11/Oct/2007 tested on SuSE 10.3
This is a Linux daemon that monitors log files (e.g. /var/log/messages) looking for multiple failed login attempts via SSH. It also blocks IP addresses doing port scans. It creates firewall rules to block individual offenders.
# mv sshutout-1.0.3.tar.gz /usr/local/src
# tar zxvf sshutout-1.0.3.tar.gz
# cd sshutout-1.0.3
Edit the Makefile. The man path must be changed as follows:
...
# if [ ! -d /usr/man/man8 ]; then mkdir -m 755 /usr/man/man8; fi
# cp sshutout.8 /usr/man/man8/sshutout.8
# chown root:root /usr/man/man8/sshutout.8
# chmod 644 /usr/man/man8/sshutout.8
if [ ! -d /usr/share/man/man8 ]; then mkdir -m 755 /usr/share/man/man8; fi
cp sshutout.8 /usr/share/man/man8/sshutout.8
chown root:root /usr/share/man/man8/sshutout.8
chmod 644 /usr/share/man/man8/sshutout.8
...
Install sshutout:
# make
# make install
Edit /etc/sshutout.conf as follows:
...
#squelch_portscan = no
squelch_portscan = yes
...
#illegal_user = no
illegal_user = yes
...
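#!/bin/sh
# chkconfig: 35 99 30
# description: sshutoutd
#
# SysV init script for the sshutout daemon.
# Usage:   sshutoutd {start|stop|restart|reload|status}
# Files:   /var/run/sshutout.pid (written by the daemon), /var/log/sshutout.log
# Returns: 0 on success, 1 on an unknown argument; exits 0 silently when the
#          daemon binary is not installed so boot is not disturbed.

DAEMON=/usr/local/sbin/sshutout
PIDFILE=/var/run/sshutout.pid
LOGFILE=/var/log/sshutout.log
NAME=sshutout

test -x "$DAEMON" || exit 0

# Send signal $1 (e.g. TERM, HUP) to the daemon.
# The PID recorded by the daemon is preferred over killall so that only our own
# process is signalled and not some other process that happens to be named
# "sshutout"; the PID is only trusted if it is numeric and still belongs to a
# process of that name (guards against a stale, recycled PID).
# Returns 0 if a process was signalled, non-zero otherwise.
signal_daemon() {
  sig=$1
  pid=
  if [ -r "$PIDFILE" ]; then
    pid=$(cat "$PIDFILE" 2>/dev/null)
  fi
  case "$pid" in
    ''|*[!0-9]*) pid= ;;
  esac
  if [ -n "$pid" ] && ps -p "$pid" -o comm= 2>/dev/null | grep -q "$NAME"; then
    kill -"$sig" "$pid"
    return $?
  fi
  killall -"$sig" "$NAME" 2>/dev/null
}

case "$1" in
  start)
    # A PID file left behind by a crash is removed before starting.
    rm -f "$PIDFILE"
    "$DAEMON"
    # The original used `echo -e \n`, which under /bin/sh is non-portable and,
    # being unquoted, prints "n" rather than a newline; a bare echo ends the
    # daemon's banner line.
    echo
    ;;
  stop)
    signal_daemon TERM
    echo ""
    ;;
  status)
    # The "[s]" pattern stops grep from listing its own command line.
    ps ax | grep '[s]shutout'
    tail "$LOGFILE"
    ;;
  restart)
    # The original chained these with &&, so a restart while the daemon was
    # not running (killall returning non-zero) never reached "start".
    "$0" stop
    "$0" start
    ;;
  reload)
    signal_daemon HUP
    # Kept from the original script: a HUP is followed by a full restart.
    "$0" restart
    ;;
  *)
    echo "Usage: sshutoutd {start|stop|restart|reload|status}" >&2
    exit 1
    ;;
esac
exit 0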
Start sshutout.
# /etc/init.d/sshutoutd start
sshutout ver. 1.0.3 -- (C)Copyright 2006 - Bill DuPree All rights reserved.
*** The sshutout 1.0.3 daemon has started ***
sshutout configuration follows:
Configuration file: /etc/sshutout.conf
SSH Daemon: sshd
Input log file: /var/log/messages
Output log file: /var/log/sshutout.log
PID file: /var/run/sshutout.pid
Polling interval: 60 seconds
Threshold: 4 attempts
Delay penalty: 300 seconds
Portscan squelching is enabled
Illegal user squelching is enabled
Whitelist: 125.14.252.1 192.168.0.10 125.14.253.38
Run it when the machine boots:
# chkconfig sshutoutd on
# chkconfig --list | grep sshutoutd
sshutoutd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
See the list of blocked sites in /var/log/sshutout.log after a while:
# tail -f /var/log/sshutout.log
121.254.225.14 blocked on Wed Oct 24 04:43:48 2007
121.254.225.14 blocked on Wed Oct 24 04:44:34 2007
72.9.104.122 blocked on Thu Oct 25 00:25:19 2007
202.213.248.219 blocked on Thu Oct 25 06:27:19 2007
210.94.6.89 blocked on Thu Oct 25 07:56:19 2007
You can see more detailed activity in /var/log/messages:
Oct 24 04:43:38 srv1 sshd[716]: Did not receive identification string from 121.254.225.14
Oct 24 04:43:48 srv1 sshutout[12567]: Squelching ssh port scan from 121.254.225.14 for 300 seconds.
Oct 24 04:44:34 srv1 sshutout[12474]: Squelching ssh port scan from 121.254.225.14 for 300 seconds.
Oct 24 04:48:48 srv1 sshutout[12567]: Unblocking 121.254.225.14 after expiry of 300 seconds.
Oct 24 04:49:34 srv1 sshutout[12474]: Unblocking 121.254.225.14 after expiry of 300 seconds.
...
Oct 25 00:25:17 srv1 sshd[10481]: reverse mapping checking getaddrinfo for 72-9-104-122.reverse.ezzi.net [72.9.104.122] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 25 00:25:17 srv1 sshd[10481]: Invalid user test from 72.9.104.122
Oct 25 00:25:19 srv1 sshutout[2698]: Squelching ssh port scan from 72.9.104.122 for 300 seconds.
Oct 25 00:30:19 srv1 sshutout[2698]: Unblocking 72.9.104.122 after expiry of 300 seconds.
...
Oct 25 06:27:05 srv1 sshd[20280]: Invalid user tomcat from 202.213.248.219
Oct 25 06:27:19 srv1 sshutout[2698]: Squelching ssh port scan from 202.213.248.219 for 300 seconds.
Oct 25 06:32:19 srv1 sshutout[2698]: Unblocking 202.213.248.219 after expiry of 300 seconds.
...
Oct 25 07:56:18 srv1 sshd[22868]: Invalid user 1111 from 210.94.6.89
Oct 25 07:56:19 srv1 sshutout[2698]: Squelching ssh port scan from 210.94.6.89 for 300 seconds.