Blocking SSH Scans Using Syslog-ng

Some time ago I decided to do something about the number of SSH scans I was receiving on various machines under my control. I am not overly concerned, as I use keys for access, but there is always the possibility of a vulnerability that has not yet been publicised. With this in mind, it is better to thwart the attempts early on.

I have seen people approach this in various ways, and here is mine. It requires a database to keep a history of scans; I have used MySQL, but any database should be fine.
The script works under Linux and FreeBSD. Although it is configured to use Shorewall under Linux, it would be trivial to replace the Shorewall commands with a line similar to "iptables -I INPUT -s <address> -j DROP", where <address> is the scanning host.

Firstly, create a custom destination that points to our external script to process the reports from the SSH daemon:

destination ssh_scan { program("/root/bin/sshscan"); };

Then create a filter that matches the SSH daemon reporting an "Invalid user" (the text sshd actually logs when a login is attempted for an account that does not exist):

filter f_ssh_scan   { program("sshd.*") and match("Invalid user"); };

We can then create a log rule that passes any line that matches our filter to our script for processing:

log { source(s_sys); filter(f_ssh_scan); destination(ssh_scan); };
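The program() destination above hands each matching log line to the script on its standard input, one line at a time, so the script's job is to pull the source address out of the "Invalid user" message, count attempts per address, and block once a threshold is reached. The following Python is an added illustration of that loop and is not the author's /root/bin/sshscan: it keeps the attempt history in memory rather than in MySQL, uses a fixed threshold of 3 and an allowlist (both assumed values), and emits the plain iptables rule mentioned earlier rather than Shorewall commands. The sample log lines are constructed for the example.

```python
import io
import re
import subprocess
import sys
from collections import defaultdict
from typing import List, Optional, Tuple

# sshd logs a login attempt against a non-existent account as, for example:
#   Invalid user admin from 203.0.113.7 port 51634
# Older builds omit "port N", and the username may be empty, so the regex
# anchors on "from <dotted quad>" and tolerates both.  Restricting the
# address to a dotted quad means nothing but digits and dots can ever reach
# the firewall command built below.
INVALID_USER_RE = re.compile(
    r"Invalid user (?P<user>\S*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_invalid_user(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, ip) from an sshd 'Invalid user' line, or None if absent."""
    m = INVALID_USER_RE.search(line)
    if m is None:
        return None
    return m.group("user"), m.group("ip")


def block_command(ip: str) -> List[str]:
    """argv for the iptables rule from the post (Shorewall users would swap
    this for the equivalent 'shorewall drop' invocation).  Returning argv
    rather than a shell string keeps the address out of any shell parser."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class ScanTracker:
    """Count 'Invalid user' attempts per source address and decide when to block.

    In-memory stand-in for the database the post uses (an assumption of this
    example).  The allowlist exists so a typo from your own workstation does
    not lock you out of the box.
    """

    def __init__(self, threshold: int = 3, allowlist=()):
        self.threshold = threshold
        self.allowlist = set(allowlist)
        self.attempts = defaultdict(int)
        self.blocked = set()

    def record(self, line: str) -> Optional[List[str]]:
        """Feed one log line; return a block command the first time an
        address crosses the threshold, otherwise None."""
        parsed = parse_invalid_user(line)
        if parsed is None:
            return None
        _user, ip = parsed
        if ip in self.allowlist or ip in self.blocked:
            return None
        self.attempts[ip] += 1
        if self.attempts[ip] >= self.threshold:
            self.blocked.add(ip)
            return block_command(ip)
        return None


def process(stream, threshold: int = 3, allowlist=(), apply: bool = False) -> List[List[str]]:
    """Run the tracker over a line stream; return every block command issued.
    With apply=True the commands are also executed (requires root)."""
    tracker = ScanTracker(threshold, allowlist)
    issued = []
    for line in stream:
        cmd = tracker.record(line)
        if cmd is not None:
            issued.append(cmd)
            if apply:
                subprocess.run(cmd, check=False)
    return issued


# Constructed sample of what syslog-ng would deliver (addresses are RFC 5737
# documentation ranges).  The last line would normally be removed by the
# f_ssh_scan filter; it is here to show the parser ignores it.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[4120]: Invalid user admin from 203.0.113.7 port 51634
Mar  3 10:01:05 host sshd[4123]: Invalid user oracle from 203.0.113.7 port 51640
Mar  3 10:01:07 host sshd[4125]: Invalid user test from 198.51.100.9 port 40022
Mar  3 10:01:09 host sshd[4127]: Invalid user  from 203.0.113.7 port 51650
Mar  3 10:01:12 host sshd[4130]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""


def run_sample() -> List[List[str]]:
    """Dry run over the constructed sample: only 203.0.113.7 reaches 3 attempts."""
    return process(io.StringIO(SAMPLE_LOG))


if __name__ == "__main__":
    # As a syslog-ng program() destination: read lines from stdin for the
    # life of the process.  Pass --apply to really insert the rules.
    for cmd in process(sys.stdin, apply="--apply" in sys.argv):
        print(" ".join(cmd), file=sys.stderr)
```

Two points worth keeping whatever language the real script is written in: the address is validated by the regex before it goes anywhere near a command, and the command is built as an argument vector rather than interpolated into a shell string, so a log line crafted by the remote side cannot smuggle extra arguments into the firewall call. syslog-ng starts the program once and keeps its stdin open, so the loop must not exit after the first line.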

The contents of the script are as follows (including the code to create the MySQL database):
