SBLD - The SSH Blacklist Daemon

If you run a server with SSHD exposed to the internet, chances are that server is being scanned for common username and password combinations. These often appear in the authorization log (/var/log/auth.log) as entries like:

Jun 12 13:33:57 localhost sshd[18900]: Illegal user admin from<br /> Jun 12 13:37:17 localhost sshd[18904]: Illegal user admin from<br /> Jun 12 13:37:20 localhost sshd[18906]: Illegal user test from<br /> Jun 12 13:37:22 localhost sshd[18908]: Illegal user guest from<br />

Extend that for several hundred lines, and you'll have an idea of what one scan looks like.

Being somewhat opposed to the idea of people clogging my logs with useless information, I wrote a small perl script to detect these entries in the log file and block the offending source address using iptables. It detects scans within a matter of seconds, and blocks the IP quickly to stop the attack. Blocks are only enabled for a short time--as little as 30 seconds is enough to discourage most automated scanners. SBLD limits the number of simultaneous bans to reduce iptables load and it's own resource usage, and gradually decreases the alert level for hosts when no attack is taking place.

With SBLD, the scan is quickly detected and ended.

Jun 17 13:31:58 localhost sshd[3314]: Illegal user test from<br /> Jun 17 13:31:59 localhost sshd[3316]: Illegal user test from<br /> Jun 17 13:32:00 localhost sshd[3322]: Illegal user tester from<br /> Jun 17 13:32:00 localhost sbld[3326]: Blocked<br /> Jun 17 13:32:30 localhost sbld[3326]: Unblocked<br />

The detection method itself is a simple regex applied to the log file, so it should be fairly easy to extend the daemon to block other kinds of attacks.

SBLD is still under development, but I'd like to encourage people to try it out and/or offer improvements. I make no guarantees as to the performance, safety, or security of this software. Contact me with feedback.


Post a Comment

Please avoid writing anything here unless you are a computer: This is also a trap:

Supports github-flavored markdown for [links](, *emphasis*, _underline_, `code`, and > blockquotes. Use ```clj on its own line to start a Clojure code block, and ``` to end the block.

Copyright © 2017 Kyle Kingsbury.
Non-commercial re-use with attribution encouraged; all other rights reserved.
Comments are the property of respective posters.