[arm-allstar] NOTICE for users with public ssh on port 222

David McGough kb4fxc at inttek.net
Sun Apr 5 22:37:58 EDT 2020


Hi Tony,

The new code I'm working on doesn't use fail2ban at all. I'll upload some
additional details about this in another post soon---if not tonight, then
early next week. I'm working out the final details of a package.

For now, since it's getting late on the east coast, for the experienced 
admins out there, here is basically what I'm doing.

First, this code uses the iptables ipset capabilities. So, you need to
install ipset:

pacman -Sy ipset 


.....add an ipset:

ipset create sshscan hash:ip family inet hashsize 131072 maxelem 16384 timeout 1200


.....now add a couple of iptables rules:

iptables -A INPUT -p tcp --dport 222 -i eth0 -m set --match-set sshscan src -j SET --exist --add-set sshscan src
iptables -A INPUT -p tcp --dport 222 -i eth0 -m set --match-set sshscan src -j DROP


.....finally, add the /var/log/btmp scanner:

hvutmptail < /var/log/btmp | awk '{print $1; fflush();}' | xargs -t -P3 -n1 ipset add sshscan -!
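As an added example (not KB4FXC's code), here is a small POSIX shell filter that can sit between hvutmptail and xargs in the pipeline above: it tallies failures per source address from hvutmptail's ip/epoch/user lines and only emits an address once it reaches MAXRETRY, skipping an allowlist, so a single mistyped admin password does not put your own address into sshscan. ALLOWLIST, MAXRETRY, ban_candidates, demo and the sample lines are assumed or constructed names, not HamVoIP settings.

```shell
#!/bin/sh
# Added example (not KB4FXC's code). Filter for the pipeline:
#   hvutmptail < /var/log/btmp | ban_candidates | xargs -t -P3 -n1 ipset add sshscan -!
# Reads "ip<TAB>epoch<TAB>user" lines on stdin and prints a source IP exactly
# once, when its failure count reaches MAXRETRY. Addresses in ALLOWLIST are
# never printed. The variable and function names are assumptions.
ALLOWLIST="127.0.0.1 ::1 192.0.2.10"   # management hosts that must never be banned
MAXRETRY=3                             # failures from one IP before it is emitted

ban_candidates() {
    awk -v allow="$ALLOWLIST" -v max="$MAXRETRY" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 in skip { next }                      # allowlisted: ignore
        { seen[$1]++ }                           # tally per source address
        seen[$1] == max { print $1; fflush() }   # emit once, at the threshold
    '
}

# Constructed sample of hvutmptail output (RFC 5737 documentation addresses):
# 203.0.113.7 fails four times, 198.51.100.9 once, 192.0.2.10 (allowlisted) three times.
SAMPLE_LINES=$(printf '%s\t%s\t%s\n' \
    203.0.113.7  1586124000 root \
    192.0.2.10   1586124001 admin \
    203.0.113.7  1586124002 admin \
    198.51.100.9 1586124003 root \
    192.0.2.10   1586124004 admin \
    203.0.113.7  1586124005 root \
    192.0.2.10   1586124006 admin \
    203.0.113.7  1586124007 root)

# Run the filter over the sample; the only address printed is 203.0.113.7.
demo() {
    printf '%s\n' "$SAMPLE_LINES" | ban_candidates
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Counts persist for the life of the process, which matches hvutmptail replaying the whole of btmp at startup; the ipset timeout of 1200 seconds is still what expires the ban itself.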


Here is some preliminary source code for the hvutmptail program:

/////////////////////////////////////////////////////////////////////////////////////////////////////////
// hvutmptail.c   ----   KB4FXC 04/02/2020
// Compile:  gcc -O3 hvutmptail.c -o hvutmptail
// Reads utmp-format records (e.g. /var/log/btmp) from stdin, keeps following
// the file as it grows, and prints "ip<TAB>epoch<TAB>user" for every record
// that carries a remote address.
#include <stdio.h>
#include <unistd.h>
#include <utmp.h>
#include <arpa/inet.h>

int main(void)
{
	struct utmp entry;
	char ip[INET6_ADDRSTRLEN];

	for (;;) {
		while (fread(&entry, sizeof(struct utmp), 1, stdin) == 1) {
			/* ut_addr_v6[1..3] are only non-zero for IPv6 peers; an IPv4
			   address is stored in ut_addr_v6[0] alone. */
			if (entry.ut_addr_v6[1] || entry.ut_addr_v6[2] || entry.ut_addr_v6[3])
				inet_ntop(AF_INET6, entry.ut_addr_v6, ip, sizeof(ip));
			else if (entry.ut_addr_v6[0])
				inet_ntop(AF_INET, entry.ut_addr_v6, ip, sizeof(ip));
			else
				continue;	/* no address recorded (local login) */

			/* ut_user is not guaranteed to be NUL-terminated, so bound the
			   field width; ut_tv.tv_sec is a 32-bit field on glibc, so cast. */
			fprintf(stdout, "%s\t%ld\t%.*s\n", ip, (long)entry.ut_tv.tv_sec,
				(int)sizeof(entry.ut_user), entry.ut_user);
		}
		/* Clear the sticky EOF so the next fread() picks up records
		   appended to btmp after we caught up with the file. */
		clearerr(stdin);
		fflush(stdout);
		sleep(1);
	}
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////



73, David KB4FXC


On Sun, 5 Apr 2020, "Tony via ARM-allstar" wrote:

> On 4/5/20 4:44 PM, "David McGough via ARM-allstar" wrote:
> > ... I'll upload a copy of the code I'm using, if you'd like to experiment
> > with it?  This code will get wrapped into a package included in HamVoIP,
> > ultimately.
> 
> Is it essentially a Hamvoip-specific configuration for the fail2ban package?
