sshutout is a daemon that periodically monitors log files, looking for multiple failed login attempts via the Secure Shell daemo
Version: 1.0.5sshutout is a daemon that periodically monitors log files, looking for multiple failed login attempts via the Secure Shell daemon.
Operating System: Linux
sshutout is meant to mitigate what are commonly known as "dictionary attacks," i.e. scripted brute force attacks that use lists of user IDs and passwords to effect unauthorized intrusions.
The sshutout daemon blunts such attacks by creating firewall rules to block individual offenders from accessing the system. These rules are created when an attack signature is detected, and after a configurable expiry interval has elapsed, the rules are deleted.
The sshutout algorithm follows a pretty standard model for *nix daemons. The program starts, assumes a fairly safe set of built-in default values, then consults an optional configuration file to further refine these values, and finally consults the command line for arguments specifying overrides. The program checks to see that it has the required superuser authority and then forks. Its newly forked daemon process detaches from the console; the original process terminates.
Next, an initial whitelist is constructed from the addresses of all active network interfaces. In addition, the name servers and default route are added to this whitelist. Finally, host addresses specified in the configuration file or command line are appended to the list.
Appropriate signal handling is now set up. In this case, SIGHUP, the hang-up signal, is provided with a handler to refresh the daemon's operating parameters from the configuration file. The other handled signals, i.e. SIGTERM and SIGPWR (and possibly SIGINT and SIGQUIT if not running as a daemon), are set up to cause a graceful termination of the daemon process.
After signal handling has been initialized, the daemon enters its main processing loop. The loop spends most of its time in a sleep state, but when it does execute, which is approximately once per second, it examines all entries in its blocked hosts list to see if any are ready to expire. Those that are expiring are removed from the list and are also unblocked at the firewall through removal of the corresponding rule.
The daemon's next action is to determine whether its polling interval has elapsed. If it has not yet elapsed, then the daemon goes back to sleep. If the interval has elapsed, then the daemon examines the host's configuration to see if any changes are required to the whitelist, for example, if any new interfaces have come up, or if the addresses associated with any interfaces have changed, etc.
Next, the daemon will examine the specified log file to look for failed login attempts. It tallies a count of all failed login attempts for each unique host address over the span of the given polling interval. Those tallies that exceed the specified threshold are moved to the list of blocked hosts (unless, of course, they are in the whitelist.) Each item added to the blocked list is also blocked at the firewall through the addition of an suitable rule. This processing continues indefinitely until the daemon is signaled to stop.
$ su -
# tar -xzvf sshutout-1.0.0.tar.gz
# cd sshutout-1.0.0
# make install
What's New in This Release:
· This release fixes "Invalid User" detection (again).
· It fixes a segfault when parsing the config file with an alternate output log file name.