![[PukiWiki]](image/alfa.png "[PukiWiki]")
ssh で root ログインを失敗したクライアントからの通信を 遮断する. swatch を用いる.
% sudo apt-get install swatch
% sudo vi /etc/swatchrc
-----------------------------------------------------
# Check root login from ssh
watchfor /sshd\[.*\]: Failed password for root/
exec "/usr/local/bin/addbadsshclient.sh $11"
threshold 1:120,repeat=n
-----------------------------------------------------
% sudo vi /etc/init.d/swatch-ssh
-----------------------------------------------------
#!/bin/sh
case "$1" in
start)
/usr/bin/swatch -c /etc/swatchrc --tail-file=/var/log/auth.log --daemon > /dev/null 2>&1 &
;;
stop)
echo "Sorry, No operation"
;;
*)
echo "Usage /etc/init.d/swatch start"
esac
exit 0
-----------------------------------------------------
% sudo chmod a+x /etc/init.d/swatch-ssh
% sudo ln -s /etc/init.d/swatch-ssh /etc/rc2.d/S99swatch-ssh
% sudo vi /etc/cron.daily/z-Swatch
-----------------------------------------------------
#!/bin/sh
PID=`ps aux |grep swatch |grep -v pts | awk '{print $2}'`
if [ "${PID}" != "" ]
then
kill ${PID}
sleep 1
fi
/etc/init.d/swatch-ssh start
-----------------------------------------------------
% sudo chmod a+x /etc/cron.daily/z-Swatch
% sudo vi /usr/local/bin/addbadsshclient.sh
-----------------------------------------------------
#!/bin/sh
IPDIR=/tmp/badip
if [ ! -d ${IPDIR} ]
then
mkdir ${IPDIR}
fi
if [ ! -f ${IPDIR}/$1 ]
then
/sbin/iptables -I ppp-in -s $1 -j DROP
touch ${IPDIR}/$1
fi
-----------------------------------------------------
% sudo chmod a+x /usr/local/bin/addbadsshclient.sh
1分間に 1 syn アクセスだけを認める例
# iptables -A INPUT -p tcp --syn --destination-port 22 \
-m limit --limit 1/m -j ACCEPT
# iptables -A INPUT -p tcp --syn --destination-port 22 \
-j LOG --log-level info --log-prefix "SSHAccess "
# iptables -A INPUT -p tcp ! --syn --destination-port 22 -j ACCEPT
sshd_config で Match ディレクティブを使い, 社外からのアクセスでは公開鍵認証のみにする.
PasswordAuthentication no PubkeyAuthentication yes Match Address 172.16.0.0/12,192.168.0.0/16 PasswordAuthentication yes PubkeyAuthentication yes
