Thursday, December 15, 2011

Cygwin SSHd Autoblock Failed Logins

SkyHi @ Thursday, December 15, 2011
I wrote a program to block IP addresses like you're asking for a couple of years ago, but did it for a Customer as a work-for-hire. Since I ended up with some "spare" time this evening I opted to re-implement the whole thing from the ground up, write some useful documentation, and generally make it a presentable program. Since I've heard from multiple people that this would be a handy thing to have it seems like it's probably worth the time. Hopefully you, and other members of the community, can get some use out of it.

Windows sshd_block

sshd_block is a VBScript program that acts as a WMI event sink to receive Windows Event Log entries logged by sshd. It parses these log entries and acts upon them as follows:
  • If the IP address attempts to log on with a username flagged as "ban immediately", the IP address is banned immediately.
  • If the IP address attempts to log on more frequently than is allowed in a given time period, the IP address is banned.
The "ban immediately" usernames and thresholds associated with repeated logon attempts are configurable in the "Configuration" section of the script. Default settings are as follows:
  • Ban Immediately Usernames - administrator, root, guest
  • Logon attempts allowed - 5 in 120 seconds (2 minutes)
  • Duration of ban - 300 seconds (5 minutes)
Once a second any IP addresses that have been banned for the ban duration are unbanned (by having the black-hole route removed from the routing table).

You can download the software here and can browse the archive here.
As of 2010-01-20 I've updated the code to support using the "Advanced Firewall" on Windows Vista / 2008 / 7 / 2008 R2 to perform black-holing of traffic by creating firewall rules (which is much more in line with the behavior of "fail2ban"). I also added some additional matching strings to catch OpenSSH versions that log "invalid user" as opposed to "illegal user".
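The ban logic described above (ban-immediately usernames, a sliding window of allowed attempts, a timed ban, a once-a-second expiry pass) and the firewall-rule variant from the 2010-01-20 update, reimplemented in Python as an added illustration. This is not sshd_block's own code and not VBScript; it assumes the sshd message text reaches it as a plain string (sshd_block gets it from a WMI event sink on the Windows Event Log, which is left out here), and it black-holes an address with `netsh advfirewall firewall add rule ... action=block remoteip=<ip>`, the mechanism the update describes. The log lines in `demo()` are constructed, and the `runner` hook records the netsh arguments instead of executing them so the example runs anywhere.

```python
import re
import subprocess
from collections import defaultdict, deque

# Defaults from the post's "Configuration" section.
BAN_IMMEDIATELY = {"administrator", "root", "guest"}   # matched case-insensitively
MAX_ATTEMPTS = 5        # attempts allowed ...
WINDOW_SECONDS = 120    # ... within this many seconds
BAN_SECONDS = 300       # how long a ban lasts

# One pattern covers both OpenSSH wordings the post mentions ("invalid user"
# on newer builds, "illegal user" on older ones) as well as failures for
# accounts that do exist. Only the "Failed ... for" line is matched so a single
# attempt, which sshd also reports as a separate "Invalid user" line, is not
# counted twice. IPv4 only; an assumption of this example.
_FAILED = re.compile(
    r"Failed \S+ for (?:invalid user |illegal user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(message):
    """Return (username, ip) if the message is a failed logon, else None."""
    m = _FAILED.search(message)
    return (m.group("user"), m.group("ip")) if m else None


def netsh(args):
    """Run netsh for real (Windows only). demo() swaps in a recorder instead."""
    subprocess.run(["netsh", *args], check=True)


class SshdBlock:
    def __init__(self, runner=netsh):
        self.runner = runner
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time at which the ban expires

    def observe(self, message, now):
        """Feed one event-log message; returns the IP if this message caused a ban."""
        parsed = parse_failure(message)
        if parsed is None:
            return None
        user, ip = parsed
        if ip in self.banned:                # already black-holed, nothing to do
            return None
        if user.lower() in BAN_IMMEDIATELY:
            return self._ban(ip, now)
        window = self.attempts[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:   # drop attempts outside the window
            window.popleft()
        if len(window) > MAX_ATTEMPTS:       # the (MAX_ATTEMPTS + 1)th attempt trips the ban
            return self._ban(ip, now)
        return None

    def _ban(self, ip, now):
        self.banned[ip] = now + BAN_SECONDS
        self.attempts.pop(ip, None)
        self.runner(["advfirewall", "firewall", "add", "rule",
                     f"name=sshd_block {ip}", "dir=in", "action=block",
                     f"remoteip={ip}"])
        return ip

    def tick(self, now):
        """Call about once a second: delete the rule for every expired ban."""
        expired = [ip for ip, until in self.banned.items() if now >= until]
        for ip in expired:
            del self.banned[ip]
            self.runner(["advfirewall", "firewall", "delete", "rule",
                         f"name=sshd_block {ip}"])
        return expired


def demo():
    """Replay constructed sshd log messages (times are seconds) through the blocker."""
    commands = []
    blocker = SshdBlock(runner=commands.append)
    events = [(0, "sshd: PID 2011: Failed password for root from 203.0.113.7 port 40001 ssh2")]
    # six failures in six seconds: the sixth exceeds "5 in 120 seconds"
    events += [(t, f"sshd: PID 2012: Failed password for invalid user bob "
                   f"from 198.51.100.9 port {40100 + t} ssh2") for t in range(1, 7)]
    # three failures, then three more 190 s later: never six inside one window
    events += [(t, "sshd: PID 2013: Failed password for illegal user alice "
                   "from 192.0.2.33 port 40200 ssh2") for t in (10, 11, 12, 200, 201, 202)]
    bans = [ip for t, msg in events if (ip := blocker.observe(msg, t))]
    return {"bans": bans,
            "unbanned_at_299": blocker.tick(299),
            "unbanned_at_300": blocker.tick(300),
            "commands": commands}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The only thing that needs changing to run this against a live Cygwin sshd is the event source: poll the Application log (for example with `pywin32`'s `win32evtlog`) and pass each message string to `observe()` with the current time, calling `tick()` once a second. Because the ban is keyed on the source IP, a password-spraying client that rotates addresses will stay under the threshold; that is a limitation of this style of blocker, not something the configuration can fix.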