Hi,
I could use a little help with some scripting. My Perl/Python is rudimentary, and my bash is not a lot better, but I'm sure this isn't too hard to do...
We get a lot (read: thousands a day) of these lines in the logs on all the machines we support, including our own:
Jul 6 16:53:24 xxx sshd[1628]: Invalid user chris from 202.202.43.110
It's a script kiddie trying to take advantage of an exploit in SSH. We use key-based authentication only, on SSH V2, so no real risk there, but it's annoying.
What I'd like to do is monitor the logs for such a line (or maybe three on the trot), and immediately do this:
/sbin/route add -host 202.202.43.110 reject
which will lock them out until a restart.
Any help appreciated!
Cheers, Laurie.
Be careful with auto route blockers and iptables manipulators like that. As an attacker you could detect quite easily that you're being actively blocked, then spoof the source IP as the target computer. The blocker script would then quite correctly shut down all routes to and from itself, requiring console access. As an added kick in the proverbials, the attacker could spoof his address as a 192.168.x.x range and block local LAN access as well. In effect you just DoS'd yourself! Not too much of a problem if you are on site, but a bugger if your server is remote.
One way to combat it is to time out the blocks with an intelligent script that removes the block after, say, 10 mins.
Just be careful is all :)
Stuart
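Putting Laurie's request and Stuart's caveat together, here is an added example (my own code, not something either poster wrote) of a small log watcher: it counts "Invalid user" lines per source address, adds a reject route after three of them, refuses to block loopback, RFC 1918 and any addresses you list as your own, and removes each block after ten minutes. The protected address 203.0.113.10, the `/var/log/auth.log` path and the sample log lines are constructed for the demonstration; the route command is the one from the original post. Note that Python's `ipaddress` module also treats the RFC 5737 documentation ranges as private, so in the sample both the explicit list and the private check would catch that address.

```python
import ipaddress
import re
import subprocess
import sys
import time

# Matches the sshd line from the post. The trailing "[\d.]+" also copes with
# newer sshd builds that append " port NNNN" after the address.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log lines for the demonstration, not captured traffic.
SAMPLE_LINES = [
    "Jul  6 16:53:24 xxx sshd[1628]: Invalid user chris from 202.202.43.110",
    "Jul  6 16:53:27 xxx sshd[1630]: Invalid user admin from 202.202.43.110",
    "Jul  6 16:53:31 xxx sshd[1632]: Invalid user test from 202.202.43.110",
    # Stuart's spoofed-LAN case: must never turn into a route.
    "Jul  6 16:53:35 xxx sshd[1634]: Invalid user root from 192.168.1.20",
    "Jul  6 16:53:40 xxx sshd[1636]: Accepted publickey for laurie from 10.0.0.5 port 40122 ssh2",
    # Already blocked: counted no further, no second route added.
    "Jul  6 16:53:44 xxx sshd[1638]: Invalid user oracle from 202.202.43.110",
    # Hypothetical own address, spoofed as the source: explicitly protected.
    "Jul  6 16:53:50 xxx sshd[1640]: Invalid user chris from 203.0.113.10",
]


class RouteBlocker:
    def __init__(self, threshold=3, block_seconds=600, protected=(), run=None):
        self.threshold = threshold
        self.block_seconds = block_seconds
        # Never blocked: our own addresses, plus anything private or loopback.
        self.protected = {ipaddress.ip_address(a) for a in protected}
        self.run = run or self._route  # injectable so a dry run adds no routes
        self.hits = {}     # ip -> number of "Invalid user" lines seen
        self.blocked = {}  # ip -> unix time the reject route was added

    @staticmethod
    def _route(action, ip):
        # action is "add" or "del"; this is the command from the original post.
        subprocess.run(["/sbin/route", action, "-host", ip, "reject"], check=True)

    def _is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return addr in self.protected or addr.is_private or addr.is_loopback

    def feed(self, line, now=None):
        """Process one log line; return "blocked", "skipped" or None."""
        m = INVALID_USER_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if self._is_protected(ip):
            return "skipped"
        if ip in self.blocked:
            return None
        self.hits[ip] = self.hits.get(ip, 0) + 1
        if self.hits[ip] < self.threshold:
            return None
        now = time.time() if now is None else now
        self.run("add", ip)
        self.blocked[ip] = now
        del self.hits[ip]
        return "blocked"

    def expire(self, now=None):
        """Drop blocks older than block_seconds; return the addresses released."""
        now = time.time() if now is None else now
        expired = [ip for ip, t in self.blocked.items() if now - t >= self.block_seconds]
        for ip in expired:
            self.run("del", ip)
            del self.blocked[ip]
        return expired


def demo(lines=SAMPLE_LINES):
    """Dry run over the sample: record the route commands instead of executing them."""
    commands = []
    blocker = RouteBlocker(protected=["203.0.113.10"],
                           run=lambda action, ip: commands.append((action, ip)))
    results = [blocker.feed(line, now=0) for line in lines]
    released = blocker.expire(now=600)   # ten minutes later
    return results, commands, released


if __name__ == "__main__":
    # Live use (path is an assumption; Red Hat style systems log to /var/log/secure):
    #   tail -F /var/log/auth.log | python3 blocker.py <your own public addresses...>
    blocker = RouteBlocker(protected=sys.argv[1:])
    for line in sys.stdin:
        blocker.feed(line)
        blocker.expire()
```

Running `demo()` shows the three attempts from 202.202.43.110 producing exactly one `route add` and, after the timeout, one `route del`, while the 192.168.1.20 and 203.0.113.10 lines are skipped rather than routed. The reject route still disappears on reboot, as in the original plan, so the expiry only shortens the window, it does not replace it.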