DEV Community

KM
KM

Posted on

SSHBlack - Securing open linux servers

SSHBlack is a must have utility for open servers in the public network(internet). Download the latest versions from the website. The installation steps are as follows:

$ tar -zxf sshblackv281.tar.gz
$ mv sshblack /usr/local/sshblack
$ cd /usr/local/sshblack
# provide excutable permission for the script
$ chmod 755 sshblack.pl
# Create a new chain BLACKLIST
$ iptables -N BLACKLIST

Next we need to update the sshblack.pl. Open your favourite editor and update the variables

# this will run the process in the background
my($DAEMONIZE) = '1';
# The INPUT log file you want to monitor; If Ubuntu OS its '/var/log/auth.log'; if its RedHat based OS '/var/log/secure';
my($LOG) = '/var/log/auth.log';
# Update your static IP which should never be blacklisted, displayed as WWW.XXX.YYY.ZZZ;
my($LOCALNET) = '^(?:127\.0\.0\.1|WWW\.XXX\.YYY\.ZZZ)';

Save the file. ./sshblack.pl will start the script as a background process. The /var/log/sshblacklisting file will log the IP information of clients accessing/attacking the server.

Once the server is attacked more than 5 times(default value of variable $MAXHITS), a block rule is added to iptables with the IP information. This prevents new connections to the server from the attacker, in turn preventing the server from brute force attempts. A sample of IP’s which is blacklisted in my server using the script is listed below:

$ iptables -L
Chain BLACKLIST (1 references)
target     prot opt source destination
DROP       all  --  132.232.54.102       anywhere
DROP       all  --  139.59.84.55         anywhere
DROP       all  --  222.187.232.212      anywhere
DROP       all  --  222.187.225.10       anywhere
DROP       all  --  222.187.238.32       anywhere
DROP       all  --  58.241.250.152       anywhere

If you clear the iptables, make sure to clear the text database which keeps track of the attacked IP address.
echo '' > /var/tmp/ssh-blacklist-pending

Top comments (2)

Collapse
 
glennmen profile image
Glenn Carremans

Interesting, I have never heard of sshblack but was wondering how is this different than Fail2ban?
Also it doesn't seem to be updated since 2007 so personally I would advice against using it.

Collapse
 
chyn_km profile image
KM

SSHBlack & Fail2ban are similar applications. SSHBlack is simple and straight forward. It does only one job - protects your server from SSH attacks, & it does it well.

Regarding Updates - Its just a PERL script, which parses logs for a REGEX.