x "$iptables" ]; then
    echo "cannot execute iptables!"
    echo "please correct iptables-variable in $0"
    exit 1
fi

# check access to the pam_abl command-line tool (it reads the host database
# configured in /etc/security/pam_abl.conf)
if [ ! -x "$pam_abl" ]; then
    echo "cannot execute pam_abl!"
    echo "please correct pam_abl-variable in $0"
    exit 1
fi

# check if the defined chain exists in the current iptables rules
if ! "$iptables" -t filter -n -L "$chain_name" >/dev/null 2>&1; then
    echo "chain $chain_name is not defined in your iptables rules!"
    echo "cannot add a rule into a non-existing chain. please update your iptables-config."
    exit 1
fi

# checks ok, go on...
#
# purge old hosts from pam_abl
"$pam_abl" -p

# flush crackers chain
"$iptables" -t filter -F "$chain_name"

# reload chain with the current crackers: pam_abl prints one host per line;
# the "hosts:" header and the "Blocking"/"Not blocking" status lines are skipped
for i in $("$pam_abl" | grep -v hosts: | grep -v ocking | awk '{print $1}'); do
    # pam_abl may list IPv4-mapped IPv6 addresses (::ffff:1.2.3.4); strip that
    # prefix and only hand plain IPv4 addresses to iptables, so an unexpected
    # line in the listing cannot abort the run with a "host/network not found"
    i=${i#::ffff:}
    case $i in
        ''|*[!0-9.]*) echo "skipping unexpected entry '$i'"; continue ;;
    esac
    "$iptables" -t filter -A "$chain_name" -s "$i" -j DROP
done

This script does everything for you: it cleans the 'pam_abl' database and the chain, and finally adds every system identified by 'pam_abl' to iptables.

If you then add this script to your crontab (for example every 10 minutes), a cracker system has at most 10 minutes after being blocked by pam_abl to attack another service or waste your system's performance…
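As an added example that is not part of the original post: pam_abl's listing prints every host with a failed login on record, each followed by a status line ('Blocking users [*]' or 'Not blocking', as shown in comment 9 below), so the loop above also drops hosts that have not yet reached the threshold. This shell helper keeps only the hosts pam_abl is actually blocking. The listing format (a 'Failed hosts:' section ended by a 'Failed users:' heading), the '::ffff:' prefix handling and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not the original post's code. Assumes the pam_abl listing
# format: a "Failed hosts:" section in which each host line ("1.2.3.4 (186)"
# or "::ffff:1.2.3.4 (5)") is followed by a status line ("Blocking users [*]"
# or "Not blocking"), ended by an assumed "Failed users:" section.

# Reads a pam_abl listing on stdin, prints one blocked IPv4 address per line.
blocked_hosts() {
    awk '
        /^Failed hosts:/ { in_hosts = 1; next }
        /^Failed users:/ { in_hosts = 0 }
        !in_hosts        { next }
        /^Blocking/      { if (host != "") print host; host = ""; next }
        /^Not blocking/  { host = ""; next }
        {
            addr = $1
            sub(/^::ffff:/, "", addr)   # strip the IPv4-mapped IPv6 prefix
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) host = addr
            else host = ""              # anything else is never passed on
        }
    '
}

# Constructed sample listing in the format described above.
sample_listing() {
    cat <<'EOF'
Failed hosts:
94.103.95.72 (186)
Blocking users [*]
10.10.10.245 (2)
Not blocking
::ffff:203.0.113.9 (25)
Blocking users [*]
Failed users:
root (40)
Blocking users [*]
EOF
}

# In the firewall script the loop would become:
#   for i in $(/usr/sbin/pam_abl | blocked_hosts); do ... done
sample_listing | blocked_hosts
```

With the sample above only 94.103.95.72 and 203.0.113.9 are printed; 10.10.10.245 (two failures, "Not blocking") stays out of the chain.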

17 comments

  1. Please can you tell me the line to add pam_abl as a cron job.

    Thx


  2. Add the line to /etc/crontab

    */10 * * * * (path to pam_abl script)


  3. What is the output of?

    /usr/sbin/pam_abl | grep -v hosts: | grep -v ocking | grep -v username | grep "::ffff:" | awk '{print $1}' | cut -d: -f3

    and

    /usr/sbin/pam_abl | grep -v hosts: | grep -v ocking | grep -v username | grep "::ffff:" | awk '{print $1}' | cut -d: -f4


  4. Also let me know if you use static IP and want to allow only particular IPs to be able to ssh to your machine? What is your operating system?


  5. Success! I found some egrep regex on the 'net to only show lines with IP addresses in them. Then I added cut -d: -f4 from your comment above to remove the IPv6 address. Here's what I ended up with:

    for i in `/usr/sbin/pam_abl | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' | cut -d: -f4 | awk '{print $1}'`;

    The script successfully added the cracker to my iptables crackers rule.

    For the record, I’ve got a static IP, and my OS is Fedora 7.


  6. Thanks so much for the help🙂


  7. welcome


  8. Do you want ssh to be accessible publicly?

    If not, for ssh security, in /etc/ssh/sshd_config:

    1) Change the ssh port to some non-standard port (say 7563 etc.)

    2) Change protocol to 2 only

    3) Use host-based protection / allow only specific IPs to connect to the machine

    example:
    # cat /etc/hosts.allow
    sshd: MyIP1 MyIP2 MyIP3 localhost

    # cat /etc/hosts.deny
    sshd : ALL

    # chattr +ai /etc/hosts.allow /etc/hosts.deny

    MyIP: your local IP(s)

    4) Disable direct root login and allow only a specific user to log in via ssh and then su to root (the user must be added to the wheel group (group 10) and configured to be able to su to root)

    or

    5) Use public key authentication and disable passwd authentication


  9. The problem for me with this script is that hosts are logged in pam_abl prior to being blocked (example below). I would not want a host with one failed attempt being dropped in iptables prior to being blocked in pam_abl:

    Failed hosts:
    94.103.95.72 (186)
    Blocking users [*]
    10.10.10.245 (2)
    Not blocking


  10. When I run the script it gives me the following error:

    1. chain crackers is not defined in your iptable rules!

    2. cannot add a rule into a non-existing chain. please update your iptables-config.

    So I added the chain first:
    iptables -t filter --new crackers
    iptables -A INPUT -j crackers

    but it gives me an error again:

    iptables v1.4.7: host/network `Failed' not found
    Try `iptables -h' or 'iptables --help' for more information.

    This is my output of iptables:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    crackers all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain crackers (1 references)
    target prot opt source destination

