wok-current rev 20061
openssh, dropbear: may filter brute force attacks
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Sun Sep 17 11:42:45 2017 +0200 (2017-09-17) |
parents | d8d9abb5377f |
children | 0253b140a342 |
files | dropbear/stuff/init.d/dropbear openssh/stuff/openssh |
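--- a/dropbear/stuff/init.d/dropbear
+++ b/dropbear/stuff/init.d/dropbear
@@ -17,31 +17,25 @@
 case "$1" in
 start)
 # We need rsa and dss host key file to start dropbear.
-if [ ! -s /etc/dropbear/dropbear_rsa_host_key ] ; then
-action 'Generating Dropbear %s key...' RSA
-# Need to delete key before creating it.
-rm -f /etc/dropbear/dropbear_rsa_host_key
-dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key >/dev/null 2>&1
-status
-fi
-if [ ! -s /etc/dropbear/dropbear_dss_host_key ] ; then
-action 'Generating Dropbear %s key...' DSS
-# Need to delete key before creating it.
-rm -f /etc/dropbear/dropbear_dss_host_key
-dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key >/dev/null 2>&1
-status
-fi
-if [ ! -s /etc/dropbear/dropbear_ecdsa_host_key ] ; then
-action 'Generating Dropbear %s key...' ECDSA
-# Need to delete key before creating it.
-rm -f /etc/dropbear/dropbear_ecdsa_host_key
-dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key >/dev/null 2>&1
-status
-fi
+for type in rsa dss ecdsa ; do
+[ -f /etc/dropbear/dropbear_${type}_host_key ] && continue
+action 'Generating Dropbear %s key... ' $type
+# Need to delete key before creating it.
+rm -f /etc/dropbear/dropbear_${type}_host_key
+dropbearkey -t $type /etc/dropbear/dropbear_${type}_host_key >/dev/null 2>&1
+status
+done
 if active_pidfile $PIDFILE dropbear ; then
 _ '%s is already running.' $NAME
 exit 1
 fi
+if [ -n "$(which iptables)" ] && ! iptables -L | grep 'tcp dpt:ssh ' ; then
+tcp22new='iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent'
+$tcp22new --set --name DEFAULT --rsource
+limit='--seconds 300 --hitcount 5 --name DEFAULT --rsource'
+$tcp22new --update $limit -j LOG --log-prefix "SSH-Bruteforce : "
+$tcp22new --update $limit -j DROP
+fi
 action 'Starting %s: %s...' "$DESC" $NAME
 $DAEMON $OPTIONS
 status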
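Review bot: The rewritten `dropbearkey` call inside the new for loop dropped the `-f` flag that every removed line passed, so the key path is now a stray positional argument; dropbearkey only takes its output file via `-f`, and with stderr redirected to /dev/null the failure shows up only as a failed `status`, leaving the host key missing for the daemon start that follows. The line should read `dropbearkey -t $type -f /etc/dropbear/dropbear_${type}_host_key >/dev/null 2>&1`, matching the openssh script in the same commit, which keeps `-f`. The guard also changed from `[ ! -s ]` to `[ -f ]`, so a zero-length key left behind by an interrupted first boot is no longer regenerated and the `rm -f` that the "Need to delete key" comment justifies is now dead code; `[ -s /etc/dropbear/dropbear_${type}_host_key ] && continue` keeps the previous behaviour. The enclosing `case "$1" in` block continues past the end of the hunk.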
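--- a/openssh/stuff/openssh
+++ b/openssh/stuff/openssh
@@ -19,22 +19,22 @@
 case "$1" in
 start)
 # We need rsa and dsa host key file to start dropbear.
-if [ ! -f /etc/ssh/ssh_host_rsa_key ] ; then
-_ 'Generating OpenSSH %s key... ' rsa
-ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
-fi
-if [ ! -f /etc/ssh/ssh_host_dsa_key ] ; then
-_ 'Generating OpenSSH %s key... ' dsa
-ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
-fi
-if [ ! -f /etc/ssh/ssh_host_ecdsa_key ] ; then
-_ 'Generating OpenSSH %s key... ' ecdsa
-ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C '' -N ''
-fi
+for type in rsa dsa ecdsa ; do
+[ -f /etc/ssh/ssh_host_${type}_key ] && continue
+_ 'Generating OpenSSH %s key... ' $type
+ssh-keygen -t $type -f /etc/ssh/ssh_host_${type}_key -C '' -N ''
+done
 if active_pidfile $PIDFILE sshd ; then
 _ '%s is already running.' $NAME
 exit 1
 fi
+if [ -n "$(which iptables)" ] && ! iptables -L | grep 'tcp dpt:ssh ' ; then
+tcp22new='iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent'
+$tcp22new --set --name DEFAULT --rsource
+limit='--seconds 300 --hitcount 5 --name DEFAULT --rsource'
+$tcp22new --update $limit -j LOG --log-prefix "SSH-Bruteforce : "
+$tcp22new --update $limit -j DROP
+fi
 action 'Starting %s: %s...' "$DESC" $NAME
 $DAEMON $OPTIONS
 status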
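Review bot: The new iptables block rate-limits TCP port 22 unconditionally, while the port the daemon actually listens on comes from `$OPTIONS` (or sshd_config), so on a host with a non-default port the limiter guards the wrong port and the `dpt:ssh` check still reports it as already configured; the identical block was added to the dropbear script. `iptables -L` without `-n` also resolves addresses and service names, which can stall this init script at boot before name resolution is available, and `grep` without `-q` echoes the matched rule to the console; `! iptables -nL INPUT | grep -q 'dpt:22 '` avoids both (with `-n` the port is printed numerically). Because the rules are appended with `-A`, they only take effect if no earlier INPUT rule already accepts port 22, and the `-m recent` policy is per source address, so a comment above the block such as `# Drop a source that opens 5 or more new SSH connections within 300 s (xt_recent); batch clients (scp loops, hosts behind a shared NAT) trip this too` would spare the next maintainer a surprise, ideally alongside a way to opt out. The enclosing `case "$1" in` block continues past the end of the hunk.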