[CentOS] Program to ban sniffers

Jacques B. jjrboucher at gmail.com
Sun Jun 21 03:32:59 UTC 2009 

On Sat, Jun 20, 2009 at 8:35 PM, Bob Hoffman<bob at bobhoffman.com> wrote:
> So I have been reading the ssh attack thread and finally want to ask about
> something.
>
> I doubt there is a program like this, but I would love to have a program
> that listens at common ports that I do not use at all...and only allow that
> program to listen to it, especially the usual ssh port (using a different
> one for real ssh)...
>
> That program would then, upon receiving a 'sniff' or 'user' would then add
> that ip to the deny hosts lists..for either a long or short time.
>
> Using this would seem like a win as you can easily grab someone before they
> can get somewhere one hopes.
> Also, by opening up a few other ports that are unusual like 8561....well, if
> someone sniffs that it could be a 3 day ban or a month...
>
> In other words, anyone hitting those ports that are not being used at all
> except by our sniff protector, would allow instant banning.
>
> So...does something like this exist?
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

A simple bash script run from a cronjob that looks for entries in
/etc/secure for traffic to those ports and then parses out the IP and
adds it to your host.deny might work.  But if you are looking to set a
date/time when it would expire, you could probably achieve this
through a comment at the end of the entry containing the expiry date
which your bash script would scan with a simple sed command looking
for any lines with an expiry date matching the system's current date
and removing those lines.

fail2ban was also suggested by a few and I believe that was one I
played with briefly a few years back and it worked but I wasn't using
it in the scenario you describe but rather simply scanning for
multiple failed ssh login attempts (not sure if it was looking for
failed ssh login attempts, or "Failed" attempts period regardless the
port being targeted) that resulted in a host.deny entry.  But of
course you can potentially lock yourself out (been there, done that)
which is a p.i.t.a.  You either have to wait until next day at the
office to remove your ban, or try and get another IP from your ISP via
disconnecting and reconnecting to your ISP.

Jacques B.

More information about the CentOS mailing list