
SSH Scanner Blocker

This little script helps block the annoying attacks performed against ssh services all over the world since summer 2004. The attacks are not real ones: it is a simple scanner that tries to log in using common username/password combos, as well as passwordless accounts. The script uses the power of the pf packet filter from the OpenBSD Project, using its table feature to add hosts to a blocked list if the ip address of the host is found in the authentication log trying to log in as an unauthorized user.

Download: ssh_blocker.py v0.1 (October 18, 2004): tar.gz | tar.bz2 | zip

Source:

#!/usr/bin/env python3
# -*- Python -*-
#
# made by Francisco de Borja Lopez Rio (Wu) - <wu@e-shell.org>
# http://www.e-shell.org
#
# Mon Oct 18 03:52:27 CEST 2004


"""
ssh_blocker

This little script helps block the annoying attacks performed against
ssh services all over the world since summer 2004.
The attacks are not real ones: it is a simple scanner that tries to log in using
common username/password combos, as well as passwordless accounts.

The script is divided into these parts:

- Variable definition: here some variables used later in the script are set, like the
path to the pfctl utility or the name of the table used inside pf to block all the
ip addresses.

- Get infected ips: here the authlog log file is checked in order to get a list of infected
ip addresses that have tried to log in using the ssh scanner. Those ip addresses are
stored in a list.

- Get the blocked ip addresses with the pfctl tool; this is helpful to avoid adding the
same ip address to the banned list more than once.

- Check the infected list against the blocked one; each infected ip address that is not
blocked gets blocked immediately.
"""

import subprocess

# Variable definition.
pfctl = "/sbin/pfctl"
pf_conf = "/etc/pf.conf"
pf_table = "sshscan"
authlog_path = "/var/log/authlog"
infected_ips = []


# Read authlog, searching for infected ip addresses
print('Reading the log - ', authlog_path, '\n')
with open(authlog_path, 'r') as authlog:
    for authlog_line in authlog:
        if 'Failed password for invalid user' in authlog_line:
            # The address follows the last " from " on the line (a username itself
            # could contain the word "from"), and is terminated by " port".
            ip = authlog_line.rsplit(' from ', 1)[1].split(' port ')[0].strip()
            if ip not in infected_ips:
                print('Infected host detected - ', ip)
                infected_ips.append(ip)

# Use pfctl to get the ip addresses already blocked
print('\nReading the table of blocked hosts - %s -t %s -T show\n' % (pfctl, pf_table))
show = subprocess.run([pfctl, '-t', pf_table, '-T', 'show'],
                      capture_output=True, text=True, check=True)

# clean the list, removing unneeded blank spaces
blocked_ips = [line.strip() for line in show.stdout.split('\n')]


# go through the list of infected ips, checking if the ip address is already blocked
# or not. If not, add the ip address to the table.
for ip in infected_ips:
    if ip in blocked_ips:
        print(ip, ' - IP Address already blocked')
    else:
        print(ip, ' - Adding IP Address to the blocked table')
        # The address is passed as its own argument, so a string taken from the log
        # is never interpreted by a shell.
        subprocess.run([pfctl, '-t', pf_table, '-T', 'add', ip], check=True)
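The log-parsing and table-comparison steps described above, as an added example that is not part of the original script: it runs the same "invalid user" detection over a few constructed authlog lines (including a username that contains the word "from" and a failed login for a real account, which the script deliberately ignores) and builds the pfctl argument lists it would run, without executing anything. The sample lines, the table name and the pfctl path are assumptions, not taken from a real system.

```python
import re
from typing import Iterable, List

# Constructed sample lines in OpenBSD sshd/authlog style (not copied from a real log).
SAMPLE_AUTHLOG = """\
Oct 18 03:40:11 host sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 40412 ssh2
Oct 18 03:40:13 host sshd[1235]: Failed password for invalid user guest from 192.0.2.10 port 40415 ssh2
Oct 18 03:41:02 host sshd[1240]: Failed password for invalid user fromage from 198.51.100.7 port 2201 ssh2
Oct 18 03:42:50 host sshd[1250]: Failed password for wu from 203.0.113.5 port 50122 ssh2
Oct 18 03:43:01 host sshd[1251]: Accepted publickey for wu from 203.0.113.5 port 50130 ssh2
"""

# Only the "invalid user" failures the script keys on are matched. The greedy user group
# makes the address bind to the last " from ", so a username containing "from" is harmless.
SCAN_LINE = re.compile(
    r"Failed password for invalid user (?P<user>.+) from (?P<ip>\S+) port \d+"
)


def scanner_ips(lines: Iterable[str]) -> List[str]:
    """Return the distinct source addresses of 'invalid user' failures, in first-seen order."""
    seen: List[str] = []
    for line in lines:
        m = SCAN_LINE.search(line)
        if m and m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen


def pfctl_add_commands(infected: Iterable[str], blocked: Iterable[str],
                       table: str = "sshscan", pfctl: str = "/sbin/pfctl") -> List[List[str]]:
    """Build one pfctl argv per infected address that is not already in the table.

    `blocked` is the raw output of `pfctl -t <table> -T show`, one entry per line,
    possibly with leading blanks and a trailing empty line. Commands are returned as
    argument lists (no shell) so a log-derived string can never be parsed as shell
    syntax; nothing is executed here.
    """
    blocked_set = {entry.strip() for entry in blocked if entry.strip()}
    return [[pfctl, "-t", table, "-T", "add", ip] for ip in infected if ip not in blocked_set]


if __name__ == "__main__":
    ips = scanner_ips(SAMPLE_AUTHLOG.splitlines())
    for cmd in pfctl_add_commands(ips, ["   192.0.2.10", ""]):
        print(" ".join(cmd))
```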