Ok folks. If you’re as tired as I am of these damn ssh worms on the net, then this may be a solution for you.
It’s a fairly simple patch that makes it easier and more efficient to automatically firewall out ssh brute-force attacks.
If you have any issues with it, feel free to let me know and I’ll update the patch.
The idea is that you apply the patch to openssh, compile, and install.
The patch adds one configuration setting to your sshd_config file:
hook /path/to/executable
At the moment the patch doesn’t pick up on invalid passwords, but it does pick up on invalid usernames and on attempts to log in as root when root logins are disabled.
On either event it executes the file named in the config, passing two arguments:
Type: one of ROOT_LOGIN_REFUSED or AUTH_INVALID_USER
IPAddress: Well I’ll leave this one up to you.
It’s important to note that your executable should be as quick as possible, because sshd waits for it to finish before it carries on.
e.g.:
Grep a file for the IP; if it isn’t already there, add it to the file and add the IP to iptables (insert a REJECT rule before any ESTABLISHED/RELATED rules, so the attacker’s current connection is cut as well).
Of course you could just as easily use MySQL or the like; the point is not to spend 40 minutes processing a request, or you open yourself up to DoS attacks.
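Here is an added example of a hook script that does exactly the grep-and-iptables routine above. It is not part of the patch or of OpenSSH; the file paths, the allowlist, the DRY_RUN switch and the exit codes are my own assumptions. The two things a first attempt usually gets wrong are covered: the grep is a whole-line fixed-string match (so 10.0.0.1 is not mistaken for 10.0.0.10) and the address is validated before it goes anywhere near an iptables command line. The allowlist is there because mistyping your own username fires AUTH_INVALID_USER from your own IP.

```shell
#!/bin/sh
# ssh-hook.sh: an example handler for the "hook" directive added by the patch.
# Added illustration, not part of the patch or of OpenSSH. sshd runs it as
#     /path/to/ssh-hook.sh TYPE IPADDRESS
# where TYPE is ROOT_LOGIN_REFUSED or AUTH_INVALID_USER. The file paths,
# the DRY_RUN switch and the exit codes below are assumptions, not sshd's.

BLOCKLIST=${BLOCKLIST:-/var/lib/ssh-hook/blocked}   # assumed: one IP per line
ALLOWLIST=${ALLOWLIST:-/etc/ssh-hook/allow}         # assumed: IPs never blocked

# Only the two event types the patch emits may change the firewall.
known_event() {
    case $1 in
        ROOT_LOGIN_REFUSED|AUTH_INVALID_USER) return 0 ;;
        *) return 1 ;;
    esac
}

# Strict dotted-quad check: four decimal fields, each 0-255. The address
# comes from sshd, but nothing that is not a clean IPv4 literal should ever
# reach the iptables command line.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append $2 to list file $1 unless already present: 0 = newly added, 1 = present.
# grep -x -F is a whole-line, fixed-string match, so 10.0.0.1 is not treated
# as "already listed" merely because 10.0.0.10 is in the file.
record_ip() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" && return 1
    printf '%s\n' "$2" >> "$1"
}

# Insert the REJECT at position 1 of INPUT, ahead of any
# "--state ESTABLISHED,RELATED -j ACCEPT" rule, so the attacker's current
# TCP session is cut off as well as new ones. With DRY_RUN=1 the command is
# printed instead of run, which is how to try the script before wiring it
# into sshd_config.
block_ip() {
    set -- iptables -I INPUT 1 -s "$1" -j REJECT
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Exit codes: 0 newly blocked, 2 unknown event, 3 malformed address,
# 4 allowlisted, 5 already blocked (nothing to do).
handle_event() {
    known_event "$1" || return 2
    valid_ipv4 "$2"  || return 3
    if [ -f "$ALLOWLIST" ] && grep -qxF -- "$2" "$ALLOWLIST"; then
        return 4
    fi
    record_ip "$BLOCKLIST" "$2" || return 5
    block_ip "$2"
}

# Run by sshd with two arguments; with none, only the functions are defined.
if [ "$#" -eq 2 ]; then
    handle_event "$1" "$2"
    exit $?
fi
```

Try it by hand first with `DRY_RUN=1 ./ssh-hook.sh AUTH_INVALID_USER 203.0.113.5`, then point `hook` at it. The work per call is one grep over a small file and one iptables insert, so it returns quickly; keep it that way (no DNS lookups, no network calls). The script only accepts IPv4 literals; if your sshd listens on IPv6 you would need an ip6tables branch as well.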
Patch File
openssh-4.2_p1-hook.patch [5.73 kB]
Ebuilds for Gentoo users
openssh-4.2_p1-r1-hook.tar.bz2 [16.78 kB]
openssh-4.3_p2-r1-hook.tar.bz2 [9.30 kB]