Openwrt高级应用之2：简单脚本防止ssh暴力攻击

pu***

原理：1. snort做入侵检测是很好，但是太大太复杂，我们需要轻量化的操作。当对方进行SSH 端口的穷举攻击的时候，dropbear会在系统log中记录下特定信息如：


login attempt for nonexistent user
bad password attempt for

通过后台crontab当特定时间段内检测到一定频率的攻击，则将此IP所有数据包全部DROP忽略。

2. 安装：
1）复制脚本DropBrute.sh 到任意目录如 /etc/ 下，授予执行权限如0755. 在crontab（LUCI WEB -->system - scheduled task）中加入一行，每隔一段时间执行：
*/10 * * * * /etc/DropBrute.sh 2>&1 >> /tmp/DropBrute.log
关于如何配置定期任务cron： http://en.wikipedia.org/wiki/Cron

本例是10分钟执行一次扫描log

3. 脚本配置：
见脚本中说明，如看不懂英文请补习英语。


#!/bin/sh
#
# DropBrute.sh @20130516
#
# minimalist OpenWRT/dropbear ssh brute force attack banning script
#
# Installation steps:
#
# 1) Optionally edit the variables in the header of this script to customise
#    for your environment
#
# 2) Insert a reference for this rule in your firewall script before you
#    accept ssh, something like:
#
#    iptables -N DropBrute
#    iptables -I input_rule -i br-wan -p tcp --dport 22 -j DropBrute
#    iptables -I input_rule -i br-wan -p tcp --dport 22 -m state --state NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
#
# 3) Run the script periodically out of cron:
#
#    echo '*/10 * * * * /usr/sbin/DropBrute.sh 2>&1 >> /tmp/DropBrute.log' >> /etc/crontabs/root
#
# 4) If cron is not enabled, you'll also need to run the following:
#
#    /etc/init.d/cron enable && /etc/init.d/cron start
#
#
# To whitelist hosts or networks, simply add a manual entry to the lease
# file with a leasetime of -1.  This can be done with the following syntax:
#
#    echo -1 192.168.1.0/24 >> /tmp/DropBrute.leases
#
# A static, or non-expiring blacklist of a host or network can also be
# added, just use a lease time of 0.  This can be done with the following syntax:
#
#    echo 0 1.2.3.0/24 >> /tmp/DropBrute.leases

# How many bad attempts before banning. Only the log entries from the
# current day are checked.
allowedAttempts=5

# How long IPs are banned for after the current day ends.
# default is 1 days
secondsToBan=$((7*60*60*24))

# the "lease" file - defaults to /tmp which does not persist across reboots
leaseFile=/tmp/DropBrute.leases

# This is the iptables chain that drop commands will go into.
# you will need to put a reference in your firewall rules for this
iptChain=DropBrute

# the IP Tables drop rule
iptDropRule='-j DROP'

# the IP Tables whitelist rule
iptWhiteRule='-j RETURN'

# You can put default leasefile entries in the following space.
# Syntax is simply "leasetime _space_ IP_or_network".  A leasetime of -1 is a
# whitelist entry, and a leastime of 0 is a permanent blacklist entry.
[ -f $leaseFile ] || cat <<__EOF__>>$leaseFile
-1 192.168.0.0/24
-1 192.168.1.0/24
__EOF__

# End of user customizable variables (unless you know better )

ipt='/usr/sbin/iptables'

[ `date +'%s'` -lt 1320000000 ] && echo System date not set, aborting. && exit -1
$ipt -N $iptChain >&/dev/null

today=`date +'%b %d'`
now=`date +'%s'`
nowPlus=$((now + secondsToBan))

echo Running DropBrute on `date` \($now\)

# find new badIPs
for badIP in `logread|egrep "^$today"|fgrep dropbear|egrep 'login attempt for nonexistent user'\|'bad password attempt for'|sed 's/^.*from //'|sed 's/:.*$//'|sort -u` ; do
  found=`logread|egrep "^$today"|fgrep dropbear|egrep 'login attempt for nonexistent user'\|'bad password attempt for'|sed 's/^.*from //'|sed 's/:.*$//'|fgrep $badIP|wc -l`
  if [ $found -gt $allowedAttempts ] ; then
    if [ `egrep \ $badIP\$ $leaseFile|wc -l` -gt 0 ] ; then
       [ `egrep \ $badIP\$ $leaseFile|cut -f1 -d\ ` -gt 0 ] && sed -i 's/^.* '$badIP\$/$nowPlus\ $badIP\/ $leaseFile
    else
       echo $nowPlus $badIP >> $leaseFile
    fi
  fi
done

# now parse the leaseFile
while read lease ; do
  leaseTime=`echo $lease|cut -f1 -d\ `
  leaseIP=`echo $lease|cut -f2 -d\ `
  if [ $leaseTime -lt 0 ] ; then
    if [ `$ipt -S $leaseChain|egrep \ $leaseIP/32\ \|\ $leaseIP\ |fgrep -- "$iptWhiteRule"| wc -l` -lt 1 ] ; then
      echo Adding new whitelist rule for $leaseIP
      $ipt -I $iptChain -s $leaseIP $iptWhiteRule
    fi
  elif [ $leaseTime -ge 1 -a $now -gt $leaseTime ] ; then
    echo Expiring lease for $leaseIP
    $ipt -D $iptChain -s $leaseIP $iptDropRule
    sed -i /$leaseIP/d $leaseFile
  elif [ $leaseTime -ge 0 -a `$ipt -S $leaseChain|egrep \ $leaseIP/32\ \|\ $leaseIP\ |wc -l` -lt 1 ] ; then
    echo Adding new rule for $leaseIP
    $ipt -A $iptChain -s $leaseIP $iptDropRule
  fi
done < $leaseFile

fc***

这样的攻击觉得对路由影响不大 尽管他进来了他肯定会觉得自己是白痴

qq62***

[catsoul=5]给力！[/catsoul]

yyl***

Aug 25 04:11:36 OpenWrt authpriv.info dropbear[3568]: Child connection from 61.156.238.56:57197
Aug 25 04:11:46 OpenWrt authpriv.warn dropbear[3568]: Bad password attempt for 'root' from 61.156.238.56:57197
Aug 25 04:11:46 OpenWrt authpriv.info dropbear[3568]: Exit before auth (user 'root', 1 fails): Exited normally
看日志是不是就是这个？

oka***

感谢分享，学习学习。

lib***

非常实用的技巧，感谢分享

ay***

你不会用fall2ban吗
----------------------------
手滑大错了，我不至于连英文都不知道
你肯定是编译时没选择对，可以不依赖这些的

939***

这个有用

magi***

顶一个，最近才发现路由器一直被攻击中……

kks***

谢谢分享！！

nh***

这个什么恩山币要回复才能赚一个，没办法，我要下载个东西，一共要40个恩山币，所以我就随便回复赚一点恩山币就走了

amw***

好东西，收藏了，大家都去刷路由了，相关安全也得多注意点，楼主好人。

wuji***

学习了，最近总是有Login attempt for nonexistent user

li78***

以前用ROS时 用过类似 ，现在自己编译OPENWRT 自己用 加上电信狗比的 改成100.ip基本没啥用处了

k92***

#脚本检测 SSH 暴力穷举