[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Defeating SSH/FTP script kiddies and hacker attempts

Published on
11,363 Points
3 Endorsements
Last Modified:
Michael Worsham
Well-rounded and highly experienced with a professional background in cloud/infrastructure solutions and project management.
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks."

In the recent months, I have encountered several 'script kiddies', both of a domestic and foreign locations, attempting to brute-force hack their into my SSH and FTP server. Since I have a need for both applications for personal and business needs, I needed a quick and easy way to 'fix their little red wagon' and keep my site running without having to watch it day and night. As a result, I discovered that someone had developed a Perl script (URL below) but it was only intended for ssh attacks, so I took it upon myself to help improve the script and give it the ability to watch over the ProFTPd application processes as well.

Block.pl script (the one for sshd) can be found here: http://shellscripts.org/project/sshblock

But before the script could be deployed as a counter to these ssh and ftp brute-force attacks, I first needed to harden my existing network infrastructure.

First, I reconfigured my router to port forward port 19 (or whatever non '21' port) to port 21 on the IIS/FTP server. Then I configured port 21 on the router to forward to the Linux server (as described below). This way I can tell my customers to use the new FTP forwarded port (i.e. '19') to access the 'other' IIS/FTP server site.

Second, I setup a basic Linux server w/ IPTables. I setup a CentOS Linux server on the same network with the Windows server. On the Linux server, I configured ProFTPd to be the FTP server running on port 21. I then downloaded and executed (in background/nohup mode -- 'nohup ./myapp.pl &') a modified 'block.pl' Perl script (see URL below) to scan the message log for incoming SSH & FTP attempts.

Modified block.pl script -- http://www.murpe.com/EE/block.pl

When a script kiddie attacks, the block.pl script will read the /var/log/messages file for the attack trigger response, determine if the attack is of an 'ftp' or 'ssh' type and then impose a special IPTables firewall rule -- based on the IP address -- to drop the incoming attempts. After a period of one hour, the script check to see if the attack from the offender's IP address have subsided. If the offender has disappeared, the script will then actually clean itself up and remove the offender's IP address from the firewall rule and watch the /var/log/messages file for another attack to happen.

Personally, I have utilized this script and during the first hour alone, the modified block.pl script was able to drop nearly 40 script kiddies and put a knot in their chain. Since the script cleans itself up, I did not have to check to see if my server was operational or not. I was happy and my customers were just as happy.

For other ideas on how to improve this script or make your own 'script kiddie' prevention, I recommend taking at look at this article...

Dynamic IPTables Firewalls:

Good luck!

-- Michael

Expert Comment

I have about the same mechanism, although I use SQL logging with triggers to fire a script which on its turn will add the offending IP to a block list using IP security. Only I must say I do not release the offending IP address, I like to keep it hostage :-)

Expert Comment

I have gone as far as cutting off both China and Russia; the amount of "hack" attempts subsided by 90%. That said we use that same script for SSH; love the modification to it will certainly test with it.

Featured Post

Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

Join & Write a Comment

When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Watch this simple and effective video tutorial to extract attachments from Outlook 2007 and try this easy method by yourself. No need to go anywhere, just watch the video and export attachments from Outlook in few simple steps. To know more, click h…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month