guardian: Fixed and enhanced blocking of ssh scans.
authorJan Paul Tuecking <earl@ipfire.org>
Sun, 30 Oct 2011 10:07:46 +0000 (11:07 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Fri, 4 Nov 2011 11:35:25 +0000 (12:35 +0100)
config/guardian/guardian.pl
lfs/guardian

index c7fd5f8656acdbd100c6a2009719c890f0bb0f51..86d93fe6117999985587e7a87bb393fa0c9e5ae7 100644 (file)
@@ -95,8 +95,17 @@ for (;;) {
        if (seek(ALERT2,0,1)){
                while (<ALERT2>) {
                        chop;
-                       if ($_=~/.*sshd.*Failed password for root from.*/) {
-                               my @array=split(/ /,$_);&checkssh ($array[11], "possible SSH-Bruteforce Attack");}
+                       if ($_=~/.*sshd.*Failed password for .* from.*/) {
+                               my @array=split(/ /,$_);
+                               my $temp = "";
+                               if ( $array[11] eq "port" ) {
+                                       $temp = $array[10];
+                               } elsif ( $array[11] eq "from" ) {
+                                       $temp = $array[12];
+                               } else {
+                                       $temp = $array[11];
+                               }
+                               &checkssh ($temp, "possible SSH-Bruteforce Attack");}
                        }
        }
 
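Review bot: The source address is still chosen by fixed field index after `split(/ /,$_)`, and the username between `for` and `from`, which the new regex now accepts unrestricted, is whatever the remote client offered; a username containing spaces shifts every field, so `$temp` becomes an arbitrary token from the log line and is handed to checkssh (and presumably on to ipchain) unchecked, while the three-way `$array[11]` guess only covers the layouts seen so far. Capturing the address in the match removes both problems and guarantees checkssh only ever sees something shaped like an IPv4 address: `if ($_ =~ /sshd.*Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/) {` followed by `&checkssh ($1, "possible SSH-Bruteforce Attack");` and `}` in place of the `@array`/`$temp` block. Because `.*` is greedy, the capture binds to the last `from … port` on the line, i.e. sshd's own field rather than anything embedded in the username. Lines for non-IPv4 peers would then be ignored rather than mis-parsed, which matches what the index-based code could handle anyway.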
@@ -164,24 +173,28 @@ sub checkssh {
 
        return 1 if ($source eq $gatewayaddr); # or our gateway
 
-       if ($sshhash{$dest} eq "" ){
-               $sshhash{$dest} = 1;
+       return 0 if ($sshhash{$source} > 4); # allready blocked
+
+       if ( ($ignore{$source} == 1) ){
+               &write_log("Ignoring attack because $source is in my ignore list\n");
+               return 1;
        }
-       if ($sshhash{$dest} >= 3 ) {
-               &write_log ("source = $source, count $sshhash{$dest} - blocking for ssh attack.\n");
+
+       if ($sshhash{$source} == 4 ) {
+               &write_log ("source = $source, blocking for ssh attack.\n");
                &ipchain ($source, "", $type);
+               $sshhash{$source} = $sshhash{$source}+1;
+               return 0;
        }
-# you will see this if the destination was not in the $sshhash, and the
-# packet was not ignored before the target check..
-       else {
-               &write_log ("Odd.. source = $source, ssh count only $sshhash{$dest} - No action done.\n");
-               if (defined ($opt_d)) {
-                       foreach $key (keys %sshhash) {
-                               &write_log ("sshhash{$key} = %sshhash{$key}\n");
-                       }
-               }
-               $sshhash{$key} = $sshhash{$key}+1;
+
+       if ($sshhash{$source} eq "" ){
+               $sshhash{$source} = 1;
+               &write_log ("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n");
+               return 0;
        }
+
+       $sshhash{$source} = $sshhash{$source}+1;
+       &write_log ("SSH Attack = $source, ssh count only $sshhash{$source} - No action done.\n");
 }
 
 sub ipchain {
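Review bot: The blocking threshold is now two separate literals that must be kept in step, `return 0 if ($sshhash{$source} > 4);` on the early return and `if ($sshhash{$source} == 4 ) {` on the blocking branch, and the final path (`$sshhash{$source} = $sshhash{$source}+1;` plus its write_log) falls off the end returning write_log's result while every other path returns an explicit 0 or 1. A single file-level `my $sshthreshold = 4;` used as `return 0 if ($sshhash{$source} > $sshthreshold);` and `if ($sshhash{$source} == $sshthreshold) {`, with `return 0;` after the last write_log, would make the threshold and the return contract consistent. Note also that nothing in this hunk ever decrements or expires `%sshhash`, so the count is lifetime-per-source and the block fires on the fifth failure whenever it happens; if no reset exists elsewhere in the file, a comment stating that (`# counts are never aged out; 5th failed password ever from $source triggers the block`) would save the next reader from assuming a time window. The `sub checkssh {` line itself is outside this hunk.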
@@ -221,9 +234,9 @@ sub build_ignore_hash {
                        $count++;
                }
                close (IGNORE);
-               print "Loaded $count addresses from $ignorefile\n";
+               &write_log("Loaded $count addresses from $ignorefile\n");
        } else {
-               print "No ignore file was loaded!\n";
+               &write_log("No ignore file was loaded!\n");
        }
 }
 
index 251a56f2aade641f08eea6e8bcad7a1da14c1c02..fea50db0c8764d07269820999cb74b5cced15af2 100644 (file)
@@ -30,7 +30,7 @@ THISAPP    = guardian-$(VER)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = guardian
-PAK_VER    = 7
+PAK_VER    = 8
 
 DEPS       = ""