tb-sshdfilter - Stop ssh Break-in Attempts - Free Download
If you study the logfiles of nearly any Linux system exposed to the Internet you will often see hundreds or even thousands of break-in attempts each week. Wouldn't you rather block these attempts quickly and silently, restricting the offender from having any further contact with your system?
Here's how we believe this process should work:
- Hacker attempts to break in via ssh
- Software detects the break-in attempt and logs the IP address of the hacker
- Software inserts the hacker's IP address into a new firewall rule, blocking all TCP/IP packets originating from the hacker's IP address - the hacker cannot make any further contact with our server from the blocked IP address
- (Future Improvement) Hacker's blocked IP address is shared with other servers to also protect them from break-in attempts
- Software expires rule blocking hacker's IP address after pre-determined time period
An existing program, sshdfilter, attempts to solve this problem. True Blade partner Eric V. Smith studied sshdfilter and determined that a new solution was required to address the requirements of our clients. tb-sshdfilter is a new program, written in Python, which attempts to provide a more flexible and robust solution. The following table explains why we believe tb-sshdfilter is a superior program.
Comparison of tb-sshdfilter and sshdfilter 1.3.5

| Feature / attribute | tb-sshdfilter | sshdfilter 1.3.5 |
|---|---|---|
| Author & Contact Information | Eric V. Smith, True Blade Systems, Inc. | greg at csc liv ac uk |
| Difficulty to Change sshd Parsing Trigger Keywords | (in separate config file) | (requires script change) |
| Supports Listening on Alternate TCP Ports (not just port 22) | | |
| Separate init.d from sshd (permits simultaneous operation and testing of sshd and filtering program) | | |
| iptables logic separate from sshd output parser (allows rules to be stored in a database) | | |
| Programming Language Used | Python | |
| First Release Date | October 12, 2005 | June 5, 2005 |
Newer versions of sshdfilter address some of these differences.
How tb-sshdfilter Works
tb-sshdfilter monitors the output of sshd for unauthorized login attempts and automatically blocks offending IP addresses from being able to make further attempts.
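The detect / block / expire cycle described above, as an added example in the tool's language (written for this page, not tb-sshdfilter's own code): it scans constructed sshd log lines for failed-password events, emits an iptables DROP rule once a source reaches a threshold, and removes the rule after the time period lapses. The trigger pattern, the threshold of 3 and the 3600-second period are assumptions, and the commands are returned as lists rather than executed.

```python
import re
from collections import Counter

# Constructed sample sshd syslog lines (not taken from the page); the wording
# follows OpenSSH's standard "Failed password" and "Accepted" messages.
SAMPLE_LOG = """\
Oct 12 20:01:01 host sshd[4321]: Failed password for invalid user admin from 192.0.2.10 port 41022 ssh2
Oct 12 20:01:03 host sshd[4322]: Failed password for root from 192.0.2.10 port 41023 ssh2
Oct 12 20:01:05 host sshd[4323]: Failed password for invalid user test from 192.0.2.10 port 41024 ssh2
Oct 12 20:01:09 host sshd[4325]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Oct 12 20:01:11 host sshd[4326]: Failed password for alice from 198.51.100.7 port 50001 ssh2
"""

# Trigger patterns are kept apart from the firewall logic, the separation the page credits tb-sshdfilter with.
TRIGGERS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"),
]

def count_failures(log_text):
    """Count trigger matches per source IP across captured sshd output."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in TRIGGERS:
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
    return counts

def block_commands(counts, now, blocked, threshold=3, ttl=3600):
    """Return iptables commands for unblocked IPs at or over the threshold; `blocked` (ip -> expiry) is updated in place."""
    cmds = []
    for ip, n in sorted(counts.items()):
        if n >= threshold and ip not in blocked:
            blocked[ip] = now + ttl
            # Drop every packet from the offender, as the page describes.
            cmds.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds

def expire_commands(now, blocked):
    """Return commands removing rules whose pre-determined period has elapsed."""
    cmds = []
    for ip in [ip for ip, expiry in blocked.items() if expiry <= now]:
        del blocked[ip]
        cmds.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds

if __name__ == "__main__":  # dry run: print the commands instead of executing them
    active = {}
    for cmd in block_commands(count_failures(SAMPLE_LOG), 0, active) + expire_commands(3600, active):
        print(" ".join(cmd))
```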
We have prepared a PDF file with more information about tb-sshdfilter.
tb-sshdfilter is being released to the general public by True Blade Systems, Inc. under the GNU General Public License (GPL). There is no charge to use the software, but we do ask that you give us feedback about your experiences with tb-sshdfilter after you have it up and running.
tb-sshdfilter was first demonstrated to the public at the Columbia, Maryland Linux User's Group on October 12, 2005.
Download tb-sshdfilter version 1.1.
Note: Please contact us to tell us how you are using tb-sshdfilter. Registered tb-sshdfilter users are allowed to contribute to ongoing dialog and commentary and will receive priority notification of all improvements and updates.
tb-sshdfilter Release History
Registration is no longer required to download tb-sshdfilter. However, users are strongly encouraged to contact us to tell us how they are using tb-sshdfilter - thanks!
- 2006-02-10 version 1.1: Users must register on True Blade's website to download the tb-sshdfilter software. tb-sshdfilter remains free and GPL licensed, but anonymous downloads are no longer permitted.
- 2005-10-14 version 1.1: Added code to detect whether the sshd and iptables executables (as configured) exist and are executable.
- 2005-10-12 version 1.0