SSH attacks, again!

I am too lazy to install fail2ban to protect my ssh daemon against bad boys. In addition, I have been raised to minimize reliance on applications when a one-liner or a few-line script would do all or part of the work.

Yesterday, I decided to turn on my home's sshd and make it accessible from outside, so that whenever I need something while at work I could ask someone just to turn on my laptop. I did, and the bad Chinese boys were so quick that they started attacking my poor daemon. They were trying users like: root, oracle, backup, postgres, www, test, kylix, info. So far there is only one attacking IP, which is 58.68.150.174.

So, I opted for:
1- denying remote root login (Yes, I am a lazy sysadmin! I should have done this earlier) and
2- updating my counter-ssh-attacks script as follows (P.S. I have removed explanatory comments):
#! /bin/bash
# Note: /etc/hosts.deny only affects sshd if it was built with tcp_wrappers (libwrap).
RETVAL=0
secure='/var/log/secure'
deny='/etc/hosts.deny'
file=$(mktemp /tmp/counter-ssh.XXXXXX) || exit 1   # random name instead of a fixed, predictable /tmp path
#grep "Did not" $secure | awk '{print $12}' | uniq -u > $file
# Take the address that follows "from" rather than stripping letters and counting fields
# (that breaks as soon as the hostname contains a digit); sort -u because plain uniq only drops adjacent duplicates
awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$secure" | sort -u > "$file"
# -x matches the whole line and -F treats the dots literally, so 1.2.3.4 no longer matches 1.2.3.45 or 1a2b3c4
while read -r ip; do
    grep -qxF "sshd:$ip" "$deny" || echo "sshd:$ip" >> "$deny"
done < "$file"
RETVAL=$?
rm -f "$file"
exit $RETVAL
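The script above bans an address after a single failed password, so one typo from a friend locks them out. As an added example (my own code, not the post's script), the version below counts "Failed password" lines per source address in an OpenSSH log and emits hosts.deny entries only for addresses at or above a threshold, which is the fail2ban idea in a few lines of shell. The functions count_failures and deny_ips, the threshold of 3, and the sample log lines are all assumptions made here for illustration; the log lines are constructed, using the attacking IP from the post plus RFC 5737 documentation addresses, and the deny file is a temp file so it runs without root. The same caveat applies as to the original script: sshd only honours /etc/hosts.deny when it is built with tcp_wrappers (libwrap).

```shell
#!/bin/bash
# Added example, not the post's own script: threshold-based SSH brute-force
# banning over an OpenSSH auth log. Sample log lines below are constructed.
set -u

# Print "count ip" for each address with >= $2 failed logins in log file $1.
# Matching the token after "from" is more robust than stripping letters and
# counting fields, which breaks as soon as the hostname contains a digit.
count_failures() {
    local log="$1" threshold="${2:-3}"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$log" | sort -k1,1nr -k2,2
}

# Append "sshd:IP" to the deny file $1 for each IP read on stdin, skipping
# entries already present (-x whole line, -F literal dots). Prints the number
# of new entries added.
deny_ips() {
    local deny="$1" added=0 ip
    touch "$deny"
    while read -r ip; do
        if ! grep -qxF "sshd:$ip" "$deny"; then
            echo "sshd:$ip" >> "$deny"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample of /var/log/secure: one persistent attacker, one noisy
# host below the threshold, one legitimate typo, plus lines that mention
# "from" but are not failed passwords.
SAMPLE_LOG=$(mktemp)
DENY_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$DENY_FILE"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 10:00:01 box9 sshd[4123]: Failed password for root from 58.68.150.174 port 4022 ssh2
Jan 12 10:00:02 box9 sshd[4124]: Failed password for invalid user oracle from 58.68.150.174 port 4023 ssh2
Jan 12 10:00:03 box9 sshd[4125]: Failed password for invalid user backup from 58.68.150.174 port 4024 ssh2
Jan 12 10:00:04 box9 sshd[4126]: Failed password for invalid user postgres from 58.68.150.174 port 4025 ssh2
Jan 12 10:01:10 box9 sshd[4130]: Failed password for invalid user test from 192.0.2.77 port 51000 ssh2
Jan 12 10:01:11 box9 sshd[4131]: Failed password for invalid user www from 192.0.2.77 port 51001 ssh2
Jan 12 10:05:00 box9 sshd[4140]: Failed password for me from 198.51.100.5 port 60000 ssh2
Jan 12 10:05:09 box9 sshd[4140]: Accepted password for me from 198.51.100.5 port 60000 ssh2
Jan 12 10:06:00 box9 sshd[4150]: Did not receive identification string from 203.0.113.9
EOF
echo "sshd:203.0.113.9" > "$DENY_FILE"   # pretend this one was blocked earlier

count_failures "$SAMPLE_LOG" 3
# prints: 4 58.68.150.174
count_failures "$SAMPLE_LOG" 3 | awk '{print $2}' | deny_ips "$DENY_FILE"
cat "$DENY_FILE"
```

With the threshold at 3, only 58.68.150.174 is added; 192.0.2.77 (two failures) and the single typo from 198.51.100.5 are left alone, and the "Accepted password" and "Did not receive identification string" lines are ignored even though they contain "from". Running deny_ips a second time with the same input adds nothing, so the function is safe to call from cron.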
