Null route ssh attacks on your debian server

October 29, 2018

I use these scripts to catch and null route failed ssh attempts.
I keep the working files in /root/firewall. Depending on your Postfix mail filtering options, the failures may be logged to mail.log rather than auth.log; if so, just change the log file the script reads.

The first script “NULLAUTH” extracts the IP addresses of failed ssh attempts and null routes them.
The second script “RMNULL” erases the previously stored null routes.
I recommend creating a crontab entry for NULLAUTH and running it periodically.

##NULLAUTH
#!/bin/bash
cd /root/firewall || exit 1
# Drop the routes added by the previous run before rebuilding the list
# (RMNULL must be on PATH or be called by its full path).
RMNULL
# Collect the source addresses of failed ssh logins from auth.log.
grep "authentication failure" /var/log/auth.log | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" > authfailure
# One entry per address; sort -u already removes the duplicates.
sort -u authfailure > BLACKLIST
## Null route BLACKLIST
for x in $(cat BLACKLIST); do
    echo "Null routing $x..."
    ip route add blackhole "$x"
done

##RMNULL
#!/bin/bash
cd /root/firewall || exit 1
# Delete every null route listed in BLACKLIST.
for x in $(cat BLACKLIST); do
    echo "unblocking $x..."
    ip route delete "$x"
done
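As an added example (not the post's own scripts), the same idea with two refinements a practitioner will want: a failure threshold plus an allowlist, so one mistyped password or your own admin address does not end up null routed, and a reconcile step that only adds or deletes the routes that actually changed instead of flushing and re-adding them all. The sample auth.log lines, the allowlist address and the DRY_RUN switch are constructed for this example.

```shell
#!/bin/bash
# Added example, not the post's own scripts: pick offenders from auth.log text
# with a failure threshold and an allowlist, then reconcile the blackhole routes
# against what is already present instead of flushing and re-adding everything.
# With DRY_RUN=1 (the default) the ip commands are printed instead of executed.
: "${DRY_RUN:=1}"
# Constructed sample auth.log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG='Oct 29 10:00:01 host sshd[101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Oct 29 10:00:02 host sshd[102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=admin
Oct 29 10:00:03 host sshd[103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Oct 29 10:00:04 host sshd[104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Oct 29 10:00:05 host sshd[105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Oct 29 10:00:06 host sshd[106]: Accepted publickey for alice from 192.0.2.10 port 4242 ssh2'
# Addresses never to null route (assumed: your own admin host), space separated.
ALLOWLIST='192.0.2.10'

# offenders LOGTEXT N: sorted source addresses with at least N failures,
# one per line, allowlisted addresses removed.
offenders() {
    printf '%s\n' "$1" | grep 'authentication failure' \
        | grep -Eo 'rhost=([0-9]{1,3}\.){3}[0-9]{1,3}' | cut -d= -f2 \
        | sort | uniq -c \
        | awk -v t="$2" -v allow=" $ALLOWLIST " \
              '$1 >= t && index(allow, " " $2 " ") == 0 { print $2 }' | sort
}

# reconcile DESIRED PRESENT: the ip(8) commands that turn the present set of
# blackhole routes into the desired one (both are newline-separated lists).
reconcile() {
    awk -v d="$1" -v p="$2" 'BEGIN {
        n = split(d, da, "\n"); for (i = 1; i <= n; i++) if (da[i] != "") want[da[i]] = 1
        m = split(p, pa, "\n"); for (i = 1; i <= m; i++) if (pa[i] != "") have[pa[i]] = 1
        for (a in want) if (!(a in have)) print "ip route add blackhole " a
        for (a in have) if (!(a in want)) print "ip route delete " a
    }' | sort
}

# apply: run, or in dry-run mode print, the commands read on stdin.
apply() {
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $cmd"; else $cmd; fi
    done
}
if [ "$DRY_RUN" = 1 ]; then
    present='198.51.100.7'   # constructed: pretend this address is already routed
else                         # real run: needs root and iproute2
    present=$(ip -4 route show type blackhole | awk '$1 == "blackhole" { print $2 }')
fi
reconcile "$(offenders "$SAMPLE_LOG" 2)" "$present" | apply
```

Run as root with DRY_RUN=0 and the real log (`offenders "$(cat /var/log/auth.log)" 5`) to act on the live routing table; the reconcile step makes repeated cron runs idempotent.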

Categories: sysadmin