HackFest Series: Swatch and SSH

Lisa Kachold lisakachold at obnosis.com
Sun May 3 09:24:29 MST 2009 

Are you running into problems with IPTABLES SSH brute force protections
dropping your shell scripted jobs and locking you out rather than blocking
ssh?

Here's a suite solution using swatch (also includes a fine IP exclusion and
bad guy list to have swatch still work with IPTABLES at the bottom).

Full article:
http://greyduck.net/greywiki/Swatch_and_SSH

Of course you need to get swatch:

# yum install swatch
# apt-get install swatch

This new method doesn't use 'iptables' but rather a script that creates a
timed null-route. It's... interesting. We'll see how it pans out.

   - Credit where it's due: The bulk of this setup originated here:
   http://home.gagme.com/greg/linux/protect-ssh.php

/etc/swatch.conf:

watchfor   /Failed password for/
     exec "/usr/local/sbin/bad_user $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11
$12 $13 $14 $15"

/etc/init.d/swatchrc:

#!/bin/sh
#
# swatchrc      This shell script takes care of starting and stopping
#               swatch.
#
# chkconfig: 2345 81 31
# description: Swatch is a System WATCHdog program that we are
#              using here to block repeated failed ssh logins.
# processname: swatch

RETVAL=0
test -x /usr/bin/swatch || exit 0
start(){
  echo "Starting swatch"
    # Spawn a new swatch program
      /usr/bin/swatch --config-file=/etc/swatch.conf
--tail-file=/var/log/secure --pid-file=/var/run/swatch.pid
--awk-field-syntax --tail-args '--follow=name -n 0' &
      echo $PID
return $RETVAL
}
stop () {
    # stop daemon
  echo "Stopping swatch:" $PROG
  kill -9 `cat /var/run/swatch.pid`
  rm -f /var/run/swatch.pid
  killall tail
  return $RETVAL
}
restart () {
  stop
  start
  RETVAL=$?
  return $RETVAL
}

case "$1" in
  start)
      start
      ;;
  stop)
      stop
       ;;
  restart)
      restart
      ;;
  *)
      echo "Usage: $0 {start|stop|restart}"
      RETVAL=1
esac
exit $RETVAL

/usr/local/sbin/bad_user:

#! /bin/bash
#
IP=`echo $* | sed 's/^.* from //' | awk '{print $1}' | sed 's/::ffff://'`
ATTEMPTS=`grep $IP /var/log/secure | grep "Failed password for"  | wc -l`

if [ $ATTEMPTS -gt 2 ]
then
       route add $IP lo
       MINUTES=`expr $ATTEMPTS - 2`
       echo "route del $IP lo 2> /dev/null" | at now +$MINUTES minutes
2>&1 > /tmp/.bad_user.$$
       (hostname ; echo $* ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \
               echo "Blocking for $MINUTES minutes" ; \
               cat /tmp/.bad_user.$$ ) | Mail -s "bad user" root
fi

rm -f /tmp/.bad_user.$$

That's the gist of it, oddly enough. A "chkconfig --add swatchrc" doesn't
hurt either.

Some notes:

   - We 'killall tail' in the 'swatchrc' file because swatch is too stupid
   to take care of that itself.
   - Some IP address protection in '/etc/swatch.conf' isn't a bad idea.
   (Consider this a TODO note.)
   - If 'tail' obeys its '--follow=name' parameter correctly then issuing
   'swatchrc restart' shouldn't be necessary on log rotation. Time will tell.
   - This configuration is a new implementation as of mid-June 2006. YMMV
   and so forth.

 Older Setup Info

This older implementation was used on Debian-based rigs at the old office,
and relied on using 'iptables' calls to permanently block offending
addresses. Configuration details below are being kept partly for historic
value and partly to provide hints on ways to improve the current running
configuration.

Before setting up Swatch-based SSH login protection, we want to do a couple
of things to iptables.

iptables -N swatch_rejects
iptables -I INPUT 5 -j swatch_rejects
/etc/init.d/iptables save active

We also need to turn off IPv6 on Fedora Core rigs, otherwise Swatch may have
a bitch of a time parsing those log entries with all the "::ffff:" crap. (Do
I need IPv6 on my server? No? Righto then.)

echo "alias net-pf-10 off" >> /etc/modprobe.conf

A reboot is required. Dammit.

Here are the configs for using Swatch on a Debian-based rig.

One, the /etc/swatch.conf file:

 # Global swatch filter file

# To ignore a IP-range - this is your lifeline :)
ignore /10\.21\./

#Invalid SSH Login Attempts
watchfor /: [iI]nvalid [uU]ser/
# uncomment this to let them fail 3 times
#threshold 3:3600
mail addresses=user\@domain.com,subject="SSH:\ Invalid\ User\
Access-IPTables\ Rule\ Added"
exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP"
exec "echo $10 >> /opt/badlist.txt"

And then, the /etc/init.d/swatchrc file:

 #!/bin/sh
#kill any previously running swatch pid - there should be a check in here
kill -9 `cat /var/run/swatch.pid`
#delete existing pid file
rm -f /var/run/swatch.pid
#run swatch - watch the wrap
/usr/bin/swatch --tail-file=/var/log/auth.log
--config-file=/etc/swatch.conf --awk-field-syntax
--pid-file=/var/run/swatch.pid --tail-args='--follow=name -n 0'
--daemon

To check on how well we're doing:

iptables -L swatch_rejects



-- 
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20090503/849429b2/attachment.htm

More information about the PLUG-discuss mailing list