I Smell Packets


A Script for sshbl.org
January 21, 2010, 8:46 pm
Filed under: DenyHosts, hosts.deny, sshbl.org, sshbl.sh

Here is a simple little shell script to download the blacklist from sshbl.org and to create a hosts.deny file with it. If your unfamiliar with sshbl.org, sshbl.org maintains a blacklist, that is constantly being updated, with the IP addresses of hosts which tried to bruteforce different hosts located around the world.

sshbl.sh

#!/bin/bash
rm /tmp/base.txt
wget http://www.sshbl.org/lists/base.txt
rm /tmp/base.tmp
cat /tmp/base.txt | grep '[0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9]' | sed 's/^/sshd: /' > /tmp/base.tmp
rm /etc/hosts.deny
cp /tmp/base.tmp /etc/hosts.deny

The above script first deletes any previously downloaded blacklist and then fetches a new one. Next, it removes any previously created temporary file. This temporary file is created by the next command which performs all of the following functions: displays the blacklist, searches it for IP addresses, inserts ‘sshd: ‘ to the beginning of each line, and directs the output to a temporary file. The reason for the inserting of the ‘sshd: ‘ is that this is what is expected in the hosts.deny file. Finally, any previously hosts.deny files are deleted and the new hosts.deny file is copied to the /etc directory.

All that’s left is to schedule this script to run using cron and the entire process will is automated.

This simple script takes just a few minutes to setup. If you’re interested in doing even more to automatically block brutefore attacks against your ssh server take a look at DenyHosts located here. It’s a python script that takes this to next level.

Advertisements

3 Comments so far
Leave a comment

Hi,
why so complicated? 😉

#!/bin/sh

curl http://www.sshbl.org/lists/base.txt 2>/dev/null | sed -n ‘/^[^#]/s/^/sshd: /p’ > /etc/hosts.deny

Comment by sshbl.org

I did it that way just so if the download fails, you don’t end up with a blank hosts.deny file. It fails on the copy.

Comment by ismellpackets

You can now skip the sed’ing:

http://www.sshbl.org/lists/hosts.deny

Comment by sshbl.org




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s



%d bloggers like this: