This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 9b9fcaa6c7093e7d70117bd4d7230bccd9467def (commit) from 4836c57adab8defa1676a5b420f7291063f33631 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 9b9fcaa6c7093e7d70117bd4d7230bccd9467def Author: Jan Paul Tuecking earl@ipfire.org Date: Sun Oct 30 11:07:46 2011 +0100
guardian: Fixed and enhanced blocking of ssh scans.
-----------------------------------------------------------------------
Summary of changes: config/guardian/guardian.pl | 49 +++++++++++++++++++++++++++--------------- lfs/guardian | 2 +- 2 files changed, 32 insertions(+), 19 deletions(-)
Difference in files:
diff --git a/config/guardian/guardian.pl b/config/guardian/guardian.pl
index c7fd5f8..86d93fe 100644
--- a/config/guardian/guardian.pl
+++ b/config/guardian/guardian.pl
@@ -95,8 +95,17 @@ for (;;) {
 if (seek(ALERT2,0,1)){
 while (<ALERT2>) {
 chop;
- if ($_=~/.*sshd.*Failed password for root from.*/) {
- my @array=split(/ /,$_);&checkssh ($array[11], "possible SSH-Bruteforce Attack");}
+ if ($_=~/.*sshd.*Failed password for .* from.*/) {
+ my @array=split(/ /,$_);
+ my $temp = "";
+ if ( $array[11] eq "port" ) {
+ $temp = $array[10];
+ } elsif ( $array[11] eq "from" ) {
+ $temp = $array[12];
+ } else {
+ $temp = $array[11];
+ }
+ &checkssh ($temp, "possible SSH-Bruteforce Attack");}
 }
 }
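Review bot: The source address is still recovered by position after `split(/ /,$_)` via the new `$array[11] eq "port"` / `eq "from"` heuristic, even though the widened regex `Failed password for .* from` now matches failures for any user name — including forms such as `invalid user <name>` where the name is attacker-chosen and may itself contain spaces or the words `from`/`port` — so an arbitrary token can end up as the address handed to `&checkssh`. It is safer to take the address from the regex itself, anchored on the `from <ip> port <n>` tail of the line: `if ($_ =~ /sshd.*Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/) { &checkssh ($1, "possible SSH-Bruteforce Attack"); }`, which also removes the need for `@array` and `$temp`. Whether a spoofed token could reach a firewall rule depends on what `checkssh` and `ipchain` do with it, which this hunk does not show. The enclosing `for (;;)` loop starts before the hunk and continues past it.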
@@ -164,24 +173,28 @@ sub checkssh {
return 1 if ($source eq $gatewayaddr); # or our gateway
- if ($sshhash{$dest} eq "" ){
- $sshhash{$dest} = 1;
+ return 0 if ($sshhash{$source} > 4); # allready blocked
+
+ if ( ($ignore{$source} == 1) ){
+ &write_log("Ignoring attack because $source is in my ignore list\n");
+ return 1;
 }
- if ($sshhash{$dest} >= 3 ) {
- &write_log ("source = $source, count $sshhash{$dest} - blocking for ssh attack.\n");
+
+ if ($sshhash{$source} == 4 ) {
+ &write_log ("source = $source, blocking for ssh attack.\n");
 &ipchain ($source, "", $type);
+ $sshhash{$source} = $sshhash{$source}+1;
+ return 0;
 }
-# you will see this if the destination was not in the $sshhash, and the
-# packet was not ignored before the target check..
- else {
- &write_log ("Odd.. source = $source, ssh count only $sshhash{$dest} - No action done.\n");
- if (defined ($opt_d)) {
- foreach $key (keys %sshhash) {
- &write_log ("sshhash{$key} = %sshhash{$key}\n");
- }
- }
- $sshhash{$key} = $sshhash{$key}+1;
+
+ if ($sshhash{$source} eq "" ){
+ $sshhash{$source} = 1;
+ &write_log ("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n");
+ return 0;
 }
+
+ $sshhash{$source} = $sshhash{$source}+1;
+ &write_log ("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n");
 }
 sub ipchain {
@@ -221,9 +234,9 @@ sub build_ignore_hash {
 $count++;
 }
 close (IGNORE);
- print "Loaded $count addresses from $ignorefile\n";
+ &write_log("Loaded $count addresses from $ignorefile\n");
 } else {
- print "No ignore file was loaded!\n";
+ &write_log("No ignore file was loaded!\n");
 }
 }
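Review bot: `$source` is used as a `%sshhash` key and passed to `&ipchain ($source, "", $type)` without any check that it is actually an address, yet by the time it is tested here it is whatever token the caller pulled out of the sshd log line. Since `ipchain` presumably turns it into a firewall rule (its body is not in this hunk), a guard at the top of `checkssh` such as `return 0 unless $source =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;` would keep a malformed or attacker-shaped token out of that path. Two smaller points on the new lines: `$sshhash{$source} > 4` and `== 4` run numeric comparisons on an undefined value for a first-seen source (the `eq ""` test only comes afterwards), which warns if warnings are enabled, so `exists $sshhash{$source}` or `$sshhash{$source} // 0` would be cleaner; and the per-source counter is never decremented or expired in this code, so `%sshhash` grows by one entry for every address that fails once unless something outside the hunk prunes it. The `checkssh` sub begins before this hunk.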
diff --git a/lfs/guardian b/lfs/guardian
index 251a56f..fea50db 100644
--- a/lfs/guardian
+++ b/lfs/guardian
@@ -30,7 +30,7 @@ THISAPP = guardian-$(VER)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = guardian
-PAK_VER = 7
+PAK_VER = 8
DEPS = ""