hosts.allow
client address : %a
client hostname : %n
client username : %u
client info : %c
server address : %A
server hostname : %N
server process : %d
server info : %s
sshパスワード間違えたら一定時間アクセスを禁止する
辞書攻撃の対策として非常に有効です。
hosts.allow
sshd : ALL : spawn ( /usr/local/bin/block_ssh_attack.sh %a 5 ) : allow
/usr/local/bin/block_ssh_attack.sh
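#!/bin/sh
# block_ssh_attack.sh - spawned by tcpd (hosts.allow "spawn") on each sshd
# connection.  Scans the tail of the auth log for a failed login from the
# connecting address and, on a match, puts that address into a pf table
# for a limited time.  A single matching line among the last NUMLOGBACK
# log lines is enough to trigger a block; there is no attempt counter.
#
# arg1 : ip addr ( can be given by tcpd via %a )
# arg2 : suspend time in minutes
#
# Exit status: 0 normally, 1 when the arguments are rejected.

export NUMLOGBACK=30
export LOGFILE=/var/log/auth.log
export WHITELIST="hostb.example.org"   # space-separated hostnames never blocked
export MAILCMD=mail                    # may hold options, hence left unquoted below
export PFTABLE=invader                 # pf table referenced from /etc/pf.conf
export IPADDR=$1
export SUSPENDMIN=$2

# Refuse anything that does not look like an IPv4/IPv6 address: IPADDR is
# interpolated into a regex, a pfctl command and an at(1) job below.
case "$IPADDR" in
  '' | *[!0-9a-fA-F:.]*)
    logger -p authpriv.warning -t SSHBLOCK "rejecting bad address '$IPADDR'"
    exit 1
    ;;
esac
# SUSPENDMIN ends up in the at(1) time spec; only digits are accepted.
case "$SUSPENDMIN" in
  '' | *[!0-9]*)
    logger -p authpriv.warning -t SSHBLOCK "rejecting bad suspend time '$SUSPENDMIN'"
    exit 1
    ;;
esac

#######################################
# Return 0 when IPADDR is one of the addresses the WHITELIST hostnames
# resolve to, 1 otherwise.  Resolution happens on every call.
# Globals:   WHITELIST, IPADDR (read)
# Returns:   0 = whitelisted, 1 = not whitelisted
#######################################
whitelist()
{
  for i in $WHITELIST; do
    # host(1) prints "<name> has address <addr>"; field 4 is the address.
    # -F -x: exact string match, so 10.0.0.1 cannot match 10.0.0.10.
    if host "$i" | awk '{ print $4 }' | grep -F -x -q -- "$IPADDR"; then
      return 0
    fi
  done
  return 1
}

# Escape the dots in the address so the regex below cannot match a
# different address; "( |$)" stops 10.0.0.1 from matching 10.0.0.10.
ip_re=$(printf '%s\n' "$IPADDR" | sed 's/[.]/\\./g')

MATCH=FALSE
if tail -n "$NUMLOGBACK" "$LOGFILE" | \
   grep -E -i -q "sshd.*(Illegal user [-a-zA-Z0-9.]+|Failed password for (root|invalid user [-a-zA-Z0-9.]+)|Did not receive identification string) from ${ip_re}( |\$)"; then
  MATCH=TRUE
fi

# A whitelisted host is never blocked, even after a failed login.
if [ "$MATCH" = TRUE ] && whitelist; then
  logger -p authpriv.info -t SSHBLOCK "not blocking whitelisted ip $IPADDR"
  MATCH=FALSE
fi

if [ "$MATCH" = TRUE ]; then
  pfctl -t "$PFTABLE" -Tadd "$IPADDR"
  # Schedule the removal; at(1) echoes the job info, which is not wanted here.
  printf 'pfctl -t %s -Tdelete %s\n' "$PFTABLE" "$IPADDR" | at "now+${SUSPENDMIN}min" > /dev/null
  logger -p authpriv.info -t SSHBLOCK "blocking ip $IPADDR for $SUSPENDMIN minutes"
  # shellcheck disable=SC2086 -- MAILCMD may carry options
  printf 'blocking ssh from ip %s %s min\n' "$(host "$IPADDR")" "$SUSPENDMIN" | $MAILCMD -s "sshd-block-$IPADDR" root
fi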
/etc/pf.conf
table <invader> persist
block in proto tcp from <invader> to any port 22
非常に参考にしたサイト
question:1122858074
http://search.luky.org/linux-users.a/msg04927.html