Swatch and SSH
From GreyWiki
Contents |
Initial Note
This entry is NOT superceded by the Iptables and SSH entry, which turned out to be a sure-fire method for borking the server so nobody could login or ping it or anything. Argh.
Implementations
Current Duckpond Setup
This new method doesn't use 'iptables' but rather a script that creates a timed null-route. It's... interesting. We'll see how it pans out.
- Credit where it's due: The bulk of this setup (that I've modified to fit my needs) originated here: http://home.gagme.com/greg/linux/protect-ssh.php
/etc/swatch.conf:
watchfor /Failed password for/
exec "/usr/local/sbin/bad_user $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15"
/etc/init.d/swatchrc:
#!/bin/sh
#
# swatchrc This shell script takes care of starting and stopping
# swatch.
#
# chkconfig: 2345 81 31
# description: Swatch is a System WATCHdog program that we are
# using here to block repeated failed ssh logins.
# processname: swatch
RETVAL=0
test -x /usr/bin/swatch || exit 0
start(){
echo "Starting swatch"
# Spawn a new swatch program
/usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/secure --pid-file=/var/run/swatch.pid --awk-field-syntax --tail-args '--follow=name -n 0' &
echo $PID
return $RETVAL
}
stop () {
# stop daemon
echo "Stopping swatch:" $PROG
kill -9 `cat /var/run/swatch.pid`
rm -f /var/run/swatch.pid
killall tail
return $RETVAL
}
restart () {
stop
start
RETVAL=$?
return $RETVAL
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
*)
echo "Usage: $0 {start|stop|restart}"
RETVAL=1
esac
exit $RETVAL
/usr/local/sbin/bad_user:
#! /bin/bash
#
IP=`echo $* | sed 's/^.* from //' | awk '{print $1}' | sed 's/::ffff://'`
ATTEMPTS=`grep $IP /var/log/secure | grep "Failed password for" | wc -l`
if [ $ATTEMPTS -gt 2 ]
then
route add $IP lo
MINUTES=`expr $ATTEMPTS - 2`
echo "route del $IP lo 2> /dev/null" | at now +$MINUTES minutes 2>&1 > /tmp/.bad_user.$$
(hostname ; echo $* ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \
echo "Blocking for $MINUTES minutes" ; \
cat /tmp/.bad_user.$$ ) | Mail -s "bad user" root
fi
rm -f /tmp/.bad_user.$$
That's the gist of it, oddly enough. A "chkconfig --add swatchrc" doesn't hurt either.
Some notes:
- We 'killall tail' in the 'swatchrc' file because swatch is too stupid to take care of that itself.
- Some IP address protection in '/etc/swatch.conf' isn't a bad idea. (Consider this a TODO note.)
- If 'tail' obeys its '--follow=name' parameter correctly then issuing 'swatchrc restart' shouldn't be necessary on log rotation. Time will tell.
- This configuration is a new implementation as of mid-June 2006. YMMV and so forth.
Older Setup Info
This older implementation was used on Debian-based rigs at the old office, and relied on using 'iptables' calls to permanently block offending addresses. Configuration details below are being kept partly for historic value and partly to provide hints on ways to improve the current running configuration.
Before setting up Swatch-based SSH login protection, we want to do a couple of things to iptables.
iptables -N swatch_rejects iptables -I INPUT 5 -j swatch_rejects /etc/init.d/iptables save active
We also need to turn off IPv6 on Fedora Core rigs, otherwise Swatch may have a bitch of a time parsing those log entries with all the "::ffff:" crap. (Do I need IPv6 on my server? No? Righto then.)
echo "alias net-pf-10 off" >> /etc/modprobe.conf
A reboot is required. Dammit.
Here are the configs for using Swatch on a Debian-based rig.
One, the /etc/swatch.conf file:
# Global swatch filter file # To ignore a IP-range - this is your lifeline :) ignore /10\.21\./ #Invalid SSH Login Attempts watchfor /: [iI]nvalid [uU]ser/ # uncomment this to let them fail 3 times #threshold 3:3600 mail addresses=user\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added" exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP" exec "echo $10 >> /opt/badlist.txt"
And then, the /etc/init.d/swatchrc file:
#!/bin/sh #kill any previously running swatch pid - there should be a check in here kill -9 `cat /var/run/swatch.pid` #delete existing pid file rm -f /var/run/swatch.pid #run swatch - watch the wrap /usr/bin/swatch --tail-file=/var/log/auth.log --config-file=/etc/swatch.conf --awk-field-syntax --pid-file=/var/run/swatch.pid --tail-args='--follow=name -n 0' --daemon
To check on how well we're doing:
iptables -L swatch_rejects
