dropbear-offenders (bans ip that try and access ssh without proper credentials)

[swetoast]

PREAMBLE: make sure you set your ban lists if you didn't then don't blame me if you get banned. Start it either via services_start or init.d file thats provided on my gitlab.

INTRODUCTION: So what it does it scans the syslog for Bad password attempts then if its found it check the whitelist for ip that are allowed to bash the ssh with bad passwords (thinking of setting a value on this in the future).

The whitelist is dead simple add your ip in a row

192.168.1.2
192.168.1.3

and the whitelist will remove these entries, if the ip is not found in the whitelist then it move to ban it from the service not from the network but the service only. And with that said, play and have fun and if you think of an improvement then please tell me here

https://gitlab.com/swe_toast/dropbear-offenders/tree/master

 

[shooter40sw]

Hi!, could I change the port to a non standard one, or maybe use it to protect the openvpn port? thanks

 

[swetoast]

dunno if openvpn shows up but if it does i can update and include it

 

[ryzhov_al]

@swetoast, why you parse all syslog twice per minute? Not sure it's optimal, you may use something like this to catch new messages only:

tail -F /tmp/syslog.log | \
   while read line ; do
       echo "do something with $line"
   done

Also, it will be event driven solution instead of time out driven.

 

[swetoast]

sure, just a little script i messed around with but that seems way better for it tnx

 

[ryzhov_al]

As for me, I forced scanners who knocks to TCP22 port to hang there for eternity, while posting their IP addresses on Twitter
Now I'm tired to do that.

 

[swetoast]

while posting their IP addresses on Twitter
Now I'm tired to do that.

haha nice one

 

[sfx2000]

PREAMBLE: make sure you set your ban lists if you didn't then don't blame me if you get banned. Start it either via services_start or init.d file thats provided on my gitlab.

INTRODUCTION: So what it does it scans the syslog for Bad password attempts then if its found it check the whitelist for ip that are allowed to bash the ssh with bad passwords (thinking of setting a value on this in the future).

The whitelist is dead simple add your ip in a row

Can your script support CIDR blocks...

For example

95.215.60.0/22            
95.163.64.0/18            
95.163.128.0/17          
95.141.47.0/24            
92.222.35.0/24            
91.224.160.0/23          
90.176.195.0/24          
89.21.208.0/20            
89.163.128.0/19          
85.93.5.0/24              
85.167.0.0/16

BTW - these are some china blocks that I have in place...

 

[swetoast]

could make that happen, if there is a huge demand for it

 

[swetoast]

So @sfx2000 looked into it and its fairly simple i could set a user blacklist where they define CIDR Blocks that automatically blocks the ranges and then it keeps on scanning the syslog for the singles to ban, does that sound like a valid plan ?

 

[swetoast]

added pushbullet notifications so that the phone/computer is notified upon a ban

 

[swetoast]

CIDR Blocks added as per request

 

[swetoast]

added telegram support also for shirt n giggles

 

[swetoast]

and last but not least slack figure i might do discord too while im at it just because i can

 

[mrchow]

Hey,
as far as I understand whitelisting is necessary for client IPs right? So if I'm using DHCP, I'd have to whitelist the whole DHCP range. Did I understand that correctly? Thank you.

 

[sfx2000]

So @sfx2000 looked into it and its fairly simple i could set a user blacklist where they define CIDR Blocks that automatically blocks the ranges and then it keeps on scanning the syslog for the singles to ban, does that sound like a valid plan ?

If the CIDR blocks kick in early enough, this should be really good, as one wouldn't see a member of that block in the syslog, as IPTables should reject (even though one might see it in syslog, if the regex doesn't look there...)

 

[sfx2000]

Quick tip by the way - this is something I cut/pasted from a few years back - but it's similar to UFW's connection limit command...

/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 4 -j LOGDROP

This assumes that the ssh server is running on port 22, and we look at the number of attempts coming in, and then start dropping aggressive connection attempts on that port. Once that threshold is hit, we drop the connections and insert an entry into the log - depending on distro, could be auth.log or syslog, or some other log...

 

[swetoast]

if you put enabled at instead of use_whitelist_lan="disabled" then it safe guards your lan then if your running dhcp then its all good

 

[RMerlin]

This assumes that the ssh server is running on port 22, and we look at the number of attempts coming in, and then start dropping aggressive connection attempts on that port. Once that threshold is hit, we drop the connections and insert an entry into the log - depending on distro, could be auth.log or syslog, or some other log...

That feature for SSH is actually built in Asuswrt-Merlin BTW.

 

[redhat27]

As for me, I forced scanners who knocks to TCP22 port to hang there for eternity, while posting their IP addresses on Twitter
Now I'm tired to do that.

Very nice! How do I compile a mips binary for the ssh-bouncer? I have a RT-AC66U