View the full version: Analyzing dropbear logs, deny IPs bruteforcing your router

24-08-2008, 12:06

I've installed dropbear, enabled private/public key authentication, but I'm still worried that they are trying to hack my ssh daemon by trying to brute force the password (which obviously doesn't work, but anyway) ...

So in case you have password authentication turned on, and you run ssh on its default port, then you might need this script.

It will analyze the logs, find the IP address that connects to your router and fails the authentication, then deny this address with iptables so he can never again try brute forcing your router.

Here are the steps to do it:

0. unzip the files from the archive.
1. rewrite the paths in the blockBruteForceIPs to match your system
2. maybe delete all IPs from ip-blocklist ? (these are automatically blocked on my system)
3. rewrite ip-whitelist to add your known IPs
4. add these lines to your post-firewall script:

# create our block chain
iptables -N blockip
iptables -I INPUT -j blockip

5. update your cron file to start the blockBruteForceIPs script every 10 minutes.

That's it :) - you may `cat ip-blockstatus` in your profile to always see the status when you log in, it's up to you.
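
As an added example (not the script from the poster's archive), the sketch below shows the kind of log analysis described above: it counts failed dropbear logins per source address, skips whitelisted addresses, and prints the iptables rules for the blockip chain instead of applying them. The log lines, THRESHOLD, WHITELIST and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed dropbear logins per source IP and print the
# iptables rules that would put repeat offenders into the "blockip" chain.
THRESHOLD=3                # assumed: failures before an address is blocked
WHITELIST="192.0.2.10"     # assumed: space-separated trusted IPs

# Constructed sample syslog lines using dropbear's log messages.
sample_log() {
cat <<'EOF'
Aug 24 12:00:01 router authpriv.warn dropbear[811]: Bad password attempt for 'root' from 203.0.113.7:40112
Aug 24 12:00:03 router authpriv.warn dropbear[811]: Bad password attempt for 'root' from 203.0.113.7:40112
Aug 24 12:00:05 router authpriv.warn dropbear[812]: Login attempt for nonexistent user from 203.0.113.7:40120
Aug 24 12:01:10 router authpriv.warn dropbear[815]: Bad password attempt for 'admin' from 198.51.100.4:51000
Aug 24 12:02:00 router authpriv.warn dropbear[820]: Bad password attempt for 'root' from 192.0.2.10:33000
Aug 24 12:02:01 router authpriv.warn dropbear[820]: Bad password attempt for 'root' from 192.0.2.10:33000
Aug 24 12:02:02 router authpriv.warn dropbear[820]: Bad password attempt for 'root' from 192.0.2.10:33000
Aug 24 12:03:00 router authpriv.notice dropbear[830]: Password auth succeeded for 'root' from 198.51.100.4:51010
EOF
}

# Read a log on stdin; print each non-whitelisted IP with >= THRESHOLD failures.
# The address is taken from the end of the line only, never from the middle.
failed_ips() {
    grep -iE 'dropbear\[[0-9]+\]: (bad password attempt|login attempt for nonexistent user)' |
    sed -nE 's/.* from ([0-9]{1,3}(\.[0-9]{1,3}){3}):[0-9]+$/\1/p' |
    sort | uniq -c |
    awk -v t="$THRESHOLD" -v wl="$WHITELIST" '
        BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 >= t && !($2 in ok) { print $2 }'
}

# Dry run: print the rules; pipe the output to sh to actually apply them.
block_rules() {
    failed_ips | while read -r ip; do
        echo "iptables -A blockip -s $ip -j DROP"
    done
}

sample_log | block_rules
```

On a router, feed the real log to `block_rules` in place of `sample_log`; the whitelist check is what keeps a mistyped password from one of your own addresses from locking you out.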