# HG changeset patch
# User Pascal Bellard
# Date 1505641365 -7200
# Node ID 6a8b83dd1456161373cade81a8b0f44b68c5089b
# Parent d8d9abb5377fb4a519ffda8eb2afab1016183ae0
openssh, dropbear: may filter brute force attacks
diff -r d8d9abb5377f -r 6a8b83dd1456 dropbear/stuff/init.d/dropbear
--- a/dropbear/stuff/init.d/dropbear Sat Sep 16 18:27:52 2017 +0200
+++ b/dropbear/stuff/init.d/dropbear Sun Sep 17 11:42:45 2017 +0200
@@ -17,31 +17,25 @@
 case "$1" in
 start)
 # We need rsa and dss host key file to start dropbear.
- if [ ! -s /etc/dropbear/dropbear_rsa_host_key ] ; then
- action 'Generating Dropbear %s key...' RSA
- # Need to delete key before creating it.
- rm -f /etc/dropbear/dropbear_rsa_host_key
- dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key >/dev/null 2>&1
- status
- fi
- if [ ! -s /etc/dropbear/dropbear_dss_host_key ] ; then
- action 'Generating Dropbear %s key...' DSS
- # Need to delete key before creating it.
- rm -f /etc/dropbear/dropbear_dss_host_key
- dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key >/dev/null 2>&1
- status
- fi
- if [ ! -s /etc/dropbear/dropbear_ecdsa_host_key ] ; then
- action 'Generating Dropbear %s key...' ECDSA
- # Need to delete key before creating it.
- rm -f /etc/dropbear/dropbear_ecdsa_host_key
- dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key >/dev/null 2>&1
- status
- fi
+ for type in rsa dss ecdsa ; do
+ [ -f /etc/dropbear/dropbear_${type}_host_key ] && continue
+ action 'Generating Dropbear %s key... ' $type
+ # Need to delete key before creating it.
+ rm -f /etc/dropbear/dropbear_${type}_host_key
+ dropbearkey -t $type /etc/dropbear/dropbear_${type}_host_key >/dev/null 2>&1
+ status
+ done
 if active_pidfile $PIDFILE dropbear ; then
 _ '%s is already running.' $NAME
 exit 1
 fi
+ if [ -n "$(which iptables)" ] && ! iptables -L | grep 'tcp dpt:ssh ' ; then
+ tcp22new='iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent'
+ $tcp22new --set --name DEFAULT --rsource
+ limit='--seconds 300 --hitcount 5 --name DEFAULT --rsource'
+ $tcp22new --update $limit -j LOG --log-prefix "SSH-Bruteforce : "
+ $tcp22new --update $limit -j DROP
+ fi
 action 'Starting %s: %s...' "$DESC" $NAME
 $DAEMON $OPTIONS
 status
diff -r d8d9abb5377f -r 6a8b83dd1456 openssh/stuff/openssh
--- a/openssh/stuff/openssh Sat Sep 16 18:27:52 2017 +0200
+++ b/openssh/stuff/openssh Sun Sep 17 11:42:45 2017 +0200
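Review bot: The rewritten key-generation loop drops the `-f` flag that every removed `dropbearkey` line carried, so the new `dropbearkey -t $type /etc/dropbear/dropbear_${type}_host_key` no longer names the output file and, with stdout and stderr sent to /dev/null, a failed generation only shows through `status`; the line should read `dropbearkey -t $type -f /etc/dropbear/dropbear_${type}_host_key >/dev/null 2>&1` (the `start)` arm continues past the end of the hunk). The guard also changed from `[ ! -s ... ]` to `[ -f ... ] && continue`, so an empty key file left by an interrupted run is now kept instead of regenerated; `[ -s /etc/dropbear/dropbear_${type}_host_key ] && continue` keeps the old behaviour. In the iptables block, which is repeated verbatim in the openssh hunk below, the LOG rule fires for every new connection past the threshold with no rate limit, so a sustained scan can fill the log; adding `-m limit --limit 3/min` to the LOG rule, or a comment explaining why unbounded logging is intended, would help. The block also hard-codes `--dport 22` and appends with `-A INPUT`, so it silently does nothing when `$OPTIONS` selects another port or an earlier ACCEPT rule already matches SSH; a comment such as `# Rate-limits only the default port; rules are appended, so an earlier ACCEPT for 22 takes precedence` would make that limit visible to the next maintainer.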
@@ -19,22 +19,22 @@
 case "$1" in
 start)
 # We need rsa and dsa host key file to start dropbear.
- if [ ! -f /etc/ssh/ssh_host_rsa_key ] ; then
- _ 'Generating OpenSSH %s key... ' rsa
- ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
- fi
- if [ ! -f /etc/ssh/ssh_host_dsa_key ] ; then
- _ 'Generating OpenSSH %s key... ' dsa
- ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
- fi
- if [ ! -f /etc/ssh/ssh_host_ecdsa_key ] ; then
- _ 'Generating OpenSSH %s key... ' ecdsa
- ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C '' -N ''
- fi
+ for type in rsa dsa ecdsa ; do
+ [ -f /etc/ssh/ssh_host_${type}_key ] && continue
+ _ 'Generating OpenSSH %s key... ' $type
+ ssh-keygen -t $type -f /etc/ssh/ssh_host_${type}_key -C '' -N ''
+ done
 if active_pidfile $PIDFILE sshd ; then
 _ '%s is already running.' $NAME
 exit 1
 fi
+ if [ -n "$(which iptables)" ] && ! iptables -L | grep 'tcp dpt:ssh ' ; then
+ tcp22new='iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent'
+ $tcp22new --set --name DEFAULT --rsource
+ limit='--seconds 300 --hitcount 5 --name DEFAULT --rsource'
+ $tcp22new --update $limit -j LOG --log-prefix "SSH-Bruteforce : "
+ $tcp22new --update $limit -j DROP
+ fi
 action 'Starting %s: %s...' "$DESC" $NAME
 $DAEMON $OPTIONS
 status