Update hosts.deny to block brute force attempts

2 Sep

Below is a simple script to block hosts that are brute-forcing your SSH; often it spares you the hassle of running SSH on a non-standard port 🙂

The script scans /var/log/messages for intrusion attempts, collects the hosts, and adds them to /etc/hosts.deny.

Code:

#!/bin/bash

# Keep a copy of the current file so we can tell at the end whether anything changed.
cp /etc/hosts.deny /var/tmp/hosts.deny

# Jun  8 00:39:43 mintaka sshd[23332]: User root from 222.77.183.51 not allowed because not listed in AllowUsers
# Today's "not listed in AllowUsers" lines: capture the address after "from", dedupe, prefix with ALL:.
# Note the single ">": hosts.deny is rewritten from scratch, so only hosts seen today stay listed.
egrep "$(date +%b) ($(date +%d)|$(date +%e)).*User .* from [a-z0-9.]* not allowed because not listed in AllowUsers" /var/log/messages | sed -e 's/.* from \([a-z0-9.]*\) .*/\1/' | sort | uniq | sed -e 's/^/ALL:/' > /etc/hosts.deny ;
# Jun  8 11:54:33 mintaka sshd[31221]: Invalid user bob from 62.204.145.224
# Today's "Invalid user" lines: keep what follows "from" (the address, with its leading space), dedupe, append.
egrep "$(date +%b) ($(date +%d)|$(date +%e)).*Invalid user .* from [a-z0-9.]*$" /var/log/messages | sed -e 's/.*Invalid user .* from//' | sort | uniq | sed -e 's/^/ALL:/' >> /etc/hosts.deny ;

# Report only when the file actually changed.
diff -u /etc/hosts.deny /var/tmp/hosts.deny &>/dev/null || (echo "** hosts.deny updated **" ; cat /etc/hosts.deny)

The script in action:

Sep 2 16:55:02 mintaka -- MARK --
Sep 2 13:58:10 mintaka sshd[20790]: Did not receive identification string from 189.2.118.72
Sep 2 13:58:34 mintaka sshd[20795]: Invalid user suporte from 189.2.118.72
# Brute force attempt
Sep 2 13:58:41 mintaka sshd[20798]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:43 mintaka sshd[20800]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:46 mintaka sshd[20802]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:49 mintaka sshd[20804]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:51 mintaka sshd[20806]: Invalid user suporte from 189.2.118.72
Sep 2 13:59:24 mintaka sshd[20817]: Did not receive identification string from 189.2.118.72
# The script runs
** hosts.deny updated **
ALL:74.221.239.100
ALL: 189.2.118.72
ALL: 200.27.79.101
ALL: 74.221.239.100
# And the hosts are now blocked
Sep 2 14:00:09 mintaka sshd[20826]: Invalid user teste2008 from 189.2.118.72
Sep 2 14:00:10 mintaka sshd[20864]: refused connect from 189.2.118.72 (189.2.118.72)

I run it on my machine every 2 minutes 🙂
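As an added example (not the post's script, and not something the post's author ran), here is the same idea written so it can be pointed at any log file and date, extracts only IPv4 addresses, and appends new entries to hosts.deny instead of rewriting it, so addresses blocked on earlier days survive. The sample log lines are constructed, the day prefix is passed in explicitly rather than taken from date, and extract_attackers, merge_deny and run_demo are names chosen here.

```shell
#!/bin/sh
# Added example, not the original post's script.  Two helpers and a demo:
#   extract_attackers <logfile> <"Mon dd" prefix>  -> unique IPv4 sources of failed logins
#   merge_deny <hosts.deny> <ip>...                -> appends "ALL: ip" for addresses not yet listed
# Real use would be:  merge_deny /etc/hosts.deny $(extract_attackers /var/log/messages "$(date '+%b %e')")

# Constructed syslog excerpt in the two OpenSSH formats the post matches,
# plus lines that must be ignored (other day, "Did not receive", "refused connect").
SAMPLE_LOG='Sep  2 13:58:10 mintaka sshd[20790]: Did not receive identification string from 189.2.118.72
Sep  2 13:58:34 mintaka sshd[20795]: Invalid user suporte from 189.2.118.72
Sep  2 13:58:41 mintaka sshd[20798]: Invalid user suporte from 189.2.118.72
Sep  2 13:59:00 mintaka sshd[20810]: User root from 200.27.79.101 not allowed because not listed in AllowUsers
Sep  1 23:10:00 mintaka sshd[20100]: Invalid user admin from 10.0.0.9
Sep  2 14:00:10 mintaka sshd[20864]: refused connect from 189.2.118.72 (189.2.118.72)'

extract_attackers() {
    log="$1"; day="$2"
    # Only the given day's sshd lines in the two "failed login" formats;
    # the second grep drops anything whose "from" field was a hostname, not an address.
    grep -E "^$day .*sshd\[[0-9]+\]: (Invalid user .* from|User .* from .* not allowed because not listed in AllowUsers)" "$log" \
      | sed -E 's/.* from ([0-9]{1,3}(\.[0-9]{1,3}){3}).*/\1/' \
      | grep -E '^[0-9.]+$' \
      | sort -u
}

merge_deny() {
    deny="$1"; shift
    added=0
    for ip in "$@"; do
        # -F literal, -w whole word: 1.2.3.4 matches an existing "ALL: 1.2.3.4" but not 11.2.3.45.
        if ! grep -qFw -- "$ip" "$deny" 2>/dev/null; then
            printf 'ALL: %s\n' "$ip" >> "$deny"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Runs the whole flow on the constructed data and prints the resulting hosts.deny.
run_demo() {
    dir="$(mktemp -d)"
    printf '%s\n' "$SAMPLE_LOG" > "$dir/messages"
    printf 'ALL: 74.221.239.100\n' > "$dir/hosts.deny"   # entry left over from an earlier run
    merge_deny "$dir/hosts.deny" $(extract_attackers "$dir/messages" "Sep  2") > /dev/null
    cat "$dir/hosts.deny"
    rm -rf "$dir"
}
```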


19 Responses to “Update hosts.deny to block brute force attempts”

  1. kate middleton bride figurine, April 21, 2012 at 22:55

    Hi, Neat post. There’s a problem with your web site in Internet Explorer, might test this… IE still is the marketplace leader and a large component to other folks will omit your great writing because of this problem.

  2. motorcycle transport, April 20, 2012 at 10:56

    Fantastic post I am just taking in on motorcycles and this post really helped me out! I really appreciate the effort.

  3. Sue Hochstetler, April 19, 2012 at 07:11

    The actual clearness inside your post is simply spectacular and that I can assume you are an expert on this subject.

  4. opalanie natryskowe, April 18, 2012 at 22:38

    Sorry for the huge review, but I’m really loving the new Zune, and hope this, as well as the excellent reviews some other people have written, will help you decide if it’s the right choice for you.

  5. download here, April 18, 2012 at 09:12

    You really make it appear so easy along with your presentation however I find this topic to be really one thing that I think I would by no means understand. It seems too complex and very vast for me. I’m taking a look forward to your subsequent publish, I’ll attempt to get the hold of it!

  6. Wendie Raju, April 11, 2012 at 05:43

    Write more, that’s all I have to say. Literally, it seems as though you relied on the video to make your point. You definitely know what you’re talking about, why waste your intelligence on just posting videos to your weblog when you could be giving us something enlightening to read?

  7. Houses to let in Newcastle, April 10, 2012 at 16:53

    http://propertiestolet.insanejournal.com/data/rss

  8. Biuro Podróży, April 6, 2012 at 23:42

    Wonderful work! That is the kind of information that is meant to be shared around the internet. Disgrace on Google for not positioning this publish upper! Come on over and discuss with my website. Thank you =)

  9. Hunter Schwebach, April 2, 2012 at 13:43

    This is a really good site post, I’m delighted I came across it. I’ll be back down the track to check out other posts that

  10. Latonya Hinde, March 30, 2012 at 19:25

    I think that what you wrote made a great deal of sense. However, consider this, suppose you typed a catchier post title? I am not saying your content is not solid, however what if you added something to possibly get a person’s attention? I mean Atualize o hosts.deny para bloquear tentativas de brute force | Dev With Passion is a little boring. You ought to look at Yahoo’s home page and see how they create news headlines to get viewers to open the links. You might try adding a video or a pic or two to get readers interested about what you’ve got to say. Just my opinion, it might make your posts a little livelier.

  11. Biuro Podrozy, March 29, 2012 at 15:12

    I really like what you guys are up to. This kind of clever work and coverage! Keep up the excellent work guys, I’ve included you guys in my own blogroll.

  12. Ada Cornwell, March 26, 2012 at 16:50

    […]what follows are a handful of urls to webpages we connect to as we feel these are well worth visiting[…]

  13. http://diamondweddingband.ca, March 19, 2012 at 00:11

    What I do not realize is if truth be told how you’re not actually a lot more neatly-favored than you may be now. You are very intelligent. You understand therefore considerably in relation to this subject, produced me in my opinion imagine it from numerous various angles. It’s like women and men are not fascinated except it’s one thing to accomplish with Girl gaga! Your personal stuff’s great. Always care for it up!

  14. Gama, March 12, 2010 at 23:46

    Impressive!
    Just this morning I was thinking about how to write a script like this to detect intrusion attempts via SSH, and here I find this.
    Very good!
    I will certainly have to improve my egrep and sed know-how to do something similar.

  15. bimo, September 14, 2009 at 06:09

    Hello… the script is not working for me…

    Output is gt, no such command..

    Where am I going wrong?

    Thanks..

    • Felipe 'chronos' Prenholato, September 14, 2009 at 08:45

      Hmm… maybe your distro and/or version of sshd outputs entries in a different format than mine. Probably you need to change the egrep regex :).

      Maybe it is a better idea to check for other scripts/software that do the same thing; check the links in the comments 😉

  16. Luiz Agostinho (fl0cker), September 4, 2009 at 14:02

    Hey Dr. Chronos!

    I use a very similar solution, denyhosts, which works in the same style!

    Cheers!

