Feb 5, 2010 16
Antisipasi SSH Brute Force Attack
Sebenarnya saya sudah malas menulis tutorial dan sejenisnya, tapi karena belakangan ini ada report dari temen temen masalah sering muncul log failed login ke ssh, yang kebanyakan dari IP luar. Ya, ini pasti brute force attack.
Setelah googling kesana kesini, akhrinya dapat cara sederhana untuk mengantisipasi serangan brute force SSH
#!/bin/bash
#This script will monitor for failed login attempts and after a specified number of times add the ip to a deny list
#Chad
LOGFILE=”/var/log/secure”
HOSTSDENY=”/etc/hosts.deny”
BADCOUNT=”5″
# read logfile and look for invalid login attemps
grep sshd $LOGFILE |grep “Invalid user”| awk ‘{print $NF}’|sort|uniq -c|sort -n|sed “s/[[:space:]]*//” | while
read i
do
# read number of failed attempts
count=`echo $i | cut -d” ” -f1`
# read ip address from failed attempt
ip=`echo $i | cut -d” ” -f2`
#check hostdeny file to see if IP already exist
already=`grep $ip $HOSTSDENY | grep sshd`
#if IP does not exist add it to hostdeny file
if [ -z "$already" ]
then
if [ "$count" -ge "$BADCOUNT" ]
then
echo “sshd: “$ip >> $HOSTSDENY
fi
fi
done