Old November 7th, 2005   #1
pinoyskull
HOWTO: Automatically block SSHD/PROFTPD Attacker

Have you checked your auth.log?

Does it contain entries similar to these?
Code:
Nov  4 18:40:28 localhost sshd[12424]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:28 localhost sshd[12424]: error: Could not get shadow information for NOUSER
Nov  4 18:40:28 localhost sshd[12424]: Failed password for invalid user root from 85.214.16.171 port 45975 ssh2
Nov  4 18:40:30 localhost sshd[12429]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:30 localhost sshd[12429]: error: Could not get shadow information for NOUSER
Nov  4 18:40:30 localhost sshd[12429]: Failed password for invalid user root from 85.214.16.171 port 46204 ssh2
Nov  4 18:40:33 localhost sshd[12431]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:33 localhost sshd[12431]: error: Could not get shadow information for NOUSER
Nov  4 18:40:33 localhost sshd[12431]: Failed password for invalid user root from 85.214.16.171 port 46404 ssh2
Nov  4 18:40:36 localhost sshd[12434]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:36 localhost sshd[12434]: error: Could not get shadow information for NOUSER
Nov  4 18:40:36 localhost sshd[12434]: Failed password for invalid user root from 85.214.16.171 port 46607 ssh2
Nov  4 18:40:39 localhost sshd[12436]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:39 localhost sshd[12436]: error: Could not get shadow information for NOUSER
Nov  4 18:40:39 localhost sshd[12436]: Failed password for invalid user root from 85.214.16.171 port 46794 ssh2
Nov  4 18:40:41 localhost sshd[12441]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:41 localhost sshd[12441]: error: Could not get shadow information for NOUSER
Nov  4 18:40:41 localhost sshd[12441]: Failed password for invalid user root from 85.214.16.171 port 47006 ssh2
Nov  4 18:40:44 localhost sshd[12443]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:44 localhost sshd[12443]: error: Could not get shadow information for NOUSER
Nov  4 18:40:44 localhost sshd[12443]: Failed password for invalid user root from 85.214.16.171 port 47194 ssh2
Nov  4 18:40:47 localhost sshd[12446]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:47 localhost sshd[12446]: error: Could not get shadow information for NOUSER
Nov  4 18:40:47 localhost sshd[12446]: Failed password for invalid user root from 85.214.16.171 port 47402 ssh2
Nov  4 18:40:50 localhost sshd[12451]: User root from cassyopaya.de not allowed because not listed in AllowUsers
Nov  4 18:40:50 localhost sshd[12451]: error: Could not get shadow information for NOUSER

You can automatically block these attackers using BLOCKHOSTS (http://freshmeat.net/redir/blockhost...age/blockhosts)

INSTALLATION

1.) Install Dependencies
Code:
apt-get install python-egenix-mxtools python2.4-dev
2.) Download Blockhosts source
Code:
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-1.0.3.tar.gz
3.) Extract it to a temporary directory
Code:
tar xzvf BlockHosts-1.0.3.tar.gz
4.) Install it
Code:
cd BlockHosts-1.0.3
python setup.py install --force
CONFIGURATION

1.) Edit /etc/blockhosts.cfg, search for
Code:
#"LOGFILES": ( "/var/log/auth.log", ),
and uncomment it
Code:
"LOGFILES": ( "/var/log/auth.log", ),
2.) Edit /etc/hosts.allow, it should contain entries similar to these
Code:
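# permanent whitelist addresses - these should always be allowed access

# permanent blacklist addresses - these should always be denied access
# (client patterns ending in "." are prefix matches: "192." covers every
# address starting with 192, and "172." every address starting with 172)

ALL: 10.  : deny
ALL: 192. : deny
ALL: 172. : deny

# ----------------------------------------
# next section is the blockhosts section - it will add/delete entries in
# between the two marker lines (#---- BlockHosts Additions)

#---- BlockHosts Additions
#---- BlockHosts Additions

# hosts.allow is read top to bottom and the first matching rule wins, so
# this catch-all spawn/allow rule must come after the deny rules above
sshd, proftpd, in.proftpd: ALL: spawn (/usr/bin/blockhosts.py --verbose --echo "%c-%s" >> /var/log/blockhosts.log 2>&1 )& : allow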
3.) DONE

Note: blockhosts.py will be automatically executed every time the sshd/proftpd service is called
__________________
I want to be a Puppet Master
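
Added example, not part of the original post and not BlockHosts' own code: a minimal Python sketch of the mechanism the HOWTO relies on, counting failed sshd logins per source address in auth.log lines and rewriting the rules between the two marker lines in hosts.allow. The function names, the threshold of 3 and the `ALL: <ip> : deny` rule shape (modelled on the blacklist lines in step 2) are assumptions made for illustration.

```python
import re
from collections import Counter

MARKER = "#---- BlockHosts Additions"
# Anchored at end of line so the address is the final field sshd wrote,
# whatever text appears in the user name before it.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from "
                    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$")

# Lines up to 18:40:33 are from the excerpt above; the last is constructed.
SAMPLE_LOG = """\
Nov  4 18:40:28 localhost sshd[12424]: Failed password for invalid user root from 85.214.16.171 port 45975 ssh2
Nov  4 18:40:30 localhost sshd[12429]: Failed password for invalid user root from 85.214.16.171 port 46204 ssh2
Nov  4 18:40:33 localhost sshd[12431]: Failed password for invalid user root from 85.214.16.171 port 46404 ssh2
Nov  4 18:40:33 localhost sshd[12431]: error: Could not get shadow information for NOUSER
Nov  4 18:41:02 localhost sshd[12500]: Failed password for alice from 192.0.2.10 port 51000 ssh2
""".splitlines()

# Constructed hosts.allow fragment using the marker lines from step 2.
SAMPLE_HOSTS_ALLOW = MARKER + "\nALL: 198.51.100.7 : deny\n" + MARKER + "\n"

def count_failures(log_lines):
    """Failed sshd password attempts per source address."""
    hits = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def offenders(hits, threshold, whitelist=()):
    """Addresses at or over the threshold, minus always-allowed ones."""
    return sorted(ip for ip, n in hits.items()
                  if n >= threshold and ip not in whitelist)

def rewrite_block(hosts_allow, deny_ips):
    """Replace everything between the two marker lines with deny rules."""
    lines = hosts_allow.splitlines()
    marks = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(marks) != 2:
        raise ValueError("expected exactly two marker lines")
    rules = ["ALL: %s : deny" % ip for ip in deny_ips]
    return "\n".join(lines[:marks[0] + 1] + rules + lines[marks[1]:]) + "\n"

if __name__ == "__main__":
    bad = offenders(count_failures(SAMPLE_LOG), threshold=3)
    print(rewrite_block(SAMPLE_HOSTS_ALLOW, bad))
```

Because the whole marker block is regenerated on each run, an address that no longer meets the threshold (here the constructed 198.51.100.7) drops out, and a whitelisted address is never written as a deny rule.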