HackFest Series: Swatch and SSH
Lisa Kachold
lisakachold at obnosis.com
Sun May 3 09:24:29 MST 2009
Are you running into problems with IPTABLES SSH brute force protections
dropping your shell scripted jobs and locking you out rather than blocking
ssh?
Here's a suite solution using swatch (also includes a fine IP exclusion and
bad guy list to have swatch still work with IPTABLES at the bottom).
Full article:
http://greyduck.net/greywiki/Swatch_and_SSH
Of course you need to get swatch:
# yum install swatch
# apt-get install swatch
This new method doesn't use 'iptables' but rather a script that creates a
timed null-route. It's... interesting. We'll see how it pans out.
- Credit where it's due: The bulk of this setup originated here:
http://home.gagme.com/greg/linux/protect-ssh.php
/etc/swatch.conf:
watchfor /Failed password for/
exec "/usr/local/sbin/bad_user $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11
$12 $13 $14 $15"
/etc/init.d/swatchrc:
#!/bin/sh
#
# swatchrc This shell script takes care of starting and stopping
# swatch.
#
# chkconfig: 2345 81 31
# description: Swatch is a System WATCHdog program that we are
# using here to block repeated failed ssh logins.
# processname: swatch
RETVAL=0
test -x /usr/bin/swatch || exit 0
start(){
echo "Starting swatch"
# Spawn a new swatch program
/usr/bin/swatch --config-file=/etc/swatch.conf
--tail-file=/var/log/secure --pid-file=/var/run/swatch.pid
--awk-field-syntax --tail-args '--follow=name -n 0' &
echo $PID
return $RETVAL
}
stop () {
# stop daemon
echo "Stopping swatch:" $PROG
kill -9 `cat /var/run/swatch.pid`
rm -f /var/run/swatch.pid
killall tail
return $RETVAL
}
restart () {
stop
start
RETVAL=$?
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
RETVAL=1
esac
exit $RETVAL
/usr/local/sbin/bad_user:
#! /bin/bash
#
IP=`echo $* | sed 's/^.* from //' | awk '{print $1}' | sed 's/::ffff://'`
ATTEMPTS=`grep $IP /var/log/secure | grep "Failed password for" | wc -l`
if [ $ATTEMPTS -gt 2 ]
then
route add $IP lo
MINUTES=`expr $ATTEMPTS - 2`
echo "route del $IP lo 2> /dev/null" | at now +$MINUTES minutes
2>&1 > /tmp/.bad_user.$$
(hostname ; echo $* ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \
echo "Blocking for $MINUTES minutes" ; \
cat /tmp/.bad_user.$$ ) | Mail -s "bad user" root
fi
rm -f /tmp/.bad_user.$$
That's the gist of it, oddly enough. A "chkconfig --add swatchrc" doesn't
hurt either.
Some notes:
- We 'killall tail' in the 'swatchrc' file because swatch is too stupid
to take care of that itself.
- Some IP address protection in '/etc/swatch.conf' isn't a bad idea.
(Consider this a TODO note.)
- If 'tail' obeys its '--follow=name' parameter correctly then issuing
'swatchrc restart' shouldn't be necessary on log rotation. Time will tell.
- This configuration is a new implementation as of mid-June 2006. YMMV
and so forth.
Older Setup Info
This older implementation was used on Debian-based rigs at the old office,
and relied on using 'iptables' calls to permanently block offending
addresses. Configuration details below are being kept partly for historic
value and partly to provide hints on ways to improve the current running
configuration.
Before setting up Swatch-based SSH login protection, we want to do a couple
of things to iptables.
iptables -N swatch_rejects
iptables -I INPUT 5 -j swatch_rejects
/etc/init.d/iptables save active
We also need to turn off IPv6 on Fedora Core rigs, otherwise Swatch may have
a bitch of a time parsing those log entries with all the "::ffff:" crap. (Do
I need IPv6 on my server? No? Righto then.)
echo "alias net-pf-10 off" >> /etc/modprobe.conf
A reboot is required. Dammit.
Here are the configs for using Swatch on a Debian-based rig.
One, the /etc/swatch.conf file:
# Global swatch filter file
# To ignore a IP-range - this is your lifeline :)
ignore /10\.21\./
#Invalid SSH Login Attempts
watchfor /: [iI]nvalid [uU]ser/
# uncomment this to let them fail 3 times
#threshold 3:3600
mail addresses=user\@domain.com,subject="SSH:\ Invalid\ User\
Access-IPTables\ Rule\ Added"
exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP"
exec "echo $10 >> /opt/badlist.txt"
And then, the /etc/init.d/swatchrc file:
#!/bin/sh
#kill any previously running swatch pid - there should be a check in here
kill -9 `cat /var/run/swatch.pid`
#delete existing pid file
rm -f /var/run/swatch.pid
#run swatch - watch the wrap
/usr/bin/swatch --tail-file=/var/log/auth.log
--config-file=/etc/swatch.conf --awk-field-syntax
--pid-file=/var/run/swatch.pid --tail-args='--follow=name -n 0'
--daemon
To check on how well we're doing:
iptables -L swatch_rejects
--
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20090503/849429b2/attachment.htm
More information about the PLUG-discuss
mailing list