
2005-08-02

[] hosts.allow

client address : %a

client hostname : %n

client username : %u

client info : %c

server address : %A

server hostname : %N

server process : %d

server info : %s

[] sshパスワード間違えたら一定時間アクセスを禁止する

辞書攻撃の対策として非常に有効です。

hosts.allow

sshd : ALL : spawn ( /usr/local/bin/block_ssh_attack.sh %a 5 ) : allow

/usr/local/bin/block_ssh_attack.sh

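#!/bin/sh
#
# block_ssh_attack.sh - temporarily block an ssh brute-force source with pf.
# Meant to be spawned from hosts.allow (the sshd line that passes %a).
#
# arg1 : ip addr ( can be given by tcpd's %a )
# arg2 : suspend time in minutes

# number of trailing log lines to inspect
export NUMLOGBACK=30
# log file that the sshd failure lines are searched in
export LOGFILE=/var/log/auth.log
# space-separated host names that must never be blocked
export WHITELIST="hostb.example.org"
# mail command used to notify root (may carry options)
export MAILCMD=mail
# quoted so a sh that word-splits export's arguments cannot split the value
export IPADDR="$1"
export SUSPENDMIN="$2"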

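#######################################
# Tell whether IPADDR belongs to one of the whitelisted hosts.
# Globals:   WHITELIST (read; space-separated host names), IPADDR (read)
# Arguments: none
# Returns:   0 if IPADDR is an address of a whitelisted host, 1 otherwise
#######################################
whitelist()
{
  # WHITELIST is deliberately left unquoted: it is a space-separated list.
  for entry in $WHITELIST; do
    # The 4th field of each host(1) output line is framed in x...x so the
    # comparison is whole-field; -F keeps the dots in IPADDR literal (a
    # plain regex would let "." match any character).
    if host "$entry" | awk '{ print "x" $4 "x" }' | grep -F -q -- "x${IPADDR?}x"; then
      return 0
    fi
  done
  return 1
}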

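#######################################
# Main: search the last NUMLOGBACK lines of LOGFILE for ssh failures from
# IPADDR. If any are found and the address is not whitelisted, add it to
# the pf table "invader", schedule its removal after SUSPENDMIN minutes,
# and log and mail the event.
# Runs from the hosts.allow spawn at connection time, so it only acts on
# failures that earlier attempts have already written to the log.
#######################################

# Escape the dots so the address is matched literally inside the regex
# (unescaped, "." would match any character).
ip_re=$(printf '%s' "${IPADDR?}" | sed 's/\./\\./g')

# "( |$)" after the address keeps 10.0.0.1 from also matching 10.0.0.10.
fail_re="sshd.*(Illegal user [-a-zA-Z0-9.]+|Failed password for (root|invalid user [-a-zA-Z0-9.]+)|Did not receive identification string) from ${ip_re}( |\$)"

MATCH=FALSE
if tail -n "${NUMLOGBACK?}" "${LOGFILE?}" | grep -E -i -- "$fail_re" > /dev/null; then
  MATCH=TRUE
fi

# A whitelisted source is never blocked (the earlier version assigned
# TRUE here, which made the whitelist check a no-op).
if [ "$MATCH" = TRUE ] && whitelist; then
  MATCH=FALSE
fi

if [ "$MATCH" = TRUE ]; then
  pfctl -t invader -Tadd "${IPADDR?}"
  # at(1) removes the table entry again after SUSPENDMIN minutes
  printf 'pfctl -t invader -Tdelete %s\n' "${IPADDR?}" | at "now+${SUSPENDMIN?}min" > /dev/null
  logger -p authpriv.info -t SSHBLOCK "blocking ip ${IPADDR?} for ${SUSPENDMIN?} minutes"
  # MAILCMD stays unquoted on purpose so it may carry its own options
  printf 'blocking ssh from ip %s %s min\n' "$(host "${IPADDR?}")" "${SUSPENDMIN?}" | $MAILCMD -s "sshd-block-${IPADDR?}" root
fi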

/etc/pf.conf

block in proto tcp from <invader> to any port 22

非常に参考にしたサイト

question:1122858074

[linux-users:104973] Re: SSHの大量不正アクセスログ