sshcheck.php - Blocking SSH bruteforce attempts against client VPS containers

Damian Member
edited August 2012 in Providers

Not sure if it's limited only to us, but we have a problem with our customers' VPSes being SSH-scanned for weak passwords.

So I have developed a simple PHP script that parses the output of netstat -n | grep :22, counts how many IP addresses each remote IP is attempting to connect to, then adds iptables rules when it determines an attack is happening. It will only add an iptables rule if a DROP rule for the IP does not already exist.

As we only run OpenVZ, it has only been tested on OpenVZ nodes. I am curious for feedback on if it works for Xen or KVM nodes.

It is being released to the community. You can find it here: http://pastebin.com/kfWaJa9q

Install it by writing it anywhere on your node (I have mine in /sbin), editing the variables at the top of the script, then adding a crontab entry for root.
This will run it every 5 minutes:

*/5 * * * *  /usr/bin/php /sbin/sshcheck.php

(update to reflect your php binary, and where you put the script)

You will get reports in your email like this:

Hello, this is sshcheck.php running on sapphire.ipxcore.com

Current time: Thu, 09 Aug 12 19:33:49 -0600

Adding iptables DROP rule. Remove it with:
iptables -D FORWARD -s 218.203.165.153 -j DROP

IP 218.203.165.153 is involved in a brute force attack against the
following IPs:

Count: 13
1.2.3.157:22
1.2.3.136:22
1.2.3.108:22
1.2.3.31:22
1.2.3.201:22
1.2.3.32:22
1.2.3.195:22
1.2.3.11:22
1.2.3.32:22
1.2.3.180:22
1.2.3.103:22
1.2.3.108:22
1.2.3.122:22

Tested with PHP 5.1.6 (CentOS 5), PHP 5.3.3 (CentOS 6), PHP 5.3.3-7+squeeze13 (Debian Squeeze).

Upcoming/to-do/V2.0:
-check that destination IPs are unique
-add method for iptables drop for a specified timeframe only
-proper source code commenting
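An added example, not the pastebin script and not Damian's code: the same netstat-based check written in Python so the detection logic can be run offline against constructed netstat and iptables -S samples embedded in the file. It folds in the first two to-do items (destinations are counted once per remote IP, and each rule is tagged with its insertion time so a later run can expire it) and takes the port on the command line. Two caveats a node admin would want before copying either version: grep ':22' is a substring match, so it also counts a local port 2200 or a remote ephemeral port such as 22345, which this version avoids by comparing the local port exactly; and, like the original, it only sees what the node's own netstat and FORWARD chain see, so it is tied to a setup where container traffic is routed through the node. The comment tag, the threshold of 10, using -I rather than -A, and all sample data are assumptions of this example, not the PHP script's behaviour.

```python
"""Netstat-based SSH brute-force blocker, written for this thread as an
illustration of what sshcheck.php does. Not the pastebin script: the tag,
threshold, chain and sample data are assumptions made for the demo."""
import argparse
import re
import shlex
import subprocess
import time
from collections import defaultdict

RULE_TAG = "sshcheck"  # assumed comment tag so a later run can recognise and expire our rules
# One `iptables -S <chain>` line for a single-host DROP, with or without our "sshcheck <epoch>" comment
RULE_RE = re.compile(r'^-A \S+ -s ([0-9.]+)(?:/32)?'
                     r'(?: -m comment --comment "?%s (\d+)"?)? -j DROP$' % re.escape(RULE_TAG))

# Constructed sample input (not real captures) so the module runs offline. The tcp6 line shows the
# ::ffff: form a dual-stack listener uses; ports 2200 and 22345 show what `grep :22` would wrongly match.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 1.2.3.157:22            218.203.165.153:40001   ESTABLISHED
tcp        0      0 1.2.3.136:22            218.203.165.153:40002   ESTABLISHED
tcp        0      0 1.2.3.108:22            218.203.165.153:40003   ESTABLISHED
tcp        0      0 1.2.3.108:22            218.203.165.153:40004   SYN_RECV
tcp        0      0 1.2.3.31:22             218.203.165.153:40005   ESTABLISHED
tcp        0      0 1.2.3.201:2200          218.203.165.153:40006   ESTABLISHED
tcp        0      0 1.2.3.10:22             198.51.100.7:22345      ESTABLISHED
tcp6       0      0 ::ffff:1.2.3.11:22      ::ffff:203.0.113.9:5555 ESTABLISHED
"""
SAMPLE_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -s 192.0.2.1/32 -j DROP
-A FORWARD -s 203.0.113.9/32 -m comment --comment "sshcheck 1344563629" -j DROP
-A FORWARD -s 198.51.100.7/32 -m comment --comment "sshcheck 1344567000" -j DROP
"""


def parse_netstat(text, port=22):
    """Map each remote IP to the set of local IPs it has a TCP connection to on `port`.
    The local port is compared exactly, unlike `grep :22`, which also matches 2200 or 22345."""
    conns = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith("tcp"):
            continue  # header, UDP and unix-socket lines
        local_ip, local_port = f[3].rsplit(":", 1)
        if local_port == str(port):
            remote_ip = f[4].rsplit(":", 1)[0]
            conns[remote_ip.replace("::ffff:", "")].add(local_ip.replace("::ffff:", ""))
    return conns


def find_attackers(conns, threshold=10):
    """Remote IPs connected to at least `threshold` distinct local IPs (the set makes them
    unique, which the post's own output, listing 1.2.3.108 twice, did not yet do)."""
    return {src: sorted(dsts) for src, dsts in conns.items() if len(dsts) >= threshold}


def parse_rules(listing):
    """{blocked_ip: epoch_added_or_None} from `iptables -S <chain>` output; untagged
    (hand-added) rules still count as blocks but are never expired by us."""
    rules = {}
    for m in filter(None, map(RULE_RE.match, listing.splitlines())):
        rules[m.group(1)] = int(m.group(2)) if m.group(2) else None
    return rules


def _rule(action, chain, ip, stamp):
    return ["iptables", action, chain, "-s", ip, "-m", "comment",
            "--comment", "%s %d" % (RULE_TAG, stamp), "-j", "DROP"]


def plan(attackers, rules, now, max_age=3600, chain="FORWARD"):
    """Commands for one run: -I a DROP for each attacker not already blocked (so re-runs never
    duplicate a rule; -I lands ahead of any ACCEPT already in the chain) and -D our own rules
    older than `max_age` seconds once the source has stopped. -D must repeat the rule as added."""
    cmds = [_rule("-I", chain, ip, now) for ip in sorted(attackers) if ip not in rules]
    for ip, added in sorted(rules.items()):
        if added is not None and ip not in attackers and now - added >= max_age:
            cmds.append(_rule("-D", chain, ip, added))
    return cmds


def main(port=22, threshold=10, chain="FORWARD", apply=False):
    out = lambda cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    attackers = find_attackers(parse_netstat(out(["netstat", "-tn"]), port), threshold)
    cmds = plan(attackers, parse_rules(out(["iptables", "-S", chain])), int(time.time()), chain=chain)
    for cmd in cmds:
        print(" ".join(shlex.quote(c) for c in cmd))  # the printed form is what a report mail would carry
        if apply:
            subprocess.run(cmd, check=True)
    return attackers, cmds


if __name__ == "__main__":  # e.g. */5 * * * * /usr/bin/python3 /sbin/sshcheck.py --apply
    ap = argparse.ArgumentParser(description="block SSH scanners seen in netstat")
    ap.add_argument("--port", type=int, default=22)
    ap.add_argument("--threshold", type=int, default=10)
    ap.add_argument("--apply", action="store_true", help="execute the rules instead of only printing them")
    a = ap.parse_args()
    main(a.port, a.threshold, apply=a.apply)
```

Without --apply it only prints the iptables commands it would run, which is the safe way to tune the threshold on a live node before letting cron apply rules; the one false positive reported later in this thread (a monitoring setup opening many concurrent sessions) is exactly what that dry run is for.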


Comments

  • I think hosts need to start doing something like this.


    This signature is brought to you by the NSA. Spying on the entire world since 1952!

  • I feel like you are being a managed provider sometimes :P

    I know, I'm Dale Maily.

  • @Taylor said: I feel like you are being a managed provider sometimes :P

    :P

    Having script kiddies get into someone's poorly-passworded VPS tends to wreak havoc in various ways. This is just one way of plugging a hole.

  • fan Member

    Also interested in how it works with Xen and KVM, great contribution to the community!

  • Taz Disabled

    Great tool :)

    Time is good and also bad. Life is short and that is sad. Dont worry be happy thats my style. No matter what happens i won't lose my smile!

  • Taz Disabled

    Question /suggestion /note: this script by default will only work for port 22. Is there any way to make it dynamic? Something like (since this is ovz) find sshd_config, get the SSH port info and dynamically update your script?

  • Damian Member
    edited August 2012

    @NinjaHawk said: Question /suggestion /note: this script by default will only work for port 22. Is there any way to make it dynamic? Something like (since this is ovz) find sshd_config, get the SSH port info and dynamically update your script?

    Sure, I suppose you could. You'd need to look in every /vz/private/*/etc/sshd_config, and that runs into privacy concerns.

    Since there are so many IP ranges out there with active servers on them, script kiddies aren't going to bother port-scanning an IP range to find out where the active SSH ports are, since there are so many easier targets they can move on to.

    Therefore, if a client changes their port away from the default, then they've pretty much solved the problem themselves anyway.

  • William Member, Provider

    @Damian said: I am curious for feedback on if it works for Xen or KVM nodes.

    Since KVM is bridged: No.

  • u4ia Member

    @Damian said: Therefore, if a client changes their port away from the default, then they've pretty much solved the problem themselves anyway.

    +1
    It really works. Some call it security by obscurity, but I call it much smaller log files :)

  • bamn Disabled

    What about setting up a sensor that submits IP addresses to the node to block it from the customers?

  • Damian Member
    edited August 2012

    @u4ia said: It really works. Some call it security by obscurity, but I call it much smaller log files :)

    Mmm hmm, well put in much fewer words :)

    @bamn said: What about setting up a sensor that submits IP addresses to the node to block it from the customers?

    I don't understand what you're asking? Do you mean something the customer sets up inside their VPS?

  • Taz Disabled

    @Damian Given proper credit, can I post this on my Linux script archive that I am working on?

  • Randy Disabled

    Thanks<3

  • Taz Disabled

    @Randy This is a nix script. Nothing for you ;)

  • Randy Disabled

    Can't I say thank you on behalf of everyone? <3

  • Very interesting idea, thanks for sharing.

    Budget SSD Based VPS Hosting @ SSDVM.NET

  • @NinjaHawk said: Given proper credit, can I post this on my Linux script archive that I am working on?

    Sure, though I'd really recommend a "go here for latest version" link or something. This is version 1, it's missing some things like error checking and code comments...

  • DanielM Disabled

    My passwords are so secure I don't know them lol.

  • @DanielM said: My passwords are that secure i dont know them lol.

    Same here. They look like this:

    -----BEGIN DSA PRIVATE KEY-----
    MIIBvAIBAAKBgQDmndgL5WhGdW7XV87FEJodYGfDkWo1QHhuLYAG6RwdPInTf9eK
    S69CQ4pDRUOrVL2eb02GEa8VJrGDVpMS57kLe/j343ayRFrE5DKT97zTr9LIAkP0
    W7i3WsX713ZUvgqGtp9Kavyy2XlMa7C5Rr/FJgtEcUdR8wnG1+8VQtq/hQIVAM6x
    FnRpO5i6URahUV/ORMw7DW9hAoGBAMoSNjdQnSualJ6kp0PJysjX5M+LsGWZHbye
    s0zybqeyaFdRWwOfGeJi/o7xnzROFK6IKaw0EpT5Jwu3cBf0nVi8mk0tXgDQkkTx
    ayXP7O1eszqw9QX73dN37xs3JR7gRjQTSoCVUlMLEFZyRlvYd6dAq8tLTCNZDcS4
    1iCbeKQlAoGBAOQVOIZqXPp2ez41UGUGwD60Yb3ZBhWlQmMneiDLmB410tdy+JIj
    N8YPA7MKCjopOTZSakM0sRAY6nzTsKnEU5LBoC3THUHPdEPDtjTI2SaC8Lz/f61i
    d9ylORCX/I+DqPcYESXeBAyGtA/J8GqG0MUQjQWnfMZiOrjTUcroOUFcAhRJ/+lx
    ZeeHGOCuzfqsseVVM2oRsA==
    -----END DSA PRIVATE KEY-----
    

    (don't bother trying this on any of my servers, I generated a new one for this post)

    FreeVPS.us - The oldest post to host VPS provider
  • @dmmcintyre3 said: Same here. They look like this:

    I wonder if I can mandate that people use private keys to log into their VPS? Although I wonder how hard it would be to educate people on the process.

  • Infinity Member, Provider

    Write a detailed knowledgebase article, I mean, it's not that hard to set up SSH keys.

    Cablestreet - London based ISP - Managed Solutions, Carrier Services, Colocation, Dedicated Servers, VMs, and more..

  • @Damian said: Although I wonder how hard it would be to educate people on the process.

    In fact it's not so difficult to set up.
    But it could also be done as an automated process, without prompting for a password every time for every VPS.

  • Pats Member

    @NinjaHawk said: @Randy This is a nix script. Nothing for you ;)

    can collect lah.. :D
    or convert this to a Windows VPS and give it to the community :)

  • Taz Disabled

    @Pats no offense, but I doubt HE can do this. Just saying.

  • Damian Member
    edited August 2012

    @Pats Windows doesn't use iptables, which is the heart of this script. I don't know what the Windows analog would be.

    http://serverfault.com/questions/207620/windows-equivalent-of-iptables has some information. Update the script and submit it, and I'll merge the differences :)

    You'll also need to determine the Windows equivalent of netstat, and function php_uname('n') won't work on windows.

  • Taz Disabled

    @Damian Why use windowS :P

  • MrAndroid Member
    edited August 2012

    @NinjaHawk said: @Damian Why use Windoze :P

    Correction

    @Damian said: You'll also need to determine the Windows equivalent of netstat, and function php_uname('n') won't work on windows.

    Running PHP on Windows is like doing an egg and spoon race with a pineapple instead of an egg.


    The Original Daniel.

  • @MrLawoodle said: Running PHP on Windows is like doing an egg and spoon race with a pineapple instead of an egg.

    haha, that's a great way of putting it!

  • Pats Member

    @Damian said: @Pats Windows doesn't use iptables, which is the heart of this script. I don't know what the Windows analog would be.

    Oh! I was putting it on @Randy but this guy is putting it on me!! :(

    @MrLawoodle said: Running PHP on Windows is like doing an egg and spoon race with a pineapple instead of an egg.

    So what? You first put the pineapple on the spoon, I'll run later :P

    Well, the situation is not that bad when PHP runs on Windoze. PHP & MySQL are installed on many Window$ servers since clients like to install open-source apps (forums/blogs) along with their own .NET apps.

  • Randy Disabled

    You never know, I might sell Linux someday? :-P I doubt I will use it anyway.

  • When you send the logs to http://www.blocklist.de the attack will be automatically reported:
    http://www.blocklist.de/en/download.html#ohnefail2ban
    You get stats and more.

  • Nice idea

    Greetings of the day!!!!

  • KuJoe Member, Provider

    We use a honeypot method which works extremely well. We assign a handful of IPs that are scattered throughout our /22 to a single VPS with DenyHosts installed, after X attempted connects to that VPS within XX seconds the IP is blackholed on our routers so no traffic can pass to any of our nodes (the attacker will not see any of the network and hopefully move on). After XX minutes the blackhole is lifted to prevent blocking legitimate traffic in case the IP is given to a new user in the future.

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
    Need backup space? Check out BackupDragon
  • joepie91 Member, Provider

    @Damian I think it would be a good idea if you defined a clear license for the script, for this reason.

  • As a developer I would have some sort of front end to remove rules via a link in the email; this takes it away from a lightweight checker though. More user-friendly could mean fewer tickets. There are many situations where I'd set this script off against myself. Perhaps the only one? (Only skimmed the post, sorry if way off lol)

  • @joepie91 said: @Damian I think it would be a good idea if you defined a clear license for the script, for this reason.

    Consider it released under http://sam.zoy.org/wtfpl/ . I can't edit the original post to reflect this.

    @kro said: many situations where I'd set this script off against myself.

    So far the only time we've had a user locked out is when his nagios setup somehow managed to make more than 15 concurrent connections. He changed his setup to.. not do that... and so far haven't had any more false positives.

  • @Damian Thanks for making this public. Nice one! ;)

    BF/CM Grabs: 1-GeorgeDataCenter, 1-Netcup, 1-Avoro, 1-PHP-Friends, 1-Virtono, 1-AlphaVPS, 1-VirMach ($1/year!)
    Other VPS: 4-Virmachs

  • postcd Member
    edited December 2017

    thanks for the script, i wanted to mention that another possibility to protect OpenVZ VPSs might be fail2ban as it may be configured to watch openvz VPS log files and block bruteforcers on the node in ipset. https://internetlifeforum.com/virtualisation/9478-how-protect-openvz-vpss-host-node-server-using-fail2ban-ipset/

    InternetLifeForum.com - hosting, webmaster forum
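A jail in the shape postcd describes, as an added example rather than anything taken from the linked post or from fail2ban's own defaults. The log paths assume the OpenVZ private-area layout Damian mentioned earlier (/vz/private/<ctid>/...), with both the CentOS and Debian auth-log names so one jail covers mixed containers; the action name assumes fail2ban 0.9 or later, where iptables-ipset-proto6 ships; the thresholds are arbitrary. The chain must be FORWARD rather than the default INPUT, because the brute-force traffic is routed through the node to the containers, not terminated on the node. This jail reads every container's auth log from the node side, which is the same privacy point Damian raised above about reading each container's sshd_config.

```ini
# /etc/fail2ban/jail.local on the OpenVZ node (added example; paths and limits are assumptions)
[sshd-containers]
enabled   = true
filter    = sshd
# each container's auth log, read from the node's side of the private area
logpath   = /vz/private/*/var/log/secure
            /vz/private/*/var/log/auth.log
# bans go into an ipset, so thousands of entries cost one iptables rule rather than one each
banaction = iptables-ipset-proto6
# container traffic is routed through the node: match it in FORWARD, not the default INPUT
chain     = FORWARD
maxretry  = 5
findtime  = 600
bantime   = 3600
```

Unlike the netstat approach, this bans on failed logins rather than on connection fan-out, so a scanner that probes one container repeatedly is caught too, at the cost of tailing one log per container.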

  • Bookmark it.

  • WSS Member
    edited December 2017

    Since

    @postcd said:

    ↑ THIS ASSHOLE..

    ..bumped a 5+ year old thread, let me continue my habit of being helpful, even if @Taz has been gone for that long!

    @Taz said:
    Question /suggestion /note : this script by default will only work for port 22. Is there any way to make it dynamic ? Something like (since this is ovz) find sshd _config, get the SSH port info and dynamically update your script?

    change ':22' in the netstat to ".escapeshellcmd($argv[1]).", and pass the port number in your query (php clownpenisfart.php 2202)

    @postcd said:
    thanks for the script

    May you be discovered under 5 pounds of rubble, ten years from now.

  • Is that the new imgur logo?

  • @WSS said:
    Is that the new imgur logo?

    nah, just a bookmark.gif

  • WSS said: Since

    @postcd said:

    ↑ THIS ASSHOLE..

    ..bumped a 5+ year old thread,

    I know there are two ways to get to the opposite corner of a square, but I'm not sure why you'd want to do something to scan the logs of your client VPSes when you can determine it at the node level via netstat. Run time by walking through logs in VMs is likely going to be much slower. Also, nothing about this communicates between nodes: scanner skids are going to scan entire IP ranges, so this is going to be replicated on every node.

    Run time with my method is a couple of seconds. Also, the current iteration communicates with other nodes to immediately enter rules, blacking out all servers from the skids immediately.

    Goooooooooooooooooooooooooodbye moooooooooooonmen

  • @Damian I wasn't actually concerned about a shell around netstat still being the best way to check for this in 2017. I was just answering, so it wouldn't be completely a shitpost. :D

    Also, it helps quite well to ensure your clients' root ssh is disabled after the first login, and yeah, enforce decent keys.. but, then again, half this forum would be bare if that happened!

  • Damian Member
    edited December 2017

    WSS said: @Damian I wasn't actually concerned about a shell around netstat still being the best way to check for this in 2017. I was just answering, so it wouldn't be completely a shitpost. :D

    Also, it helps quite well to ensure your clients' root ssh is disabled after the first login, and yeah, enforce decent keys.. but, then again, half this forum would be bare if that happened!

    By quoting, I was trying to pull in this "this asshole" part, but it's not bolded in the quote :(

    I'd really like to do randomized SSH ports on installation, but it's not in the cards yet. I'd much prefer to respond to "omfg y u no ssh port on default port" tickets instead of "omfg y my server got 'rm -rf /' because I use the same password on everything" tickets. Maybe in The Future this will be implemented and when this post gets bumped in another 5 years, that will be my new response.

  • I feel like the old LET crew used to be more serious and stayed on topic; nowadays you have a band of trolls from Middle-earth. Indeed, LET has changed dramatically, not sure if for better or for worse.

    I must go and build my own little spot on the internet.

  • @IAlwaysBeCoding said:
    I feel like the old LET crew used to be more serious and stayed on topic; nowadays you have a band of trolls from Middle-earth. Indeed, LET has changed dramatically, not sure if for better or for worse.

    That's the second time you admitted to being a rereg this month, Spike.

  • edited December 2017

    @WSS said:

    @IAlwaysBeCoding said:
    I feel like the old LET crew used to be more serious and stayed on topic; nowadays you have a band of trolls from Middle-earth. Indeed, LET has changed dramatically, not sure if for better or for worse.

    That's the second time you admitted to being a rereg this month, Spike.

    @WSS I consider you like a brother from another mommy, but your beef with me is still hurting me deep inside. Even if your accusations run pretty hollow, seeing as you clearly have not a single ounce of idea what you are even talking about, I will always embrace you as my friend and dear adviser to LET.

    Rest assured, dear old pal, that you will always have a cozy welcoming place somewhere in my heart. Best wishes!