Security Incidents mailing list archives

Re: RE: Internet SSH scans


From: Daxomatic <nerden () gmail com>
Date: Fri, 3 Mar 2006 16:06:05 +0100

Hi List,

Like anybody on the net, I have these problems too, and was bored with
scrolling the endless logs. So I decided to put an end to it. Here is
a (rather small but effective and a bit blunt) script to put a stop to
this annoying behaviour ;-p

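#!/bin/bash
# Follow the syslog file and load an ipf block rule for the source of every
# "Invalid user" line (the address is taken from the last field of the line).
tail -0f /var/adm/messages | while read -r line; do
        echo "$line" | awk '/Invalid user/ {printf("block in quick on bge1 proto tcp from %s to any port = 22 keep state\n", $NF)}' | ipf -f -
done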

As you all can see, this is for a Solaris 10 box (ipf). If you want to
make it work for Linux you could do something like this:

# cut -b 8- drops the first 7 bytes of the logged address before it reaches iptables
tail -0f /var/log/messages | while read -r line; do echo "$line" | awk '/Invalid user/ {print $NF}' | cut -b 8- | xargs -I {} iptables -A INPUT -p tcp -m multiport --destination-ports 22 -s {} -j DROP; done

I know there are better ways to script this but hey, it's quick and it
works for me, so perhaps it's useful for you guys/girls too :-)


Rgds
Dax Hoes

On 3 Mar 2006 05:14:44 -0000, admin () chem uw edu pl <admin () chem uw edu pl> wrote:
I have many SSH scans in my large academic network. IMO scanning hosts are Windows zombies.

/p
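
Added example, not part of the original post or thread: a variant of the same log-to-firewall idea that validates the address, skips an allowlist, applies a threshold and emits each rule once, printing the iptables commands instead of running them. The names THRESHOLD, ALLOWLIST, block_rules and SAMPLE_LOG, the threshold value and the sample log lines are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Reads sshd log lines on stdin and
# prints (does not run) one iptables command per address that should be blocked.
THRESHOLD=3              # assumed: "Invalid user" hits before blocking
ALLOWLIST="192.0.2.10"   # assumed: space-separated addresses never blocked

block_rules() {
    awk -v threshold="$THRESHOLD" -v allow="$ALLOWLIST" '
    function valid_ipv4(s,   o, k) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        split(s, o, ".")
        for (k = 1; k <= 4; k++) if (length(o[k]) > 3 || o[k] + 0 > 255) return 0
        return 1
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /sshd\[[0-9]+\]: .*Invalid user / {
        # Use the field after the LAST "from": the user name is remote input and
        # may contain spaces, and newer sshd appends "port N" after the address.
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        sub(/^::ffff:/, "", ip)  # IPv4-mapped prefix (assumed target of cut -b 8-)
        if (!valid_ipv4(ip) || (ip in skip) || (ip in blocked)) next
        if (++hits[ip] >= threshold) {
            blocked[ip] = 1      # emit each address once, not once per log line
            printf "iptables -A INPUT -p tcp --dport 22 -s %s -j DROP\n", ip
        }
    }'
}

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG='Mar  3 16:00:01 host sshd[101]: Invalid user admin from ::ffff:203.0.113.5
Mar  3 16:00:02 host sshd[102]: Invalid user test from 203.0.113.5 port 40112
Mar  3 16:00:03 host sshd[103]: Invalid user a from 198.51.100.7 from 203.0.113.5
Mar  3 16:00:04 host sshd[104]: Invalid user oracle from 203.0.113.5
Mar  3 16:00:05 host sshd[105]: Invalid user x from 192.0.2.10
Mar  3 16:00:06 host sshd[106]: Invalid user y from 192.0.2.10
Mar  3 16:00:07 host sshd[107]: Invalid user z from 192.0.2.10
Mar  3 16:00:08 host sshd[108]: Invalid user q from 999.1.1.1'

printf '%s\n' "$SAMPLE_LOG" | block_rules
```

To use it on a live log, feed it from `tail -0f` and review the printed commands before applying them.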


