Recently I was tasked with setting up an SSH daemon that would face the public internet. When doing so it is important to protect it against brute force attacks.
I used this article to figure out which would be the best approach. I started out thinking that the best approach would be to use a firewall. In Solaris that means IP Filter. (‘iptables’ is the word you often see used if the article is about Linux, different beasts but in the end they provide the same result). Of course this approach requires that you have an idea about from which IPs that you will allow connectivity and that this will be fairly static over time.
As it turned out these restrictions did not really fit my use case. So I went further into the article and almost at the end of it I stumbled upon this very simple idea of using TCP Wrappers together with an executable script (
sshblock.sh). The instructions in the article are very precise and I could use it directly on Solaris 11. I suspect the same is true for Solaris 10 although I haven’t tried it. What the article does not say in much detail is what really happens:
- Because of the ‘spawn’ command that you put into
/etc/hosts.allowfile that script will get executed every time somebody tries to connect into the SSH daemon (
sshd). The script is executed with $1 = client’s IP address.
- The script saves information about what IPs have attempted connections together with a timestamp in the
/etc/hosts.allowfile using comment lines. It kinda uses that file as a little database of information.
- It then uses the information it has about past connections from same IP address to block that IP address if the configured limit has been exceeded.
It is important to understand that since the script only gets executed when there’s a connection attempt then there’s no mechanism to whitelist an IP address if no connection attempts occurs. For this reason it is advisable to schedule the script via
cron for example once every two hours. That cron job should use as its argument an IP address that would never be blacklisted, such as 127.0.0.1.
The end result of this is that I have achieved with very simple means a way of blacklisting IP addresses that makes repeated SSH connections over a short amount of time. There’s also a whitelisting functionality build into the script: the default embargo time is 60 minutes (configurable in the script) so after that time an IP address is automatically removed from he blocked list. This requires that the script actually executes once in a while which is why you should schedule it via
In Solaris 11 the TCP Wrappers functionality is enabled by default wrt to SSH Daemon. You do not have to do anything other than what is mentioned in the article. I forgot to make the script executable and could not understand why I did not see any action in
/etc/hosts.allow file but once I did it started working immediately.