16 May 2006

My python script for ssh blacklisting

I recently started seeing some people attempt to brute-force their way into my SSH daemon. This is not really a risk, because only one account is accessible from the outside and its password is good enough, but I still didn't see why this should be allowed. So I installed BlinkEye's blacklist.py to stop it. This worked fine in practice, but I didn't see why it would be necessary to poll for the log lines and also why the dependancy on logtail was necessary. Especially since syslog-ng has this wonderful feature where you have a program as destination, and syslog-ng feeds the output line-by-line to the program. So I wrote ssh-blacklist.py.

Some simple performance tests very similar to BlinkEye's seem to show that it's in the same order of magnitude of speed as the original; it read and parsed the pre-generated log-file (line by line!) in 15 seconds (wall time) on a Pentium IV 3 Ghz. I did cheat a bit here, because I ran it as non-root and changed running the iptables commands into just printing the commands. But I guess this does not impact performance all that much; they were printed and rendered to an xterm, so that's not so lightweight either.

In order to use the script, you need to be running syslog-ng. Add a section similar to the following to your syslog-ng.conf:

# ssh blacklisting program
# this will open the given program and feed it the given lines one by one
destination dpr_blacklist {program ("/usr/local/bin/ssh-blacklist.py"); };

log {
source (s_all);
filter (f_auth);
destination (dpr_blacklist);

Here, f_auth is a filter that filters out anything but the auth and authpriv facilities. It is standard on Debian.


  • Change the commands.* stuff into os.spawn*. We don't need the output of most commands anyway.
  • Make the position at which we jump from the input chain to our custom chain a configurable variable.

You can view the script here.


Post a Comment

Links to this post:

Create a Link

<< Home