Installing SSH Blacklisting on MacOS X 10.4.x
Introduction
While all our servers are firewalled we leave the SSH port open as it is a connection of last resort for administrators when the server cannot be contacted by any other means.
While we have strict password policies this does not stop an incessant bombardment of dictionary attacks on those SSH ports, and although it is highly unlikely that an admin password is ever likely to be breached, there are also user accounts that an attacker might just get lucky with. I was looking for a solution that would watch for dictionary attacks, blacklist the source IPs and let the attackers know that they have been caught.
While there are many solutions to the problem I wanted something that was simple and self contained.
I found a perl script called sshblack whose code does almost exactly what I need, but it is aimed at Linux so it needed to be modified to run smoothly on Mac OS X.
Overview
The SSH Black perl script runs as a daemon and monitors the secure.log for failed password attempts. If any suspicious activity is detected the source IP is added to a blacklist so that no further SSH connections can be made for a predetermined period of time.
I have modified the original version of the script (which uses Linux IPTables) to use the /etc/hosts.deny file to manage blocking source IP addresses.
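To make the mechanism concrete, here is an added example (my own illustration, not the sshblack script or any code from this package) that does in Python what the overview describes: it scans secure.log style lines for failed SSH logins, counts failures per source IP inside a sliding window, and renders the resulting blacklist as /etc/hosts.deny entries that expire after a fixed block period. The log lines are constructed to match the OpenSSH "Failed password" format; the threshold, window, block period, the hosts.deny layout and the year (secure.log timestamps carry none) are all assumptions chosen for the illustration.

```python
"""Added example, not the sshblack script: a minimal secure.log watcher
that blacklists source IPs after repeated SSH login failures and renders
/etc/hosts.deny rules with an expiry.  All thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as written to secure.log (assumed format):
#   Mar 12 10:15:01 host sshd[1201]: Failed password for [invalid user] NAME from IP port N ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

MAX_FAILURES = 4                 # failures before an IP is blacklisted (assumed)
WINDOW = timedelta(minutes=10)   # the failures must fall inside this window (assumed)
BLOCK_FOR = timedelta(hours=1)   # how long the IP stays in hosts.deny (assumed)


def parse_timestamp(ts, year):
    """secure.log timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Blacklist:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, block_for=BLOCK_FOR):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time the block expires

    def observe(self, line, year):
        """Feed one log line; return the IP if this line triggered a new block."""
        m = FAILED_RE.match(line)
        if not m:
            return None                      # not a failed login, ignore
        ip = m.group("ip")
        if ip in self.blocked:
            return None                      # already listed, nothing new to do
        when = parse_timestamp(m.group("ts"), year)
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked[ip] = when + self.block_for
            recent.clear()
            return ip
        return None

    def expire(self, now):
        """Drop entries whose block period has passed; return the IPs released."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        released = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in released:
            del self.blocked[ip]
        return released

    def hosts_deny_text(self):
        """Render active blocks as tcp_wrappers rules for /etc/hosts.deny
        (assumed layout: a comment line with the expiry, then 'sshd: <ip>')."""
        out = []
        for ip, until in sorted(self.blocked.items()):
            out.append(f"# sshblack: {ip} blocked until {until:%Y-%m-%d %H:%M:%S}")
            out.append(f"sshd: {ip}")
        return "\n".join(out)


# Constructed sample of secure.log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar 12 10:15:01 myhost sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 50123 ssh2
Mar 12 10:15:04 myhost sshd[1203]: Failed password for invalid user test from 192.0.2.10 port 50124 ssh2
Mar 12 10:15:07 myhost sshd[1205]: Failed password for root from 192.0.2.10 port 50125 ssh2
Mar 12 10:15:09 myhost sshd[1207]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar 12 10:15:11 myhost sshd[1209]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 12 10:15:12 myhost sshd[1211]: Failed password for root from 192.0.2.10 port 50126 ssh2
Mar 12 10:15:30 myhost sshd[1213]: Failed password for root from 192.0.2.10 port 50127 ssh2
"""


def run(log_text, year=2007):
    """Feed every line to a fresh Blacklist; return it and the IPs newly blocked."""
    bl = Blacklist()
    newly_blocked = []
    for line in log_text.splitlines():
        ip = bl.observe(line, year)
        if ip:
            newly_blocked.append(ip)
    return bl, newly_blocked


if __name__ == "__main__":
    bl, hits = run(SAMPLE_LOG)
    print("newly blocked:", hits)
    print(bl.hosts_deny_text())
```

Running the block blocks 192.0.2.10 on its fourth failure within the window and leaves 198.51.100.7 (one failed attempt for a real user) alone; calling `expire()` an hour later releases the entry, which is the point at which a real daemon would rewrite /etc/hosts.deny.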
Requirements
This guide assumes you have OS X 10.2.x or greater installed.
Finally, you must be comfortable with the command line and familiar with pico and sudo.
Installing SSHBlack
Because the platform specific configuration is directly in the script I have built an entire package which can be downloaded and installed along with a MacOS X startup item. You can download it from: SSHBlacklist.tar
cd ~/Desktop
tar -xf SSHBlackList.tar
mv SSHBlackList /Library/StartupItems/
sudo SystemStarter start sshblack
That’s it. The blacklist script will now be up and running, and the startup item will automatically restart the daemon if you should reboot your machine.
If you want to be notified by email each time an IP is blacklisted, this feature can be enabled by editing the script with:
sudo pico /Library/StartupItems/SSHBlackList/sshblackv28.pl
Look for a line about 3 pages down that reads: my($EMAILME) = 0; and change it to: my($EMAILME) = 1;
You will also need to enter your destination email address in the line below it.