forked from simple-evcorr/rulesets
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ssh-brute.sec
69 lines (67 loc) · 3.65 KB
/
ssh-brute.sec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
################## ssh brute force attack blocker
# Copyright (C) 2003-2009 Mark Bergman
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
##################
#
# This sec ruleset monitors syslog messages for indications that an ssh brute-force
# login attack is underway. The trigger is an ssh login failure.
#
# If 4 additional syslog messages about ssh login failures from the same
# source address are received within next 1 minute, an iptables firewall
# rule is added to block access from the source IP.
#
# After that, the correlation operation waits until no ssh login failure
# syslog messages from the source IP have been received from the router
# during the last 2 hours, and then the iptables rule is removed. By
# definition, once the IP is blocked, there will be no more connection
# attempt failures logged by ssh (ie., packets will be dropped by the kernel
# before they reach the syslog daemon), so the rule will be flushed after
# 2 hours.
#
# Vulnerabilities of this ruleset are:
#
# persistent firewall rules:
# if the sec daemon crashes or is restarted, any existing rules
# will not be removed after 2hours
#
# window=60 # sliding window (1 minute) for initial event match
# thresh=4 # number of events (ssh login failures from a given IP) that must
# # occur within the window period in order to trigger the action
#
# window2=7200 # sliding window (2 hours) for the second event match
# thresh2=0
###############
# RCSversion="$Header: /home/bergman/RCS/ssh_block.sec,v 1.3 2006/05/02 04:18:44 bergman Exp bergman $"
#
# Representative log file entries:
# Aug 28 04:43:03 10.1.1.18 sshd(pam_unix)[22344]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.ace.ne.jp
# Aug 28 04:43:03 host sshd[22568]: Failed password for illegal user library from 210.230.187.218 port 55019 ssh2
# Aug 28 04:42:28 www.somehost.net sshd[9395]: Failed password for illegal user mysql from 210.230.187.218 port 52857 ssh2
# Aug 28 04:42:28 host sshd[22509]: Failed password for root from 210.230.187.218 port 52960 ssh2
# Aug 28 04:42:32 www.somehost.net sshd[9397]: Failed password for illegal user oracle from 210.230.187.218 port 53212 ssh2
# Aug 28 04:42:32 host sshd[22510]: Failed password for illegal user admin from 2 10.230.187.218 port 53243 ssh2
#
type=SingleWith2Thresholds
ptype=RegExp
pattern=sshd.*: authentication failure[ ;].* rhost=(\S+)
desc=Multiple failed ssh authentication attempts from $1
action=logonly ; shellcmd ( /usr/local/sbin/ipt-add -I FORWARD -s $1 -p tcp --dport 22 -j DROP ; /usr/local/sbin/ipt-add -I INPUT -s $1 -p tcp --dport 22 -j DROP )
window=60
thresh=4
desc2=Pruning iptables firewall rule blocking ssh from $1
action2=logonly ; shellcmd ( /sbin/iptables -D FORWARD -s $1 -p tcp --dport 22 -j DROP ; /sbin/iptables -D INPUT -s $1 -p tcp --dport 22 -j DROP )
window2=7200
thresh2=0
type=SingleWith2Thresholds
ptype=RegExp
pattern=sshd.*: Failed password for.* user .* from (\S+)
desc=Multiple ssh password failures from $1
action=logonly ; shellcmd ( /usr/local/sbin/ipt-add -I FORWARD -s $1 -p tcp --dport 22 -j DROP ; /usr/local/sbin/ipt-add -I INPUT -s $1 -p tcp --dport 22 -j DROP )
window=60
thresh=4
desc2=Pruning iptables firewall rule blocking ssh from $1
action2=logonly ; shellcmd ( /sbin/iptables -D FORWARD -s $1 -p tcp --dport 22 -j DROP ; sleep 2; /sbin/iptables -D INPUT -s $1 -p tcp --dport 22 -j DROP ; sleep 2)
window2=7200
thresh2=0