dropbear-offenders (bans ip that try and access ssh without proper credentials)


swetoast

Guest
PREAMBLE: make sure you set your ban lists; if you didn't, then don't blame me if you get banned. Start it either via services_start or the init.d file that's provided on my GitLab.

INTRODUCTION: So what it does is scan the syslog for bad password attempts; if one is found, it checks the whitelist for IPs that are allowed to bash the SSH with bad passwords (thinking of setting a value on this in the future).

The whitelist is dead simple: add your IPs, one per row

Code:
192.168.1.2
192.168.1.3

and the whitelist will remove these entries; if the IP is not found in the whitelist, then it moves to ban it from the service, not from the network, but the service only. And with that said, play and have fun, and if you think of an improvement then please tell me here :)

https://gitlab.com/swe_toast/dropbear-offenders/tree/master
 
Hi! Could I change the port to a non-standard one, or maybe use it to protect the OpenVPN port? Thanks
 
@swetoast, why do you parse all of syslog twice per minute? Not sure it's optimal; you may use something like this to catch new messages only:
Code:
tail -F /tmp/syslog.log | \
   while read -r line ; do
       # act on each new syslog line as soon as it is appended
       echo "do something with $line"
   done
Also, it will be an event-driven solution instead of a timeout-driven one.
 

Can your script support CIDR blocks...

For example

Code:
95.215.60.0/22
95.163.64.0/18
95.163.128.0/17
95.141.47.0/24
92.222.35.0/24
91.224.160.0/23
90.176.195.0/24
89.21.208.0/20
89.163.128.0/19
85.93.5.0/24
85.167.0.0/16

BTW - these are some China blocks that I have in place...
 
So @sfx2000, I looked into it and it's fairly simple: I could set a user blacklist where they define CIDR blocks that automatically blocks the ranges, and then it keeps on scanning the syslog for the singles to ban. Does that sound like a valid plan?
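As an added illustration of the flow described in this thread (scan syslog for dropbear "Bad password attempt" lines, skip whitelisted IPs or CIDR blocks, ban the rest from the service only), here is a small POSIX sh sketch. It is not the dropbear-offenders code from the GitLab repo; the log lines and whitelist entries are constructed samples, and the ban step only prints the iptables command it would run.

```shell
#!/bin/sh
# Added example (not the project's script): find failed dropbear logins in syslog text,
# drop IPs covered by a whitelist of plain IPs or CIDR blocks, emit the rest as ban candidates.
# Only sh builtins plus sed/sort are used so it also fits a busybox router shell.

ip_to_int() {
    # Dotted quad -> 32-bit integer via shell arithmetic.
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
    # in_cidr IP ENTRY: succeeds if IP lies in ENTRY (a bare IP is treated as /32).
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

offenders() {
    # offenders LOGTEXT WHITELIST: print each source IP with a bad-password attempt
    # that no whitelist entry covers, once per IP, in sorted order.
    printf '%s\n' "$1" |
      sed -n 's/.*Bad password attempt.* from \([0-9.]*\):[0-9]*.*/\1/p' | sort -u |
      while read -r ip; do
          allowed=0
          for entry in $2; do
              in_cidr "$ip" "$entry" && { allowed=1; break; }
          done
          if [ "$allowed" -eq 0 ]; then echo "$ip"; fi
      done
}

# Constructed sample syslog lines in dropbear's log format (not a real capture).
SAMPLE_LOG="Jan  1 00:00:01 router dropbear[1234]: Bad password attempt for 'admin' from 203.0.113.5:51234
Jan  1 00:00:02 router dropbear[1235]: Bad password attempt for 'root' from 192.168.1.2:40001
Jan  1 00:00:03 router dropbear[1236]: Password auth succeeded for 'admin' from 192.168.1.3:40002
Jan  1 00:00:04 router dropbear[1237]: Bad password attempt for 'admin' from 198.51.100.77:40003
Jan  1 00:00:05 router dropbear[1238]: Bad password attempt for 'admin' from 203.0.113.5:51235"
# Whitelist entries: a LAN host plus a CIDR block, mirroring the one-per-line file.
WHITELIST="192.168.1.2 198.51.100.0/24"

# Ban the service only (TCP/22, dropbear's default port), not the whole host;
# printed instead of executed so the sketch is safe to run anywhere.
for ip in $(offenders "$SAMPLE_LOG" "$WHITELIST"); do
    echo "iptables -I INPUT -p tcp --dport 22 -s $ip -j DROP"
done
```

With the sample data only 203.0.113.5 is reported; 192.168.1.2 matches the plain entry and 198.51.100.77 falls inside the /24.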
 
And last but not least, Slack; figure I might do Discord too while I'm at it, just because I can :)
 
Hey,
As far as I understand, whitelisting is necessary for client IPs, right? So if I'm using DHCP, I'd have to whitelist the whole DHCP range. Did I understand that correctly? Thank you.
 

If the CIDR blocks kick in early enough, this should be really good, as one wouldn't see a member of that block in the syslog, as iptables should reject it (even though one might see it in syslog, if the regex doesn't look there...)
 
Quick tip, by the way - this is something I cut/pasted from a few years back - but it's similar to UFW's connection limit command...

Code:
# custom chain that logs a packet and then drops it
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
# record every new connection to port 22 in the "recent" list
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# inserted last, so evaluated first: 4 or more new connections from one source within 60 seconds go to LOGDROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 4 -j LOGDROP

This assumes that the SSH server is running on port 22, and we look at the number of attempts coming in, and then start dropping aggressive connection attempts on that port. Once that threshold is hit, we drop the connections and insert an entry into the log - depending on distro, it could be auth.log or syslog, or some other log...
 
If you put "enabled" instead of use_whitelist_lan="disabled", then it safeguards your LAN, so if you're running DHCP it's all good :)
 
That feature for SSH is actually built into Asuswrt-Merlin, BTW.
 