SBFD - SSH Brute-Force Detector

SBFD runs from cron, scanning the latest changes in your syslog file for failed login attempts. After a threshold has been reached (defaults to 5 failures or connections immediately dropped), the IP is added to "/etc/hosts.deny.sshd". This file can then be used by tcpwrappers to block further connections from that IP

It is recommended a list of fall-back IPs be configured in /etc/hosts.allow, so they never get blocked.

To get emailed when a new IP is added, edit /usr/local/bfd/notify

Install instructions

• Untar SBFD and put it in /usr/local/bfd
• edit /usr/local/bfd/notify to configure who to send emails
• If your distribution uses /var/log/secure instead of /var/log/messages, edit /usr/local/bfd/logwatch
• /etc/hosts.allow setup:

  sshd : [fall-back ip list] : allow
  sshd : /etc/hosts.deny.sshd : deny
  [etc - default deny or allow]
  

• BFD cron example (running as root):

  * * * * * /usr/local/bfd/logwatch
  

You also might want to block all IPs without reverse DNS or valid reverse DNS with the line:

sshd : PARANOID UNKNOWN : deny

change history

• 1.4 2007-06-07: Security: regular expressions not strict enough [notes]
• 1.3 2007-04-24: Missing brute-force attack matches fixed (as reported by Hraban)
• [name change to SBFD]
• 1.2 2005-05-11: Reports that gensub does not work on FreeBSD 5.x's awk, changed to use gsub. Additional strings to watch for suggested by David Coquet
• 1.1 2005-05-09: change tlog to use /usr/bin/env bash to be more portable
• 1.0 ?: first release

similar programs / other solutions

• R-fx Network's BFD - I stole some ideas from this program, but I didn't like any of their code. I seem to have stolen their program's name too, but I didn't mean to.
• Daemon Shield - This uses a python-based daemon to parse logs and insert iptables rules (linux-only)
• DenyHosts - python-based program that does pretty much the same thing
• Turn off password-based auth and use only key-based auth
• Rate Limit new connections
• Connection rate limiting with OpenBSD's PF
• perl-based log watcher, uses ipf to block by default
• sshban - uses a fifo that syslog is configured to log to

Speed

Running under FreeBSD 4.11 on a dual p3 1ghz:

9712 runs completed over 161 hours
wallclock time spent per run:
min 0.030s
avg 0.058s
max 0.840s
stddev 0.029s

security

2007-06-07: The recent focus on spoofed ssh log messages made me re-examine the log message regular expressions. I wrote a simple shellscript to test these log messages. Here is how sbfd handled them:

$ ./test-iplist ./sbfd-1.3/iplist
TEST:username with spaces in it
192.168.50.65
192.168.50.65
TEST:invalid protocol with failed password in it
192.168.50.65
192.168.50.65
TEST:invalid user
192.168.50.65
TEST:bad protocol: username with "from all"
192.168.50.65
192.168.50.65
TEST:ssh printing "from all"
all
TEST:ssh printing "from all", with port
all port 34786 ssh2

$ ./test-iplist ./sbfd-1.4/iplist
TEST:username with spaces in it
192.168.50.65
TEST:invalid protocol with failed password in it
TEST:invalid user
192.168.50.65
TEST:bad protocol: username with "from all"
TEST:ssh printing "from all"
error with host all
TEST:ssh printing "from all", with port
error with host all

The "ssh printing from all" test case is just a defensive coding test, as I don't see how ssh could ever print such a thing. The other cases are safe from the attacks even in 1.3, because ssh always prints "from [hostname]" at the end of the line, and the .* in the regex is greedy (will match everything it can).

That said, 1.4 fixes the case where 1.3 was mistaken by invalid protocol, as well as 1.3's double matching of lines.

I welcome any examples where sbfd does the wrong thing

contact

sbfd AT drown .org

- et tu, brute for ce?