This post describes an alternative way to detect and prevent SSH brute force attacks
against a Linux server, using Logstash, ipset and iptables on CentOS 7.
First Step: Create Preventive Mechanism
Create the preventive mechanism first: an ipset set that holds the source IPs of
detected brute force attempts, and an iptables rule that drops traffic from every
address in that set. The detection step then only has to add addresses to the set.
Install ipset and create the set with timeout support (the detection step adds
entries with a 24-hour timeout, which is rejected on a set created without it;
86400 here is the default timeout for new entries):
yum -y install ipset
ipset create block hash:ip timeout 86400
Add the iptables rule. Use -I rather than -A so the rule is inserted at the top of
the INPUT chain and is not shadowed by an earlier ACCEPT rule:
iptables -I INPUT -p tcp -m set --match-set block src -j DROP
Two caveats: CentOS 7 runs firewalld by default, so either replace it with
iptables-services (systemctl disable firewalld) or add the equivalent ipset and
rule through firewall-cmd; and neither the set nor the rule survives a reboot
unless you save and restore them (ipset-service and iptables-services, or a boot
script), with the set restored before the rule that references it.
Second Step: Create Detection Mechanism
Install Logstash and configure it to parse the sshd log (/var/log/secure) and
identify the source IP addresses of SSH brute force attempts.
Enable Logstash at boot:
systemctl enable logstash
Put the following configuration in /etc/logstash/conf.d/logstash.conf (Logstash
loads every *.conf file in conf.d). Logstash runs as the logstash user, so it needs
read access to /var/log/secure (root-only by default; an ACL such as
setfacl -m u:logstash:r /var/log/secure works, but has to be re-applied after log
rotation) and the right to run ipset, which requires root (a sudoers entry such as
logstash ALL=(root) NOPASSWD: /usr/sbin/ipset, with the command invoked through
sudo -n). Without both, the pipeline parses nothing and blocks nothing, and the
only symptom is an empty set.
input {
  file {
    path => ["/var/log/secure"]
  }
}

filter {
  # Parse pam_unix authentication-failure lines from sshd; the attacker's address
  # is in rhost=. Lines that do not match (successful logins, other daemons) get
  # no remoteIP field and are dropped below.
  grok {
    match => { "message" => "%{MONTH:month} +%{MONTHDAY:day} %{TIME:time} %{WORD} %{WORD:prog}\[%{DATA}\]: %{DATA:detail}(?: logname=(?:%{WORD:logname}|)|)(?: uid=(?:%{WORD:uid}|)|)(?: euid=(?:%{WORD:euid}|)|)(?: tty=(?:%{WORD:tty}|)|)(?: ruser=(?:%{WORD:ruser}|)|) rhost=%{IP:remoteIP}(?: +user=%{NOTSPACE:remoteUser}|)" }
    remove_field => ["message"]
  }
  # Drop the event if no source IP was parsed.
  if ![remoteIP] {
    drop { }
  }
  # Flag the source once it exceeds after_count failures within period seconds:
  # the 4th failure from one IP inside 30 s (and every later one) gets block=true.
  throttle {
    before_count => 0
    after_count => 3
    period => 30
    key => "%{remoteIP}"
    add_field => { "block" => "true" }
  }
  if [remoteIP] and [block] == "true" {
    ruby {
      # Logstash 5+ event API; on Logstash 2.x write event['remoteIP'] instead.
      # Arguments are passed to system() individually, so no shell ever sees the
      # log-derived value; -exist keeps repeated hits from failing on a duplicate
      # entry. sudo -n needs a NOPASSWD sudoers entry for /usr/sbin/ipset because
      # Logstash does not run as root.
      code => "system('sudo', '-n', '/usr/sbin/ipset', 'add', '-exist', 'block', event.get('remoteIP'), 'timeout', '86400')"
    }
  }
}

output {
  # Keep a record of blocked sources only; /var/log/logstash is writable by the
  # logstash user, /var/log itself is not.
  if [block] == "true" {
    file { path => "/var/log/logstash/blacklist" }
  }
  # stdout { codec => json_lines }
}
Restart the Logstash service:
systemctl restart logstash
Check the result by failing a few logins from a test host and then listing the
set; the source should appear with its remaining timeout:
ipset list block
Optional: you can also send the event data from Logstash to Elasticsearch for
long-term analysis.
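To see what the filter chain above actually does on realistic input, here is an added stand-alone Ruby model of the detection logic. It is not part of the original post and is not Logstash code: a regex equivalent of the grok pattern, a sliding-window approximation of the throttle filter (Logstash's throttle counts per fixed period, so boundary behaviour differs slightly, the threshold does not), and the ipset command built, but not executed, for each source that crosses the threshold. The log lines, hostname, PIDs and addresses are constructed; the set name, threshold, period and timeout are the ones used in the configuration.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original post: a stand-alone model of the
# Logstash pipeline (grok -> drop -> throttle -> ipset) so the detection
# logic can be checked on sample input without Logstash, ipset or root.
require 'time'
require 'shellwords'

# Regex equivalent of the grok pattern: only pam_unix authentication-failure
# lines carry rhost=<addr>. The address must be IP-shaped, like %{IP}; a
# hostname (sshd with UseDNS yes) or anything else makes the line fall through.
PAM_FAIL = /\A(?<month>[A-Z][a-z]{2}) +(?<day>\d{1,2}) (?<time>\d{2}:\d{2}:\d{2}) \S+ (?<prog>\w+)\[\d+\]: (?<detail>pam_unix\(sshd:auth\): authentication failure); .*?rhost=(?<rhost>\d{1,3}(?:\.\d{1,3}){3})(?=\s|\z)(?:\s+user=(?<user>\S+))?/

# Parse one /var/log/secure line into an event, or nil when it is not a failed
# SSH authentication (the equivalent of grok failing and the drop {} branch).
# Syslog lines carry no year, so one is supplied here (assumption for the sample).
def parse_failure(line, year: 2024)
  m = PAM_FAIL.match(line)
  return nil unless m
  {
    ip:   m[:rhost],
    user: m[:user],
    at:   Time.strptime("#{m[:month]} #{m[:day]} #{year} #{m[:time]}", '%b %d %Y %H:%M:%S'),
  }
end

# Sliding-window approximation of the throttle filter keyed on the source IP:
# an event is throttled (would get block=true) once more than after_count
# failures from that key fall inside period seconds.
class Throttle
  def initialize(after_count: 3, period: 30)
    @after_count = after_count
    @period = period
    @seen = Hash.new { |h, k| h[k] = [] }
  end

  def throttled?(key, at)
    window = @seen[key]
    window.reject! { |t| at - t >= @period } # forget failures older than the period
    window << at
    window.size > @after_count
  end
end

# Build (never run here) the ipset command for a flagged source. The address is
# already constrained to an IP shape, but log-derived data is still escaped
# before it could reach a shell. -exist makes the repeated adds that follow the
# 5th, 6th, ... failure succeed instead of erroring on a duplicate entry.
def ipset_add_command(ip, set: 'block', timeout: 86_400)
  Shellwords.join(['/usr/sbin/ipset', 'add', '-exist', set, ip, 'timeout', timeout.to_s])
end

# Run the pipeline over log lines and return {ip => ipset command} for every
# source that crossed the threshold (one command per IP, at the first crossing).
def blocked_commands(lines, after_count: 3, period: 30)
  throttle = Throttle.new(after_count: after_count, period: period)
  blocked = {}
  lines.each do |line|
    ev = parse_failure(line)
    next if ev.nil? # drop: no remoteIP
    next unless throttle.throttled?(ev[:ip], ev[:at])
    blocked[ev[:ip]] ||= ipset_add_command(ev[:ip])
  end
  blocked
end

# Constructed sample of /var/log/secure (hostname, PIDs and addresses invented):
# 198.51.100.7 fails four times in 7 s, 203.0.113.9 fails four times a minute
# apart, one line names a host instead of an address, the rest is noise.
SAMPLE_SECURE_LOG = <<~LOG.lines.map(&:chomp)
  Dec 10 10:00:01 bastion sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
  Dec 10 10:00:03 bastion sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
  Dec 10 10:00:04 bastion sshd[2103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
  Dec 10 10:00:06 bastion sshd[2105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin
  Dec 10 10:00:08 bastion sshd[2107]: pam_unix(sshd:auth): check pass; user unknown
  Dec 10 10:00:08 bastion sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
  Dec 10 10:00:10 bastion sshd[2110]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2
  Dec 10 10:01:00 bastion sshd[2120]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=bob
  Dec 10 10:02:00 bastion sshd[2122]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=bob
  Dec 10 10:03:00 bastion sshd[2124]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=bob
  Dec 10 10:04:00 bastion sshd[2126]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=bob
  Dec 10 10:05:00 bastion sshd[2130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net  user=root
LOG

if __FILE__ == $PROGRAM_NAME
  blocked_commands(SAMPLE_SECURE_LOG).each_value { |cmd| puts cmd }
end
```

Run as a script it prints the single command the pipeline would issue, for 198.51.100.7; the slow attacker at 203.0.113.9 never has more than one failure inside a 30 s window and is missed, while the hostname line is dropped by the IP-shaped match exactly as the grok %{IP} would drop it. Widening period (for example to 200) catches the slow source too, which is the trade-off between after_count and period when tuning against slow or distributed brute force.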