DEV Community

KM

Posted on

5 1

SSHBlack - Securing open linux servers

SSHBlack is a must-have utility for open servers on a public network (the internet). Download the latest version from the website. The installation steps are as follows:

$ tar -zxf sshblackv281.tar.gz
$ mv sshblack /usr/local/sshblack
$ cd /usr/local/sshblack
# give the script executable permission
$ chmod 755 sshblack.pl
# create a new iptables chain named BLACKLIST
$ iptables -N BLACKLIST

Next, edit sshblack.pl. Open it in your favourite editor and update the following variables:

# run the process in the background
my($DAEMONIZE) = '1';
# the log file to monitor: '/var/log/auth.log' on Ubuntu, '/var/log/secure' on RedHat-based systems
my($LOG) = '/var/log/auth.log';
# your own static IP, which must never be blacklisted; shown here as WWW.XXX.YYY.ZZZ
my($LOCALNET) = '^(?:127\.0\.0\.1|WWW\.XXX\.YYY\.ZZZ)';

Save the file. Running ./sshblack.pl starts the script as a background process. The file /var/log/sshblacklisting logs the IP information of clients accessing or attacking the server.

Once an IP has attacked the server more than 5 times (the default value of the variable $MAXHITS), a DROP rule for that IP is added to the iptables BLACKLIST chain. This prevents new connections from the attacker, protecting the server from further brute-force attempts. A sample of the IPs blacklisted on my server by the script is listed below:

$ iptables -L
Chain BLACKLIST (1 references)
target     prot opt source destination
DROP       all  --  132.232.54.102       anywhere
DROP       all  --  139.59.84.55         anywhere
DROP       all  --  222.187.232.212      anywhere
DROP       all  --  222.187.225.10       anywhere
DROP       all  --  222.187.238.32       anywhere
DROP       all  --  58.241.250.152       anywhere

If you flush the iptables rules, make sure to also clear the text database that keeps track of the attacking IP addresses:
echo '' > /var/tmp/ssh-blacklist-pending
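To make the mechanism concrete, here is an added example (written for this post, not the sshblack.pl code itself) that reproduces the core loop in Python: parse sshd "Failed password" lines, count failures per source IP, skip anything matching the $LOCALNET pattern, and emit the iptables rule for the BLACKLIST chain once an IP exceeds $MAXHITS. The log lines are constructed, the IP 192.0.2.10 stands in for WWW.XXX.YYY.ZZZ, and the "ip count" layout of the pending file is an assumption of this example, not sshblack's real format. Commands are returned rather than executed so the logic can be checked offline.

```python
"""Minimal sshblack-style SSH blacklister (added example, not sshblack.pl).

Counts failed sshd logins per source IP, ignores addresses matching LOCALNET,
and returns the iptables command that would add the IP to the BLACKLIST chain
once the count exceeds MAXHITS.
"""
import re
from collections import Counter

# Settings mirroring the post's configuration. 192.0.2.10 is a placeholder for
# the admin's own static IP (WWW.XXX.YYY.ZZZ in the post).
MAXHITS = 5
LOCALNET = re.compile(r'^(?:127\.0\.0\.1|192\.0\.2\.10)')

# sshd "Failed password" line from /var/log/auth.log; the source IP follows "from".
FAILED_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})'
)


def extract_failed_ip(line):
    """Return the source IP of a failed sshd login, or None if the line is not one."""
    m = FAILED_RE.search(line)
    return m.group(1) if m else None


def scan(lines, hits=None, blocked=None):
    """Feed log lines through the hit counter.

    hits:    running per-IP failure counts (the role of /var/tmp/ssh-blacklist-pending)
    blocked: IPs already present in the BLACKLIST chain, so each rule is emitted once
    Returns (hits, blocked, commands); commands are the iptables rules to run.
    """
    hits = Counter() if hits is None else hits
    blocked = set() if blocked is None else blocked
    commands = []
    for line in lines:
        ip = extract_failed_ip(line)
        if ip is None or LOCALNET.match(ip):
            continue  # not a failed login, or a host that must never be blocked
        hits[ip] += 1
        if hits[ip] > MAXHITS and ip not in blocked:
            blocked.add(ip)
            commands.append(f'iptables -A BLACKLIST -s {ip} -j DROP')
    return hits, blocked, commands


def load_pending(path):
    """Read 'ip count' lines (assumed format); a blank file, as left by
    echo '' > file, simply yields empty counts."""
    hits = Counter()
    try:
        with open(path) as fh:
            for line in fh:
                parts = line.split()
                if len(parts) == 2:
                    hits[parts[0]] = int(parts[1])
    except FileNotFoundError:
        pass
    return hits


def save_pending(hits, path):
    """Write the counts back in the same assumed 'ip count' format."""
    with open(path, 'w') as fh:
        for ip, n in sorted(hits.items()):
            fh.write(f'{ip} {n}\n')


def sample_line(pid, ip, user='root', invalid=False):
    """Build a constructed auth.log line in sshd's Failed-password shape."""
    who = f'invalid user {user}' if invalid else user
    return (f'Mar  3 10:01:{pid % 60:02d} host sshd[{pid}]: Failed password for '
            f'{who} from {ip} port {40000 + pid} ssh2')


# Constructed sample log: 6 failures from one attacker (over MAXHITS), 2 from a
# second host, 7 from the protected LOCALNET address, and one successful login.
SAMPLE_LOG = (
    [sample_line(2200 + i, '203.0.113.7') for i in range(6)]
    + [sample_line(2300 + i, '198.51.100.9', 'admin', invalid=True) for i in range(2)]
    + [sample_line(2400 + i, '192.0.2.10') for i in range(7)]
    + ['Mar  3 10:05:00 host sshd[2500]: Accepted password for km from 198.51.100.9 port 52000 ssh2']
)

if __name__ == '__main__':
    hits, blocked, commands = scan(SAMPLE_LOG)
    for cmd in commands:
        print(cmd)
    print(dict(hits))
```

Note that a user-defined chain is only consulted if some built-in chain jumps to it; the "(1 references)" in the listing above shows the BLACKLIST chain is wired into INPUT on the author's server, which is why the DROP rules take effect.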


Top comments (2)

Glenn Carremans

Interesting, I have never heard of sshblack but was wondering how is this different than Fail2ban?
Also it doesn't seem to have been updated since 2007, so personally I would advise against using it.

KM

SSHBlack and Fail2ban are similar applications. SSHBlack is simple and straightforward. It does only one job, protecting your server from SSH attacks, and it does it well.

Regarding updates: it's just a Perl script, which parses logs for a regex.
