SSHBlack Configuration

I have gone to the effort of packaging the script up with a README file and an INSTALL file. Please humor me and read them! The README file also has some release notes so you can make sense of the different versions. I have left some of the older versions up here but Version 2.8.1 is the latest.

Due to popular demand, I have made some scripts that can be used to manually blacklist and un-blacklist an IP address while at the same time modifying the $CACHE file used by sshblack. These are called list and unlist. IMPORTANT: These scripts (and sshblack) use no file locking mechanisms. This means there could be a collision between the utilities and sshblack if they try to access the cache file at the same time. I consider this a relatively remote possibility, but you may want to consider it when using them. If necessary, I will try to add file locking in the next version.

Please note that in versions after 2.5 the complete, actual commands used to block and un-block an attacker are available for configuration at the top of the code along with the other custom parameters. Previously only portions of the command were available in the "user configurable parameters". Now, the actual commands are entered as $ADDRULE and $DELRULE. All the administrator needs to do is substitute the literal 'ipaddress' in place of the actual IP address in the command. The script will replace this string with the actual address of the attacker each time it needs to run the command.
For example, if you were manually going to blacklist the host 192.168.1.123 you would normally enter the following at a command prompt:
        iptables -I BLACKLIST -s 192.168.1.123 -j DROP
So at the top of the sshblack script (in the $ADDRULE definition), this command becomes:
        iptables -I BLACKLIST -s ipaddress -j DROP
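As an added illustration of the placeholder mechanism (example shell code written for this page, not sshblack's own Perl, which is what actually performs the substitution): render_rule replaces the literal 'ipaddress' in an $ADDRULE/$DELRULE template, but only after checking that the value is a plain dotted-quad IPv4 address. The address sshblack substitutes is parsed out of the sshd log and the rendered command is handed to a shell, so anything that is not an address must never reach that command line. The ADDRULE/DELRULE values (taken from the BLACKLIST chain example below), the DRY_RUN variable and the block/unblock names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from sshblack: render an $ADDRULE/$DELRULE template
# by replacing the literal token 'ipaddress' with a real address, refusing
# anything that is not a dotted-quad IPv4 address.

# Assumed templates (same form as the custom BLACKLIST chain example).
ADDRULE='/sbin/iptables -I BLACKLIST -s ipaddress -j DROP'
DELRULE='/sbin/iptables -D BLACKLIST -s ipaddress -j DROP'

# is_ipv4 ADDR: succeed only for a.b.c.d with each octet in 0..255.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octets
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1   # reject things like 0001
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_rule TEMPLATE ADDR: print TEMPLATE with every 'ipaddress' replaced by
# ADDR; fail (printing nothing) if ADDR did not pass is_ipv4.
render_rule() {
    template=$1
    is_ipv4 "$2" || return 1
    # $2 now contains only digits and dots, so it is safe inside the sed pattern.
    printf '%s\n' "$template" | sed "s/ipaddress/$2/g"
}

# run_rule TEMPLATE ADDR: render and execute the command. With DRY_RUN set the
# rendered command is printed instead of run (assumed variable, for review).
run_rule() {
    cmd=$(render_rule "$1" "$2") || {
        echo "refusing to use address: $2" >&2
        return 1
    }
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmd"
    else
        sh -c "$cmd"
    fi
}

# block ADDR / unblock ADDR: the mating pair, always rendered from matching templates.
block()   { run_rule "$ADDRULE" "$1"; }
unblock() { run_rule "$DELRULE" "$1"; }
```

Typical use is `DRY_RUN=1 sh -c '. ./render.sh; block 192.168.1.123'` to see the exact iptables command before letting it run as root; because block and unblock are rendered from the same pair of templates, the rule removed is always the one that was inserted.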

Below are some examples of $ADDRULE and $DELRULE for various applications.

  • For the very general application with a default/blank iptables configuration, all we do is insert a rule at the top of the INPUT chain. Note that if you have other rules in there already, you might want to use the append command (-A) instead of the insert (-I); an appended rule is evaluated after everything already in the chain, so check that no earlier rule accepts port 22 first. This is how it looks:

        my($ADDRULE) = '/sbin/iptables -I INPUT -s ipaddress -p tcp --dport 22 -j DROP';
        my($DELRULE) = '/sbin/iptables -D INPUT -s ipaddress -p tcp --dport 22 -j DROP';

  • If you are using a custom chain to keep things neat, you can use that instead of the INPUT chain. Be sure to route SSH packets (or all packets) through this chain from the INPUT chain. Here we use the BLACKLIST chain:

        my($ADDRULE) = '/sbin/iptables -I BLACKLIST -s ipaddress -j DROP';
        my($DELRULE) = '/sbin/iptables -D BLACKLIST -s ipaddress -j DROP';

  • For those of you still running the older Linux 2.2 kernel or if you just want to use ipchains for some reason, the following should work for modifying your input chain. Be sure to confirm the correct path for your ipchains command-line executable.

        my($ADDRULE) = '/sbin/ipchains -I input -p tcp -s ipaddress --destination-port 22 -j DENY';
        my($DELRULE) = '/sbin/ipchains -D input -p tcp -s ipaddress --destination-port 22 -j DENY';

  • Graham Klyne has an excellent page -- a howto tutorial actually -- on installing sshblack which includes an init script tested on Fedora with chkconfig. Thanks Graham!
  • Josh Cheney was kind enough to give me some rules he uses with PF on FreeBSD. He also told me that he had to add the following line to his pf.conf file, replacing $ext_if with the interface he wants to blacklist on:

        ## In pf.conf
        block in quick on $ext_if proto tcp from <ssh-block> to $ext_if port ssh
        ## In sshblack
        my($ADDRULE) = '/sbin/pfctl -t ssh-block -T add ipaddress';
        my($DELRULE) = '/sbin/pfctl -t ssh-block -T delete ipaddress';

  • Pedro Bezunartea told me how he got it working with the Shorewall package. Presumably this would also work with variants of this such as Mandrake MNF. There are some Shorewall configuration options which optimize the performance also.

        ## In /etc/shorewall/shorewall.conf
        BLACKLISTNEWONLY=Yes
        BLACKLIST_DISPOSITION=DROP
        ## In sshblack
        my($ADDRULE) = '/usr/sbin/shorewall drop ipaddress';
        my($DELRULE) = '/usr/sbin/shorewall allow ipaddress';

  • Gérard Lasseur sent me (amongst other great stuff) the commands for using IP Filter on Solaris. Merci, monsieur!

        my($ADDRULE) = 'echo "block return-rst in log quick on dmfe0 proto tcp from ipaddress to any port = 22" | /usr/sbin/ipf -f -';
        my($DELRULE) = 'echo "block return-rst in log quick on dmfe0 proto tcp from ipaddress to any port = 22" | /usr/sbin/ipf -rf -';
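The custom-chain variant above assumes that a BLACKLIST chain exists and that INPUT sends SSH traffic to it. The following is an added example of that one-time setup, written for this page; it is not the iptables-setup script that ships with sshblack. It assumes iptables at /sbin/iptables, sshd on port 22 and the chain name BLACKLIST from the example; the DRY_RUN variable and the function names are assumptions as well.

```sh
#!/bin/sh
# Added example, not sshblack's iptables-setup script: create the BLACKLIST
# chain and route inbound SSH packets through it from INPUT, so that an
# $ADDRULE/$DELRULE pair written against BLACKLIST has a chain to act on.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # assumed path
CHAIN="${CHAIN:-BLACKLIST}"              # chain name from the example above
SSH_PORT="${SSH_PORT:-22}"               # assumed sshd port

# run CMD...: print the command, then execute it unless DRY_RUN is set.
run() {
    printf '%s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# chain_exists NAME: true if the chain is already present (never in DRY_RUN).
chain_exists() {
    [ -z "${DRY_RUN:-}" ] && "$IPTABLES" -n -L "$1" >/dev/null 2>&1
}

# jump_present: true if INPUT already sends SSH to CHAIN. Uses iptables -C,
# which older releases lack; there, drop this check and inspect
# "iptables -n -L INPUT" by hand before re-running the setup.
jump_present() {
    [ -z "${DRY_RUN:-}" ] && "$IPTABLES" -C INPUT -p tcp --dport "$SSH_PORT" -j "$CHAIN" 2>/dev/null
}

setup_blacklist_chain() {
    # 1. A user-defined chain with no rules simply returns to INPUT, so an
    #    empty BLACKLIST blocks nothing until sshblack inserts -s <ip> -j DROP.
    chain_exists "$CHAIN" || run "$IPTABLES" -N "$CHAIN"
    # 2. Send every inbound packet for the SSH port through it. Position 1 puts
    #    the jump ahead of any ACCEPT already in INPUT, so a listed address is
    #    dropped before sshd ever sees the connection.
    jump_present || run "$IPTABLES" -I INPUT 1 -p tcp --dport "$SSH_PORT" -j "$CHAIN"
}

# teardown_blacklist_chain: undo the setup; the jump must go before the chain
# can be flushed and deleted.
teardown_blacklist_chain() {
    run "$IPTABLES" -D INPUT -p tcp --dport "$SSH_PORT" -j "$CHAIN"
    run "$IPTABLES" -F "$CHAIN"
    run "$IPTABLES" -X "$CHAIN"
}

# show_blacklist: list the addresses currently blocked, with rule numbers.
show_blacklist() {
    "$IPTABLES" -n -L "$CHAIN" --line-numbers
}
```

Run `DRY_RUN=1 sh -c '. ./setup.sh; setup_blacklist_chain'` first to see the two commands it would issue, then run it without DRY_RUN as root. Because the jump rule itself carries the port match, the $ADDRULE for this chain needs no --dport of its own.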

Several of these options are explained and highlighted in the code comments. Please make sure that you use a mating $ADDRULE and $DELRULE. That is, don't use iptables for the $ADDRULE and route for the $DELRULE. Doing so will cause problems!

Please check out the README.TXT and INSTALL.TXT files as there are many other variables you can tweak.

I have also added some utility scripts because people were asking me about these. I suggest you figure out what these do (and tweak them to meet your needs) before blindly executing them.

  • list -- manually adds an IP address to the blacklist and modifies the $CACHE file accordingly
  • unlist -- manually removes an IP address from the blacklist and the $CACHE file
  • bl -- a manual blacklisting tool (one liner that modifies the iptables configuration only)
  • unbl -- a manual UNblacklisting tool (one liner that modifies the iptables configuration only)
  • iptables-setup -- a few shell commands to set up the iptables chains if you don't want to do it manually.