
Distributed ssh attack protection?

Starting in summer 2009, WPICS began using a distributed SSH attack response. A central syslog host, receiving log data from many machines throughout the department, watches this log information for signs of an SSH attack. When a machine sending log information to this loghost is attacked, the loghost adds the attacker's IP address to a blacklist, which is then exportable to the rest of the department.

Within a few minutes, the attacking host is blacklisted on every UNIX machine in the department that takes a copy of the blacklist.

The files for executing this scheme are located on http://csutil1.cs.wpi.edu/ and are:

  • [http://csutil1.cs.wpi.edu/updater] the /etc/hosts.deniedssh updating script (requires the “wget” program on the host where it is run). Save it as /sbin/update-denyhosts on the machine where it will run, and chmod the file to mode 700 or 500.
  • [http://csutil1.cs.wpi.edu/ha] text to be added to the top of the /etc/hosts.allow file on the machine where the blacklist is being used.
  • [http://csutil1.cs.wpi.edu/cr] the crontab script, which calls /sbin/update-denyhosts periodically.
  • [http://csutil1.cs.wpi.edu/hds] the blacklist. This is the file downloaded by the updater script.

It is important that the machine running the updater and using the blacklist also run NTPD, so that the updates happen at the correct time. The program “NTPTIME” should also exist on the machine using this blacklisting technique.
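An added example of what a client-side updater along the lines of the one above can look like; this is not the WPICS updater script, only an illustration written for this page. It assumes the blacklist served at the URL above is one IPv4 address per line (the page does not state its format), and it adds its own safeguard: a download that fails or yields no well-formed address leaves the existing /etc/hosts.deniedssh untouched, so a broken or tampered fetch cannot wipe the blacklist or smuggle arbitrary text into a file that hosts.allow consults.

```shell
#!/bin/sh
# Illustrative stand-in for /sbin/update-denyhosts (example code, not the
# WPICS script). Values marked "from the page" come from the wiki text; the
# validation step and temp-file handling are this example's own assumptions.

BLACKLIST_URL="http://csutil1.cs.wpi.edu/hds"   # from the page
DENY_FILE="/etc/hosts.deniedssh"                # from the page

# Keep only syntactically valid, de-duplicated IPv4 addresses (assumed format:
# one address per line). Anything else, including TCP-wrappers syntax, is dropped.
filter_blacklist() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
        | sort -u
}

# Print how many entries of FILE survive filtering; succeed only if at least one
# does, so an empty result is treated as a failed update rather than "deny nobody".
validate_blacklist() {
    count=$(filter_blacklist < "$1" | wc -l | tr -d ' ')
    echo "$count"
    [ "$count" -gt 0 ]
}

# Fetch, validate and atomically install the blacklist. On any failure the
# previously installed DENY_FILE is left in place.
update_denyhosts() {
    raw=$(mktemp /tmp/hds.XXXXXX) || return 1
    clean=$(mktemp /tmp/hds.XXXXXX) || { rm -f "$raw"; return 1; }
    if ! wget -q -O "$raw" "$BLACKLIST_URL"; then
        rm -f "$raw" "$clean"; return 1
    fi
    if ! validate_blacklist "$raw" > /dev/null; then
        rm -f "$raw" "$clean"; return 1
    fi
    filter_blacklist < "$raw" > "$clean" || { rm -f "$raw" "$clean"; return 1; }
    chmod 644 "$clean" && mv -f "$clean" "$DENY_FILE"   # single rename = atomic swap
    rm -f "$raw"
}
```

Run update_denyhosts as root from cron, as the page's crontab script does for the real updater.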

distributed_denyhosts.txt · Last modified: 2009/07/21 13:23 by mvoorhis