20

I'm running Cygwin with an SSH daemon on a Windows Server 2008 machine. I was looking at the Event Viewer and noticed as many as 5 to 6 failed login attempts per second (brute force) for the last week or so, from different IPs.

How can I autoblock these IPs rather than blocking them one by one manually?

Thanks, Ahmad

Jim B
ANaimi
  • Not sure if it logs failed logins in the Windows Event Log, but if yes, you could try a free utility acting the same as fail2ban on Windows: https://serverfault.com/questions/282510/what-should-i-do-if-i-find-someone-is-brute-forcing-my-server-password/1068887#1068887 – Arunas Bartisius Jul 07 '21 at 12:13

7 Answers

34

I wrote a program to block IP addresses like you're asking for a couple of years ago, but did it for a Customer as a work-for-hire. Since I ended up with some "spare" time this evening I opted to re-implement the whole thing from the ground up, write some useful documentation, and generally make it a presentable program. Since I've heard from multiple people that this would be a handy thing to have it seems like it's probably worth the time. Hopefully you, and other members of the community, can get some use out of it.


Windows sshd_block

sshd_block is a VBScript program that acts as a WMI event sink to receive Windows Event Log entries logged by sshd. It parses these log entries and acts upon them as follows:

  • If the IP address attempts to log on with a username flagged as "ban immediately" the IP address is banned immediately.

  • If the IP address attempts to log on more frequently than is allowed in a given time period the IP address is banned.

The "ban immediately" usernames and thresholds associated with repeated logon attempts are configurable in the "Configuration" section of the script. Default settings are as follows:

  • Ban Immediately Usernames - administrator, root, guest
  • Logon attempts allowed - 5 in 120 seconds (2 minutes)
  • Duration of ban - 300 seconds (5 minutes)

Once a second any IP addresses that have been banned for the ban duration are unbanned (by having the black-hole route removed from the routing table).


You can download the software here and can browse the archive here.

Edit:

As of 2010-01-20 I've updated the code to support using the "Advanced Firewall" on Windows Vista / 2008 / 7 / 2008 R2 to perform black-holing of traffic by creating firewall rules (which is much more in line with the behavior of "fail2ban"). I also added some additional matching strings to catch OpenSSH versions that log "invalid user" as opposed to "illegal user".

Evan Anderson
  • I appreciate the work you did and think that it's a wonderful idea, however is there a chance that it could be modified to work with RDP attempts? My Windows servers are constantly being attacked online and account lockout, although semi-effective, does need to be unlocked for that user to work again, opening back up the user account for another lockout. –  Aug 19 '11 at 20:10
  • @Henry: Have a look at http://serverfault.com/a/335976/7200 – Evan Anderson Nov 29 '11 at 20:43
  • This script sucks over 10 percent of my CPU even if no brute force attacks are in progress... – jjxtra Feb 18 '12 at 22:55
  • @PsychoDad: If you're interested, contact me directly and we'll troubleshoot. I haven't seen the behavior you're seeing. – Evan Anderson Feb 19 '12 at 05:01
  • I also would like to see this for RDP connections. Thanks – boomhauer Jul 15 '12 at 19:00
  • @boomhauer: Have a look at https://github.com/EvanAnderson/ts_block/ – Evan Anderson Jul 15 '12 at 22:15
  • Could it handle SIP registrations/FreeSWITCH? – Nick Binnet Oct 14 '12 at 11:03
  • @NickBinnet pike module for openSIPS? – kmarks2 Jun 07 '13 at 15:40
3

On Linux denyhosts does the trick; can't tell you whether it will work on Windows / Cygwin or not. Give it a try.

Saurabh Barjatiya
2

This one is very interesting, we are currently evaluating this solution:

Syspeace works closely with Windows in order to detect possible threats at an optimal performance. Events in the event log are continuously monitored for any suspect behavior. If an event is deemed a threat to the system, Syspeace proceeds to the next level by checking against an internal rule base which simply blocks the IP address and adds the rule to the Windows firewall.

Local Whitelist

A user can always add IP addresses to the Local Whitelist to, for example, prevent the blocking of any internal networks or temporarily add single PCs. This should be used with caution as any IPs in this list are deemed trustworthy by Syspeace and will always be ignored.

Local Blacklist

Any threats will be added to the Local Blacklist automatically by Syspeace. You can always review the blacklist and add or remove entries as you see fit. We recommend, however, that you do not make any changes to this list as you could accidentally pave the way for an unknown hacker.

Global Blacklist

A key feature of Syspeace is the ability to block known globally blacklisted IP addresses preemptively. By choosing this option, Syspeace will import the Global Blacklist onto your client and act accordingly, adding all globally blacklisted IP addresses to the firewall ruleset at the push of a button.

Messaging

Whenever an important event takes place, the service is started or stopped, rules are placed in or removed from the firewall or the communication status to the central license and global blacklist server is changed, Syspeace has the ability to send mail to the appropriate people in your organisation.

Reports

Getting emails when an important event happens may be good but sometimes you would also like to get a summary. Syspeace compiles a daily report with all attack attempts on your system and sends you a message with the information. Syspeace also compiles a weekly report in the same way.

www.syspeace.com

James A Mohler
Derek
2

Literally all of the login attempts from China/US/India on my server try the Administrator login, which I've disabled.

Wouldn't it be easier to disable the Admin login and then write a script that blocks all IP addresses that attempt to login using "Administrator" as the username?

user220309
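The two ideas above, the sshd_block policy from Evan Anderson's answer (5 attempts per 120 seconds, 300 second bans, "ban immediately" usernames, unban when the ban expires) and the "block anyone who tries Administrator" suggestion from the answer just above, reduced to one piece of logic. This is an added example, not sshd_block's own VBScript: it only collects the netsh advfirewall commands it would run instead of executing them, the sshd log messages are constructed, and treating the fifth attempt as still allowed (the sixth bans) is an assumption.

```python
import re
from collections import defaultdict, deque

# Defaults from the sshd_block description: 5 attempts / 120 s, 300 s ban,
# and usernames that get the source IP banned on the very first attempt.
BAN_NAMES = {"administrator", "root", "guest"}
MAX_ATTEMPTS, WINDOW_SECS, BAN_SECS = 5, 120, 300

# Match the old "illegal user" and newer "invalid user" wording, plus plain
# "Failed password" lines for accounts that do exist (constructed formats).
LOG_RE = re.compile(
    r"(?:Invalid user|Illegal user|Failed password for(?: (?:invalid|illegal) user)?)"
    r" (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)

class SshdBlock:
    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time at which the ban expires
        self.commands = []                  # firewall commands that would be run

    def _ban(self, ip, now):
        if ip not in self.banned:
            self.banned[ip] = now + BAN_SECS
            self.attempts.pop(ip, None)
            # Advanced Firewall rule, the mechanism the 2010 update describes
            self.commands.append(f'netsh advfirewall firewall add rule '
                                 f'name="sshd_block {ip}" dir=in action=block remoteip={ip}')

    def feed(self, now, message):
        """Process one sshd Event Log message; return the IP if it got banned."""
        m = LOG_RE.search(message)
        if not m:
            return None
        user, ip = m["user"].lower(), m["ip"]
        if user in BAN_NAMES:               # "ban immediately" username
            self._ban(ip, now)
            return ip
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > WINDOW_SECS:   # forget attempts outside the window
            q.popleft()
        if len(q) > MAX_ATTEMPTS:           # assumption: 5 allowed, the 6th bans
            self._ban(ip, now)
            return ip
        return None

    def expire(self, now):
        """Unban every IP whose ban has elapsed (sshd_block does this once a second)."""
        done = [ip for ip, until in self.banned.items() if now >= until]
        for ip in done:
            del self.banned[ip]
            self.commands.append(f'netsh advfirewall firewall delete rule name="sshd_block {ip}"')
        return done
```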
1

You might need to mess with the Windows firewall; Cygwin wouldn't have this type of functionality.

koenigdmj
1

You could consider using SSHBlock -- a Perl script for controlling brute force attempts.

SSHBlock is a daemon to monitor a syslog log for break-in attempts using SSH, and to automatically block bad hosts by adding lines to /etc/hosts.allow (TCP Wrappers). Several thresholds are pre-defined, to be able to block those trying many attempts within a longer or shorter period. Use -h to see command line options.

I have never used it on Cygwin yet.
However, here is a link to another article describing sshblock along with some other approaches:
Defending against brute force ssh attacks

nik
0

To all who ask for RDP (or other non-SSH port) blocking: I recommend doing everything through SSH tunnels!

E.g. for RDP (with standard ports for RDP and SSH), on the client machine open a console and start this command (works well with PuTTY too):

ssh -L33890:<SERVER-MACHINE-NAME>:3389 -x <USER>@<SERVER-MACHINE-IP> sleep 100

Then you have 100 seconds to open an RDP connection to this address:

localhost:33890

(where 33890 could be any non-used port number < 65535, but it has to be the same in both places of course)

On all of the computers that I administer there is (usually) only an SSH port open.