Hi, I finally got around to making an automatic blackhole setup to stop the bots that try to SSH into my box all the time. I'm sure people have done this before, but I couldn't find many decent references googling around. So, I figured I'd explain what I did so others can waste less time. First off, I switched from running the standard syslogd/klogd setup to using syslog-ng. The advantage of syslog-ng is that you can have it pipe some or all of the logs that are received into another program, which can handle events as they happen. I pondered making a utility of my own to filter the logs for SSH login failures, but I finally came across a reasonable utility online. SEC, the Simple Event Correlator [http://kodu.neti.ee/~risto/sec/], uses Perl and allows for Perl's regular expression syntax, which I'm most comfortable with (and when I forget things, I can just do "man perlre" to remember). Finally, I decided to make myself a simple blackhole script to give myself a little more flexibility (for example, I'll expand it in the future to have a "whitelist" of IP addresses, so if I'm feeling forgetful one day, I hopefully won't block myself). I added these entries to my /etc/syslog-ng/syslog-ng.conf file, which filters my logs and only sends messages from sshd to SEC (my firewall is just a Pentium 133, so I didn't want to send everything there): # set up the destination of sec, which uses STDIN ('-') as input destination d_sec { program("sec -input=- -conf=/etc/sec.conf"); }; # set up a filter to only pick up logs from the SSH daemon filter f_sshd { program(sshd.*); }; # connect log source, filter, and destination log { source(s_all); filter(f_sshd); destination(d_sec); }; I also created a rule for SEC that will run my blackhole script if three failed logins appeared within a 30-second window. After an hour (3600 seconds), I run my script again to unblock the IP address (otherwise my blackhole chain would probably become very long after a while). type=SingleWith2Thresholds ptype=RegExp pattern=Failed password for (?:root|illegal user \S+) from ::ffff:([0-9.]+) desc=Repeated login failures from $1 window=30 thresh=3 action=shellcmd /usr/local/bin/blackhole.pl add $1 desc2=Blackholed $1 for one hour, removing window2=3600 thresh2=0 action2=shellcmd /usr/local/bin/blackhole.pl remove $1 I created a blackhole script that would add the IP to some rule chains that are already set up on my firewall. I use the shorewall script to define rules, which has a pre-defined "dynamic" chain for blackholing sites, plus a "reject" target chain that will sanely react to a variety of different incoming traffic. (I suppose calling it a "blackhole" isn't really accurate in this case, since my firewall will generally send TCP reset, port unreachable, or other responses when traffic is being rejected). #!/usr/bin/perl my ($action, $ip) = @ARGV; if ($action eq 'add') { system ("iptables -A dynamic -s $ip -j reject"); system ("logger -t blackhole.pl[$$] added $ip to blackhole list"); } elsif ($action eq 'remove') { system ("iptables -D dynamic -s $ip -j reject"); system ("logger -t blackhole.pl[$$] removed $ip from blackhole list"); } I finished it up late last night, and wasn't quite sure if it was working. I'd attempted to fail SSH logins a few times from a remote shell account I have, but it didn't seem to work (maybe I just didn't type fast enough ;-) However, when I woke up today, I was happy to see that this setup had added and then removed blackhole rules for two sites. -- Mike Hicks <hick0088 at tc.umn.edu> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://shadowknight.real-time.com/pipermail/tclug-list/attachments/20060128/fd6385ee/attachment.pgp