Block traffic from clients that failed a root login over ssh, using swatch.
% sudo apt-get install swatch
% sudo vi /etc/swatchrc
-----------------------------------------------------
# Check root login from ssh
# $11 is the 11th whitespace-separated field of the matched auth.log line,
# i.e. the client address in "... Failed password for root from <addr> port ..."
watchfor /sshd\[.*\]: Failed password for root/
    exec "/usr/local/bin/addbadsshclient.sh $11"
    threshold 1:120,repeat=n
-----------------------------------------------------
% sudo vi /etc/init.d/swatch-ssh
-----------------------------------------------------
#!/bin/sh
# Run swatch as a daemon tailing auth.log with the rules in /etc/swatchrc
case "$1" in
  start)
    /usr/bin/swatch -c /etc/swatchrc --tail-file=/var/log/auth.log --daemon > /dev/null 2>&1 &
    ;;
  stop)
    echo "Sorry, No operation"
    ;;
  *)
    echo "Usage /etc/init.d/swatch-ssh start"
    ;;
esac
exit 0
-----------------------------------------------------
% sudo chmod a+x /etc/init.d/swatch-ssh
% sudo ln -s /etc/init.d/swatch-ssh /etc/rc2.d/S99swatch-ssh
% sudo vi /etc/cron.daily/z-Swatch
-----------------------------------------------------
#!/bin/sh
# Restart the swatch daemon once a day.
# "grep -v grep" keeps this pipeline's own grep out of the PID list.
PID=`ps aux | grep swatch | grep -v grep | grep -v pts | awk '{print $2}'`
if [ "${PID}" != "" ]
then
  kill ${PID}
  sleep 1
fi
/etc/init.d/swatch-ssh start
-----------------------------------------------------
% sudo chmod a+x /etc/cron.daily/z-Swatch
% sudo vi /usr/local/bin/addbadsshclient.sh
-----------------------------------------------------
#!/bin/sh
# $1 = client address passed by swatch. Insert a DROP rule for it into the
# ppp-in chain once; a marker file records addresses already blocked.
IPDIR=/tmp/badip
if [ ! -d ${IPDIR} ]
then
  mkdir ${IPDIR}
fi
if [ ! -f ${IPDIR}/$1 ]
then
  /sbin/iptables -I ppp-in -s $1 -j DROP
  touch ${IPDIR}/$1
fi
-----------------------------------------------------
% sudo chmod a+x /usr/local/bin/addbadsshclient.sh
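A hardened variant of the address extraction and block step, added here as an example (it is not the page's own script): it runs the watchfor match over constructed auth.log lines, validates the field swatch hands over as $11 before it can reach iptables, and blocks each address at most once. The sample lines, IPTABLES and CHAIN are assumptions; ppp-in is the chain used by the script above.

```sh
#!/bin/sh
# Constructed sample auth.log lines (not captured from a real host).
SAMPLE_LOG='Mar  3 10:15:02 gw sshd[2143]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:05 gw sshd[2143]: Accepted publickey for alice from 192.168.1.20 port 51235 ssh2
Mar  3 10:16:11 gw sshd[2150]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Mar  3 10:17:30 gw sshd[2160]: Failed password for root from 203.0.113.7 port 51300 ssh2'

# Source address of every failed root login, deduplicated: the same match as
# the swatchrc watchfor line, and the same field swatch passes as $11.
failed_root_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
    | grep -E 'sshd\[[0-9]+\]: Failed password for root from ' \
    | awk '{print $11}' \
    | sort -u
}

# Accept only a plain dotted-quad IPv4 address, so nothing other than an
# address can ever be spliced into the iptables command line.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Hardened core of addbadsshclient.sh: validate, then block at most once.
# IPTABLES and CHAIN are assumptions; set IPTABLES=echo for a dry run.
IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-ppp-in}
block_once() {                       # $1 = address, $2 = marker directory
    is_ipv4 "$1" || { echo "refusing to block '$1'" >&2; return 2; }
    mkdir -p "$2"
    [ -f "$2/$1" ] && return 0       # already blocked, nothing to do
    "$IPTABLES" -I "$CHAIN" -s "$1" -j DROP && touch "$2/$1"
}
```

Run with IPTABLES=echo to see which rule would be inserted without touching the firewall.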
Example that accepts only one SYN per minute
# iptables -A INPUT -p tcp --syn --destination-port 22 \
    -m limit --limit 1/m -j ACCEPT
# iptables -A INPUT -p tcp --syn --destination-port 22 \
    -j LOG --log-level info --log-prefix "SSHAccess "
# iptables -A INPUT -p tcp ! --syn --destination-port 22 -j ACCEPT
Use the Match directive in sshd_config so that access from outside the company is allowed only with public-key authentication.
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 172.16.0.0/12,192.168.0.0/16
    PasswordAuthentication yes
    PubkeyAuthentication yes