If you run a server with SSHD exposed to the internet, chances are that server is being scanned for common username and password combinations. These often appear in the authorization log (/var/log/auth.log) as entries like:
Jun 12 13:33:57 localhost sshd: Illegal user admin from 126.96.36.199
Jun 12 13:37:17 localhost sshd: Illegal user admin from 188.8.131.52
Jun 12 13:37:20 localhost sshd: Illegal user test from 184.108.40.206
Jun 12 13:37:22 localhost sshd: Illegal user guest from 220.127.116.11
Extend that for several hundred lines, and you’ll have an idea of what one scan looks like.
Being somewhat opposed to the idea of people clogging my logs with useless information, I wrote a small perl script to detect these entries in the log file and block the offending source address using iptables. It detects scans within a matter of seconds, and blocks the IP quickly to stop the attack. Blocks are only enabled for a short time–as little as 30 seconds is enough to discourage most automated scanners. SBLD limits the number of simultaneous bans to reduce iptables load and it’s own resource usage, and gradually decreases the alert level for hosts when no attack is taking place.
With SBLD, the scan is quickly detected and ended.
Jun 17 13:31:58 localhost sshd: Illegal user test from 18.104.22.168
Jun 17 13:31:59 localhost sshd: Illegal user test from 22.214.171.124
Jun 17 13:32:00 localhost sshd: Illegal user tester from 126.96.36.199
Jun 17 13:32:00 localhost sbld: Blocked 188.8.131.52
Jun 17 13:32:30 localhost sbld: Unblocked 184.108.40.206
The detection method itself is a simple regex applied to the log file, so it should be fairly easy to extend the daemon to block other kinds of attacks.
SBLD is still under development, but I’d like to encourage people to try it out and/or offer improvements. I make no guarantees as to the performance, safety, or security of this software. Contact me with feedback.
Post a Comment