This new method doesn't use 'iptables' but rather a script that creates a timed null-route. It's... interesting. We'll see how it pans out.
/etc/swatch.conf:
watchfor /Failed password for/
exec "/usr/local/sbin/bad_user $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15"
/etc/init.d/swatchrc:
#!/bin/sh
#
# swatchrc This shell script takes care of starting and stopping
# swatch.
#
# chkconfig: 2345 81 31
# description: Swatch is a System WATCHdog program that we are
# using here to block repeated failed ssh logins.
# processname: swatch
RETVAL=0
test -x /usr/bin/swatch || exit 0
start(){
echo "Starting swatch"
# Spawn a new swatch program
/usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/secure --pid-file=/var/run/swatch.pid --awk-field-syntax --tail-args '--follow=name -n 0' &
echo $PID
return $RETVAL
}
stop () {
# stop daemon
echo "Stopping swatch:" $PROG
kill -9 `cat /var/run/swatch.pid`
rm -f /var/run/swatch.pid
killall tail
return $RETVAL
}
restart () {
stop
start
RETVAL=$?
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
RETVAL=1
esac
exit $RETVAL
/usr/local/sbin/bad_user:
#! /bin/bash
#
IP=`echo $* | sed 's/^.* from //' | awk '{print $1}' | sed 's/::ffff://'`
ATTEMPTS=`grep $IP /var/log/secure | grep "Failed password for" | wc -l`
if [ $ATTEMPTS -gt 2 ]
then
route add $IP lo
MINUTES=`expr $ATTEMPTS - 2`
echo "route del $IP lo 2> /dev/null" | at now +$MINUTES minutes 2>&1 > /tmp/.bad_user.$$
(hostname ; echo $* ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \
echo "Blocking for $MINUTES minutes" ; \
cat /tmp/.bad_user.$$ ) | Mail -s "bad user" root
fi
rm -f /tmp/.bad_user.$$
That's the gist of it, oddly enough. A "chkconfig --add swatchrc" doesn't hurt either.
Some notes:
This older implementation was used on Debian-based rigs at the old office, and relied on using 'iptables' calls to permanently block offending addresses. Configuration details below are being kept partly for historic value and partly to provide hints on ways to improve the current running configuration.
Before setting up Swatch-based SSH login protection, we want to do a couple of things to iptables.
iptables -N swatch_rejects
iptables -I INPUT 5 -j swatch_rejects
/etc/init.d/iptables save active
We also need to turn off IPv6 on Fedora Core rigs, otherwise Swatch may have a bitch of a time parsing those log entries with all the "::ffff:" crap. (Do I need IPv6 on my server? No? Righto then.)
echo "alias net-pf-10 off" >> /etc/modprobe.conf
A reboot is required. Dammit.
Here are the configs for using Swatch on a Debian-based rig.
One, the /etc/swatch.conf file:
# Global swatch filter file
# To ignore a IP-range - this is your lifeline :)
ignore /10\.21\./
#Invalid SSH Login Attempts
watchfor /: [iI]nvalid [uU]ser/
# uncomment this to let them fail 3 times
#threshold 3:3600
mail addresses=user\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added"
exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP"
exec "echo $10 >> /opt/badlist.txt"
And then, the /etc/init.d/swatchrc file:
#!/bin/sh
#kill any previously running swatch pid - there should be a check in here
kill -9 `cat /var/run/swatch.pid`
#delete existing pid file
rm -f /var/run/swatch.pid
#run swatch - watch the wrap
/usr/bin/swatch --tail-file=/var/log/auth.log --config-file=/etc/swatch.conf --awk-field-syntax --pid-file=/var/run/swatch.pid --tail-args='--follow=name -n 0' --daemon
To check on how well we're doing:
iptables -L swatch_rejects