2009/11/28

SSHBlock - Blocking ssh brute-force attacks

Just as owning a mobile phone means you will receive scam calls, as soon as a server is connected to the network someone will start trying passwords against it.
SSHBlock monitors the ssh log file and adds the offending source IPs to the TCP Wrappers configuration file in order to block them.

SSHBlock's ports path is security/sshblock/ ; its package description reads as follows:

SSHBlock is a daemon to monitor a syslog log for break-in attempts using
SSH, and to automatically block bad hosts by adding lines to /etc/hosts.allow
(TCP Wrappers). Several thresholds are pre-defined, to be able to block those
trying many attempts within a longer or shorter period.

WWW: http://www.bsdconsulting.no/tools/


After installing with make install clean, the following post-install instructions are displayed:

To enable and use the sshblock daemon, use the following in /etc/rc.conf or
/etc/rc.conf.local:

sshblock_enable="YES"

To set flags/options (optional), add:

sshblock_flags=""

See /usr/local/sbin/sshblock -h for possible command line options.

Use /usr/local/etc/rc.d/sshblock to stop and start it.


The sshblock usage is as follows:

Usage: sshblock [ -b <blockfile> ] [ -l <logfile> ] [ -t <trigger list> ]

Trigger list is a list of seconds:attempts threshold pairs for determining
whether a host should be blocked

Default blockfile: /etc/hosts.allow
Default logfile: /var/log/auth.log


So once the installation from ports is complete, sshblock can be started with the following command:

/usr/local/etc/rc.d/sshblock start


To start sshblock automatically at boot, add the following to /etc/rc.conf:

sshblock_enable="YES"



To define your own blocking criteria, create /usr/local/etc/sshblock.conf. Each criterion separates the number of seconds and the number of attempts with a colon : and the criteria are separated by whitespace. For example, the default criteria are:

15:5 60:10 3600:20 86400:30

This means a host is blocked after 5 failures within 15 seconds, or 10 failures within 60 seconds, or 20 failures within 3600 seconds, or 30 failures within 86400 seconds.
Then add this setting to /etc/rc.conf so it is loaded automatically at boot:

sshblock_flags="-t /usr/local/etc/sshblock.conf"
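To show how the seconds:attempts thresholds above are applied, here is an added example (not SSHBlock's own code) that parses the default trigger list, scans constructed sshd lines in auth.log format and reports which hosts trip a threshold. The year for the syslog timestamps and the exact hosts.allow deny line are assumptions, since neither appears in the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default SSHBlock trigger list: whitespace-separated "seconds:attempts" pairs.
DEFAULT_TRIGGERS = "15:5 60:10 3600:20 86400:30"

# Constructed sample of sshd lines in /var/log/auth.log format. 203.0.113.7
# fails five times within 12 seconds; 198.51.100.9 stays below every threshold.
SAMPLE_LOG = """\
Nov 28 10:00:00 host sshd[1201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov 28 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Nov 28 10:00:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 40114 ssh2
Nov 28 10:00:09 host sshd[1207]: Failed password for root from 203.0.113.7 port 40115 ssh2
Nov 28 10:00:12 host sshd[1209]: Failed password for root from 203.0.113.7 port 40116 ssh2
Nov 28 10:01:00 host sshd[1211]: Failed password for bob from 198.51.100.9 port 50001 ssh2
Nov 28 10:02:30 host sshd[1213]: Accepted publickey for bob from 198.51.100.9 port 50002 ssh2
"""

# Matches only failed logins; successful logins and unrelated lines are skipped.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \w+ for "
    r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) "
)

def parse_triggers(spec):
    """'15:5 60:10' -> [(15, 5), (60, 10)]: block after N attempts within S seconds."""
    return [tuple(int(x) for x in pair.split(":")) for pair in spec.split()]

def hosts_to_block(log_text, triggers, year=2009):
    """Return {host: (window, limit)} for the first threshold each host trips.

    Syslog timestamps carry no year, so one is assumed (year=2009 for the sample)."""
    failures = defaultdict(list)
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        host = m.group(2)
        failures[host].append(ts)
        for window, limit in triggers:
            recent = [t for t in failures[host] if ts - t <= window]
            if len(recent) >= limit and host not in blocked:
                blocked[host] = (window, limit)
    return blocked

def hosts_allow_line(host):
    """TCP Wrappers deny rule for sshd (assumed format; SSHBlock's own is not shown)."""
    return f"sshd : {host} : deny"
```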


Note:
Because SSHBlock blocks through TCP Wrappers, inetd must be enabled for the blocking to take effect.
