Repost: Installing SSHBlack on MacOS X 10.4

This was originally posted in July 2007 and has been rescued from my old WordPress sql dump file.

Like many Mac OS X users I have punched a hole in my firewall to allow remote ssh access to my home machine.  One day, I was working on my (ancient) computer and noticed there was a pretty heavy spike in CPU usage, as well as incoming network traffic.  After some brief searching, I found I was under an ssh brute force attack.  Now, these attacks are very common to any Internet-facing ssh server.   However, given the load my tired old G4 450 is under, I want every CPU cycle I can get.  A quick Google search turned up sshblack, a nifty Perl script that will look at your sshd log files and ban attacking IP addresses.  Browsing through the documentation only showed config examples for Linux & FreeBSD, but I figured it had to be possible to use this on OS X.  I’ve used Tiger’s built-in firewall, ipfw, in the past, so I figured that would be included in our block/unblock rules.

After a few minutes I found the magic bullet:

my($ADDRULE) = '/sbin/ipfw add deny all from ipaddress to any';
my($DELRULE) = 'ipfw delete `ipfw show | grep ipaddress | awk \'{ print $1 }\'`';

(The DELRULE should be all on one line; unfortunately, it is wrapping on my display.  It should copy & paste OK, though.)
We also have to change the log to monitor to:

my($LOG) = '/var/log/secure.log';

The included documentation explains the other user parameters of the script.
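To show what sshblack is doing with those two settings, here is an added example (mine, not from the sshblack project) that counts failed sshd logins per source IP in constructed secure.log lines and fills the post's rule templates by substituting the `ipaddress` placeholder; the log line shape, the threshold and the hostname are assumptions.

```python
import re
from collections import Counter

# Rule templates from the post; sshblack swaps "ipaddress" for the offender.
ADDRULE = "/sbin/ipfw add deny all from ipaddress to any"
DELRULE = "ipfw delete `ipfw show | grep ipaddress | awk '{ print $1 }'`"

# Assumed shape of a Tiger sshd failure line in /var/log/secure.log.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log, not a real capture: five failures from one
# source, one failure and one success from another, plus unrelated noise.
SAMPLE_LOG = """\
Jul 10 02:14:01 g4 sshd[512]: Failed password for invalid user admin from 192.0.2.5 port 4021 ssh2
Jul 10 02:14:03 g4 sshd[513]: Failed password for invalid user test from 192.0.2.5 port 4022 ssh2
Jul 10 02:14:05 g4 sshd[514]: Failed password for root from 192.0.2.5 port 4023 ssh2
Jul 10 02:14:07 g4 sshd[515]: Failed password for root from 192.0.2.5 port 4024 ssh2
Jul 10 02:14:09 g4 sshd[516]: Failed password for invalid user oracle from 192.0.2.5 port 4025 ssh2
Jul 10 02:20:00 g4 sshd[520]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Jul 10 02:20:30 g4 sshd[521]: Accepted password for bob from 198.51.100.7 port 51001 ssh2
Jul 10 02:21:00 g4 com.apple.SecurityServer: authinternal failed to authenticate user bob.
"""


def count_failures(lines):
    """Count failed ssh logins per source IP; non-matching lines are ignored."""
    hits = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def block_rules(hits, threshold=4):
    """Render the ipfw add command for every IP at or above the threshold."""
    return {ip: ADDRULE.replace("ipaddress", ip)
            for ip, n in hits.items() if n >= threshold}


def unblock_rule(ip):
    """Render the delete command. Note that grep treats the IP as an
    unanchored regex (dots match any character), so on a busy rule table
    it can select more than the one rule added for this address."""
    return DELRULE.replace("ipaddress", ip)


if __name__ == "__main__":
    for cmd in block_rules(count_failures(SAMPLE_LOG.splitlines())).values():
        print(cmd)  # dry run: printed, not executed
```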

Next I wanted to get it to launch at startup.  I probably could have just thrown a quick “/usr/local/bin/sshblack28.pl &” entry into /etc/rc.local, but this is OS X, so why not take advantage of Tiger’s launchd?  Using Lingon I was able to create a Launch Daemon to handle the loading at startup very quickly. [Edit: It appears Lingon is no longer free] You can copy the plist file below.  (You’ll need to save it to a text file named sshblack.plist and move it to /Library/LaunchDaemons, and you might also need to modify the program arguments string to point to your path to the sshblack file.)

So there it is, my instructions on how to set up sshblack on OS X.  Clear as mud, eh?  The real key is getting the add & delete rules set up properly.  As a disclaimer, it’s been a while since I actually installed this so my memory may be very fuzzy at this point.  Anyhoo, hopefully this will help *someone* out there…

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>Label</key>
 <string>sshblack</string>
 <key>ProgramArguments</key>
 <array>
 <string>/usr/local/bin/sshblackv28.pl</string>
 </array>
 <key>RunAtLoad</key>
 <true/>
 <key>ServiceDescription</key>
 <string>Monitors /var/log/secure.log for ssh brute force attacks</string>
</dict>
</plist>
This entry was posted in Mac. Bookmark the permalink.
