Ubuntu Forums ubuntu.com - launchpad.net - ubuntu help  

Go Back   Ubuntu Forums > The Ubuntu Forum Community > Other Community Discussions > Tutorials & Tips
Reload this Page HOWTO: Automatically block SSHD/PROFTPD Attacker
Register Reset Password Forum Help Forum Council Search Today's Posts Mark Forums Read

Ubuntu 9.10 is out!!!

When downloading Ubuntu 9.10 please consider using bittorrent to get your copy of Ubuntu.

The Ubuntu Developers Summit for Lucid Lynx will be held the week of 16-Nov-2009 till 20-Nov-2009 in Dallas, TX USA. Visit the the Ubuntu wiki for more information about UDS and how to participate remotely.

Tutorials & Tips
The place to find Ubuntu related Tips & Tricks.

 
Thread Tools Display Modes
Old November 7th, 2005   #1
pinoyskull
Dipped in Ubuntu
 
pinoyskull's Avatar
 
Join Date: Sep 2005
Location: cloud
Beans: 567
Send a message via ICQ to pinoyskull Send a message via AIM to pinoyskull Send a message via MSN to pinoyskull Send a message via Yahoo to pinoyskull
HOWTO: Automatically block SSHD/PROFTPD Attacker
Have you checked your auth.log?

Does it contain entries similar to these?
Code:
Nov  4 18:40:28 localhost sshd[12424]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:28 localhost sshd[12424]: error: Could not get shadow information for NOUSER
Nov  4 18:40:28 localhost sshd[12424]: Failed password for invalid user root from 85.214.16.171 port 45975 ssh2
Nov  4 18:40:30 localhost sshd[12429]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:30 localhost sshd[12429]: error: Could not get shadow information for NOUSER
Nov  4 18:40:30 localhost sshd[12429]: Failed password for invalid user root from 85.214.16.171 port 46204 ssh2
Nov  4 18:40:33 localhost sshd[12431]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:33 localhost sshd[12431]: error: Could not get shadow information for NOUSER
Nov  4 18:40:33 localhost sshd[12431]: Failed password for invalid user root from 85.214.16.171 port 46404 ssh2
Nov  4 18:40:36 localhost sshd[12434]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:36 localhost sshd[12434]: error: Could not get shadow information for NOUSER
Nov  4 18:40:36 localhost sshd[12434]: Failed password for invalid user root from 85.214.16.171 port 46607 ssh2
Nov  4 18:40:39 localhost sshd[12436]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:39 localhost sshd[12436]: error: Could not get shadow information for NOUSER
Nov  4 18:40:39 localhost sshd[12436]: Failed password for invalid user root from 85.214.16.171 port 46794 ssh2
Nov  4 18:40:41 localhost sshd[12441]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:41 localhost sshd[12441]: error: Could not get shadow information for NOUSER
Nov  4 18:40:41 localhost sshd[12441]: Failed password for invalid user root from 85.214.16.171 port 47006 ssh2
Nov  4 18:40:44 localhost sshd[12443]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:44 localhost sshd[12443]: error: Could not get shadow information for NOUSER
Nov  4 18:40:44 localhost sshd[12443]: Failed password for invalid user root from 85.214.16.171 port 47194 ssh2
Nov  4 18:40:47 localhost sshd[12446]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:47 localhost sshd[12446]: error: Could not get shadow information for NOUSER
Nov  4 18:40:47 localhost sshd[12446]: Failed password for invalid user root from 85.214.16.171 port 47402 ssh2
Nov  4 18:40:50 localhost sshd[12451]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:50 localhost sshd[12451]: error: Could not get shadow information for NOUSER
You can automatically block these attackers using BLOCKHOSTS (http://freshmeat.net/redir/blockhost...age/blockhosts)

INSTALLATION

1.) Install Dependencies
Code:
apt-get install python-egenix-mxtools python2.4-dev
2.) Download Blockhosts source
Code:
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-1.0.3.tar.gz
3.) Extract it to a temporary directory
Code:
tar xzvf BlockHosts-1.0.3.tar.gz
4.) Install it
Code:
cd BlockHosts-1.0.3
python setup.py install --force
CONFIGURATION

1.) Edit /etc/blockhosts.cfg, search for
Code:
#"LOGFILES": ( "/var/log/auth.og", ),
and uncomment it
Code:
"LOGFILES": ( "/var/log/auth.log", ),
2.) Edit /etc/hosts.allow, it should contain entries similar to these
Code:
sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow

# permanent whitelist addresses - these should always be allowed access

# permanent blacklist addresses - these should always be denied access

ALL: 10.  : deny
ALL: 192. : deny
ALL: 172. : deny

# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions
#---- BlockHosts Additions
3.) DONE

Note: blockhosts.py will automatically executed everytime sshd/proftpd service is called
__________________
I want to be a Puppet Master
pinoyskull is offline   Reply With Quote

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -4. The time now is 09:29 PM.

Ubuntu Forums - Archive - Top

vBulletin ©2000 - 2009, Jelsoft Enterprises Ltd. Ubuntu Logo, Ubuntu and Canonical © Canonical Ltd. Tango Icons © Tango Desktop Project. lingonberry