Yet again I find myself trying to solve the same problem I have faced over and over in the 10 years I have been working with Linux: how do I stop SSH brute force attacks? I'm pondering this because I logged into one of my systems to discover a brute force attack in progress. Again…
I know I can install snort and use a complicated set of tools to detect an attack and add firewall rules. I also know I can implement port knocking or some other complicated means of making SSH unavailable to attackers. All of this seems a little overblown. It's probably because someone started working on a way of detecting attacks and featureitis set in.
I keep coming back to the question of what the real problem is that I am solving. Most of the attacks I am concerned with are dictionary attacks. An attacker discovers I am listening on SSH and proceeds to try every username and password combination he can think of.
What information do I have? What information can I gather?
The easiest thing I can think of is to watch /var/log/secure. Every failed login attempt gets logged with a time, IP and user. Using popen("tail -f /var/log/secure") I can inspect each line of the log as it comes through. Each time I get a match for a bad user login I can add it to a database. When a particular IP has too many failed attempts in the last N minutes, the IP can be added to a special blacklist table in iptables with a drop rule.
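The approach above, worked through as an added example (my own illustration, not the author's forthcoming package): a Python script that follows the log the way popen("tail -f") does, parses sshd "Failed password" lines, keeps a sliding window of timestamps per source IP, and produces the iptables drop rule once an IP exceeds the threshold. The log line format, the chain name SSH_BLACKLIST, the threshold of 5 attempts in 10 minutes and the sample log lines are all assumptions constructed for the example.

```python
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd line shape in /var/log/secure (syslog timestamp, no year):
# "Mar 14 02:10:01 host sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year):
    """Return (timestamp, ip, user) for a failed-login line, else None.
    syslog omits the year, so the caller supplies it."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


class BruteForceTracker:
    """Sliding-window counter: too many failures from one IP in `window` trips the blacklist."""

    def __init__(self, threshold=5, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blacklisted = set()

    def record(self, ts, ip):
        """Record one failure; return True the first time `ip` crosses the threshold."""
        q = self.attempts[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blacklisted:
            self.blacklisted.add(ip)
            return True
        return False


def blacklist_command(ip, chain="SSH_BLACKLIST"):
    """iptables invocation that drops all traffic from `ip` via a dedicated chain (assumed name)."""
    return ["iptables", "-A", chain, "-s", ip, "-j", "DROP"]


def process_lines(lines, tracker, year, dry_run=True):
    """Feed log lines through the tracker; return IPs newly blacklisted, in order."""
    newly_blocked = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # not a failed login (e.g. "Accepted publickey")
        ts, ip, _user = parsed
        if tracker.record(ts, ip):
            cmd = blacklist_command(ip)
            if dry_run:
                print("would run:", " ".join(cmd))
            else:
                subprocess.run(cmd, check=True)  # needs root and the chain to exist
            newly_blocked.append(ip)
    return newly_blocked


def follow_log(path="/var/log/secure", tracker=None, dry_run=True):
    """Stream new lines as they are written, like popen("tail -f"); -F survives log rotation."""
    tracker = tracker or BruteForceTracker()
    proc = subprocess.Popen(["tail", "-F", "-n", "0", path], stdout=subprocess.PIPE, text=True)
    process_lines(proc.stdout, tracker, datetime.now().year, dry_run=dry_run)


# Constructed sample log: 203.0.113.7 makes 5 failures in 10 seconds (should be blocked);
# 192.0.2.5 makes 5 failures spread over 32 minutes (never 5 inside one 10-minute window);
# 198.51.100.9 fails twice then logs in with a key.
SAMPLE_LINES = [
    "Mar 14 02:00:00 host sshd[1190]: Failed password for invalid user backup from 192.0.2.5 port 50001 ssh2",
    "Mar 14 02:08:00 host sshd[1191]: Failed password for root from 192.0.2.5 port 50002 ssh2",
    "Mar 14 02:10:01 host sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2",
    "Mar 14 02:10:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 40123 ssh2",
    "Mar 14 02:10:04 host sshd[1202]: Failed password for deploy from 198.51.100.9 port 5000 ssh2",
    "Mar 14 02:10:05 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 40124 ssh2",
    "Mar 14 02:10:06 host sshd[1204]: Failed password for deploy from 198.51.100.9 port 5001 ssh2",
    "Mar 14 02:10:07 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2",
    "Mar 14 02:10:09 host sshd[1206]: Failed password for invalid user guest from 203.0.113.7 port 40126 ssh2",
    "Mar 14 02:10:10 host sshd[1207]: Accepted publickey for deploy from 198.51.100.9 port 5002 ssh2",
    "Mar 14 02:16:00 host sshd[1210]: Failed password for root from 192.0.2.5 port 50003 ssh2",
    "Mar 14 02:24:00 host sshd[1211]: Failed password for root from 192.0.2.5 port 50004 ssh2",
    "Mar 14 02:32:00 host sshd[1212]: Failed password for root from 192.0.2.5 port 50005 ssh2",
]


def run_demo():
    """Dry run over the constructed sample; returns the IPs that would be blacklisted."""
    return process_lines(SAMPLE_LINES, BruteForceTracker(), 2024)


if __name__ == "__main__":
    print("blacklisted:", run_demo())
```

The chain has to exist before any rule is appended (`iptables -N SSH_BLACKLIST` and `iptables -I INPUT -j SSH_BLACKLIST`, done once at startup or by hand), and the dry run default is deliberate: run it against the real log with `dry_run=True` first and check that your own addresses never show up, since the script has no whitelist and will happily lock out an admin who fat-fingers a password five times. Option parsing and daemonizing are left out here, so this is rather less than the author's 130 lines.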
I'm out of time for right now, but a package will be forthcoming. I have gotten this blacklist behavior in only 130 lines of code. This includes parsing command line options and becoming a daemon in the background.
I call that a win.