sshcheck.php - Blocking SSH bruteforce attempts against client VPS containers

Damian

Not sure if it's limited only to us, but we have a problem with having our customer's VPSes sshscanned for weak passwords.

So I have developed a simple PHP script to parse the output of netstat -n | grep :22, then counts how many IP addresses the remote IP is attempting to connect to, then add iptables rules when it determines an attack is happening. It will only add an iptable rule if a DROP rule for the IP does not exist already.

As we only run OpenVZ, it has only been tested on OpenVZ nodes. I am curious for feedback on if it works for Xen or KVM nodes.

It is being released to the community. You can find it here: http://pastebin.com/kfWaJa9q

Install it by writing it anywhere on your node, (I have mine in /sbin), editing the variables at the top of the script, then adding a crontab entry for root. This will run it every 5 minutes:

*/5 * * * *  /usr/bin/php /sbin/sshcheck.php

(update to reflect your php binary, and where you put the script)

You will get reports in your email like this:

Hello, this is sshcheck.php running on sapphire.ipxcore.com

Current time: Thu, 09 Aug 12 19:33:49 -0600

Adding iptables DROP rule. Remove it with:
iptables -D FORWARD -s 218.203.165.153 -j DROP

IP 218.203.165.153 is involved in a brute force attack against the
following IPs:

Count: 13
1.2.3.157:22
1.2.3.136:22
1.2.3.108:22
1.2.3.31:22
1.2.3.201:22
1.2.3.32:22
1.2.3.195:22
1.2.3.11:22
1.2.3.32:22
1.2.3.180:22
1.2.3.103:22
1.2.3.108:22
1.2.3.122:22

Tested with PHP 5.1.6 (Centos 5), PHP 5.3.3 (Centos 6), PHP 5.3.3-7+squeeze13 (Debian Squeeze).

Upcoming/to-do/V2.0: -check that destination IPs are unique -add method for iptables drop for a specified timeframe only -proper source code commenting

TheHackBox

I think hosts need to start doing something like this.

Taylor

I feel like you are being a managed provider sometimes :P

Damian

@Taylor said: I feel like you are being a managed provider sometimes :P

:P

Having script kiddies get into someone's poorly-passworded VPS tends to wreak havoc in various ways. This is just one way of plugging a hole.

fan

Also interested in how it works with Xen and KVM, great contribution to the community!

Taz

Great tool :)

Taz

Question /suggestion /note : this script by default will only work for port 22. Is there any way to make it dynamic ? Something like (since this is ovz) find sshd _config, get the SSH port info and dynamically update your script?

Damian

@NinjaHawk said: Question /suggestion /note : this script by default will only work for port 22. Is there any way to make it dynamic ? Something like (since this is ovz) find sshd _config, get the SSH port info and dynamically update your script?

Sure, I suppose you could. You'd need to look in every /vz/private/*/etc/sshd_config, and that runs into privacy concerns.

Since there are so many IP ranges out there with active servers on them, script kiddies aren't going to bother port-scanning an IP range to find out where the active SSH ports are, since there are so many easier targets they can move on to.

Therefore, if a client changes their port away from the default, then they've pretty much solved the problem themselves anyway.

William

@Damian said: I am curious for feedback on if it works for Xen or KVM nodes.

Since KVM is bridged: No.

u4ia

@Damian said: Therefore, if a client changes their port away from the default, then they've pretty much solved the problem themselves anyway.

+1 It really works. Some call it security by obscurity, but I call it much smaller log files :)

bamn

What about setting up a sensor that submits IP addresses to the node to block it from the customers?

Jack

@bamn said: What about setting up a sensor that submits IP addresses to the node to block it from the customers?

I think it already does that?

It adds an iptables rule if that's what you mean?

Damian

@u4ia said: It really works. Some call it security by obscurity, but I call it much smaller log files :)

Mmm hmm, well put in much fewer words :)

@bamn said: What about setting up a sensor that submits IP addresses to the node to block it from the customers?

I don't understand what you're asking? Do you mean something the customer sets up inside their VPS?

Taz

@Damian Given proper credit, can I post this on my Linux script archive that I am working on?

Randy

Thanks<3

Taz

@Randy This is a nix script. Nothing for you ;)

Randy

Cant i say thank you on behalf of everyone<3

ssdvm

Very interesting idea, thanks for sharing.

Damian

@NinjaHawk said: Given proper credit, can I post this on my Linux script archive that I am working on?

Sure, though i'd really recommend a "go here for latest version" link or something. This is version 1, it's missing some things like error checking and code comments...

DanielM

My passwords are that secure i dont know them lol.

dmmcintyre3

@DanielM said: My passwords are that secure i dont know them lol.

Same here. They look like this:

-----BEGIN DSA PRIVATE KEY-----
MIIBvAIBAAKBgQDmndgL5WhGdW7XV87FEJodYGfDkWo1QHhuLYAG6RwdPInTf9eK
S69CQ4pDRUOrVL2eb02GEa8VJrGDVpMS57kLe/j343ayRFrE5DKT97zTr9LIAkP0
W7i3WsX713ZUvgqGtp9Kavyy2XlMa7C5Rr/FJgtEcUdR8wnG1+8VQtq/hQIVAM6x
FnRpO5i6URahUV/ORMw7DW9hAoGBAMoSNjdQnSualJ6kp0PJysjX5M+LsGWZHbye
s0zybqeyaFdRWwOfGeJi/o7xnzROFK6IKaw0EpT5Jwu3cBf0nVi8mk0tXgDQkkTx
ayXP7O1eszqw9QX73dN37xs3JR7gRjQTSoCVUlMLEFZyRlvYd6dAq8tLTCNZDcS4
1iCbeKQlAoGBAOQVOIZqXPp2ez41UGUGwD60Yb3ZBhWlQmMneiDLmB410tdy+JIj
N8YPA7MKCjopOTZSakM0sRAY6nzTsKnEU5LBoC3THUHPdEPDtjTI2SaC8Lz/f61i
d9ylORCX/I+DqPcYESXeBAyGtA/J8GqG0MUQjQWnfMZiOrjTUcroOUFcAhRJ/+lx
ZeeHGOCuzfqsseVVM2oRsA==
-----END DSA PRIVATE KEY-----

(don't bother trying this on any of my servers, I generated a new one for this post)

Jack

@dmmcintyre3 said: (don't bother trying this on any of my servers, I generated a new one for this post)

That made me chuckle.

Damian

@dmmcintyre3 said: Same here. They look like this:

I wonder if I can mandate that people use private keys to log into their VPS? Although I wonder how hard it would be to educate people on the process.

Infinity

Write a detailed knowledgebase article, I mean, it's not that hard to setup SSH keys.

Inglar

@Damian said: Although I wonder how hard it would be to educate people on the process.

In fact it's no so difficult to setup. But also it may be even as some automated process, without prompting password every time for every VPS.

Voss

@Infinity said: Write a detailed knowledgebase article, I mean, it's not that hard to setup SSH keys.

I messed the process up three times before I got it working on several servers. Having a couple of screenshots here and there would be really, really helpful if @Damian decides to create a knowledgebase article.

Pats

@NinjaHawk said: @Randy This is a nix script. Nothing for you ;)

can collect lah.. :D or can convert this to Windows VPS and give it to community :)

Taz

@Pats no offense, but I doubt HE can do this. Just saying.

Damian

@Pats Windows doesn't use iptables, which is the heart of this script. I don't know what the Windows analog would be.

http://serverfault.com/questions/207620/windows-equivalent-of-iptables has some information. Update the script and submit it, and i'll merge the differences :)

You'll also need to determine the Windows equivalent of netstat, and function php_uname('n') won't work on windows.

Taz

@Damian Why use windowS :P

MrAndroid

@NinjaHawk said: @Damian Why use Windoze :P

Correction

@Damian said: You'll also need to determine the Windows equivalent of netstat, and function php_uname('n') won't work on windows.

Running PHP on Windows is like doing an egg and spoon race with a pineapple instead of an egg.