
Defeating SSH/FTP script kiddies and hacker attempts

Michael Worsham
Creative problem solver with ability to work either individually or through multiple teams partners for accomplishing goals.
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks."

In recent months, I have encountered several 'script kiddies', from both domestic and foreign locations, attempting to brute-force their way into my SSH and FTP servers. Since I need both services for personal and business use, I wanted a quick and easy way to 'fix their little red wagon' and keep my site running without having to watch it day and night. I discovered that someone had developed a Perl script (URL below), but it was only intended for ssh attacks, so I took it upon myself to improve the script and give it the ability to watch over the ProFTPd processes as well.

Block.pl script (the one for sshd) can be found here: http://shellscripts.org/project/sshblock

But before the script could be deployed as a counter to these ssh and ftp brute-force attacks, I first needed to harden my existing network infrastructure.

First, I reconfigured my router to forward port 19 (or any port other than 21) to port 21 on the IIS/FTP server, and then configured port 21 on the router to forward to the Linux server (described below). This way I can tell my customers to use the new forwarded FTP port (i.e. '19') to reach the 'other' IIS/FTP site.

Second, I set up a basic Linux server with IPTables: a CentOS server on the same network as the Windows server. On the Linux server, I configured ProFTPd as the FTP server running on port 21. I then downloaded and ran in the background (with nohup: 'nohup ./myapp.pl &') a modified 'block.pl' Perl script (URL below) that scans the message log for incoming SSH and FTP attempts.

Modified block.pl script -- http://www.murpe.com/EE/block.pl

When a script kiddie attacks, the block.pl script reads /var/log/messages for the attack's trigger message, determines whether the attack is of the 'ftp' or 'ssh' type, and then imposes an IPTables firewall rule, keyed on the source IP address, to drop the incoming attempts. After one hour, the script checks whether the attacks from the offender's IP address have subsided. If the offender has disappeared, the script cleans up after itself, removes the offender's IP address from the firewall rule, and goes back to watching /var/log/messages for the next attack.
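To make the block/expire cycle concrete, here is an added Python model of the same mechanism (not the block.pl script itself, which is Perl): classify each log line as an ssh or ftp login failure, block the source IP with an iptables DROP rule once it crosses a threshold, and after an hour drop the rule if nothing more was seen from that address. The sshd message format is OpenSSH's real one; the ProFTPd line format, the threshold of 5 and the sample log lines are constructed for the example. By default the firewall commands are only recorded, not executed, so it runs safely anywhere.

```python
"""Model of the block.pl mechanism: log-driven iptables blocking with hourly cleanup.
Added example, not the original script. Firewall commands are recorded, not run."""
import re
from collections import defaultdict

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Real OpenSSH failure message, e.g. "Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2"
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IP + r" port \d+")
# ProFTPD failure line; the exact wording is an assumption, adjust to your proftpd version's log format.
FTP_FAIL = re.compile(r"proftpd\[\d+\]: .*?\[" + IP + r"\]\) - USER \S+.*?(?:no such user found|Login failed)")
PORTS = {"ssh": 22, "ftp": 21}


def classify(line):
    """Return (service, ip) for a failed-login line, or None for anything else."""
    m = SSH_FAIL.search(line)
    if m:
        return "ssh", m.group(1)
    m = FTP_FAIL.search(line)
    if m:
        return "ftp", m.group(1)
    return None


class Blocker:
    def __init__(self, threshold=5, block_seconds=3600, run=None):
        self.threshold = threshold          # failures before an IP is blocked (constructed value)
        self.block_seconds = block_seconds  # one hour, as in the article
        self.commands = []                  # every iptables argv produced, for audit and testing
        # run() executes a firewall command; the default only records it (dry run).
        self.run = run if run is not None else self.commands.append
        self.failures = defaultdict(int)    # ip -> failed logins seen since last block
        self.blocked = {}                   # ip -> (service, time the rule was added)

    def _rule(self, action, ip, service):
        # Real iptables flags: -I/-D INPUT, match source and destination port, jump to DROP.
        return ["iptables", action, "INPUT", "-s", ip, "-p", "tcp",
                "--dport", str(PORTS[service]), "-j", "DROP"]

    def feed(self, line, now):
        """Process one log line at time `now` (seconds). Returns the IP if it was just blocked."""
        hit = classify(line)
        if hit is None:
            return None
        service, ip = hit
        self.failures[ip] += 1
        if ip in self.blocked or self.failures[ip] < self.threshold:
            return None
        self.run(self._rule("-I", ip, service))
        self.blocked[ip] = (service, now)
        self.failures[ip] = 0               # from here on, count only activity after the block
        return ip

    def expire(self, now):
        """Hourly cleanup: lift rules for IPs that went quiet, extend those still active."""
        released = []
        for ip, (service, since) in list(self.blocked.items()):
            if now - since < self.block_seconds:
                continue
            if self.failures[ip] == 0:
                self.run(self._rule("-D", ip, service))
                del self.blocked[ip]
                released.append(ip)
            else:                           # still hammering: keep the rule another hour
                self.blocked[ip] = (service, now)
                self.failures[ip] = 0
        return released


def demo():
    """Constructed log excerpt: one SSH brute-forcer, one FTP brute-forcer, one user typo."""
    lines = ["Jan  5 02:11:0%d srv sshd[1201]: Failed password for invalid user admin "
             "from 203.0.113.5 port 4012%d ssh2" % (i, i) for i in range(5)]
    lines += ["Jan  5 02:11:1%d srv proftpd[1301]: srv (203.0.113.9[203.0.113.9]) - USER test: "
              "no such user found from 203.0.113.9 [203.0.113.9] to 192.0.2.10:21" % i for i in range(5)]
    lines += ["Jan  5 02:12:00 srv sshd[1210]: Failed password for alice from 192.0.2.77 port 51000 ssh2",
              "Jan  5 02:12:01 srv sshd[1210]: Accepted password for alice from 192.0.2.77 port 51000 ssh2"]
    b = Blocker()
    blocked = []
    for t, line in enumerate(lines):        # one line per second, constructed timing
        ip = b.feed(line, now=t)
        if ip:
            blocked.append(ip)
    released = b.expire(now=3600 + len(lines))   # an hour later, both attackers have gone quiet
    return blocked, released, b.commands


if __name__ == "__main__":
    for argv in demo()[2]:
        print(" ".join(argv))
```

One caveat the model makes visible: once the DROP rule is in place, further attempts from that address never reach sshd or proftpd, so they do not show up in /var/log/messages at all. A deployment that wants the "has the attacker gone away?" check to be meaningful should consult the rule's packet counter (`iptables -L INPUT -v -n`) or log the dropped packets before deciding to remove the rule.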

Personally, I have used this script, and during the first hour alone the modified block.pl script dropped nearly 40 script kiddies and put a knot in their chain. Since the script cleans up after itself, I did not have to keep checking whether my server was operational. I was happy and my customers were just as happy.

For other ideas on how to improve this script or build your own 'script kiddie' prevention, I recommend taking a look at this article:

Dynamic IPTables Firewalls:
http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml

Good luck!

-- Michael
2 Comments

Expert Comment by CSorg (LVL 7):
I have about the same mechanism, although I use SQL logging with triggers to fire a script which in turn will add the offending IP to a block list using IP security. Only I must say I do not release the offending IP address; I like to keep it hostage :-)

Expert Comment by DrAtomic (LVL 7):
I have gone as far as cutting off both China and Russia; the amount of "hack" attempts subsided by 90%. That said, we use that same script for SSH; love the modification to it, will certainly test with it.