DenyHosts knock off for Windows 7

caller9
DenyHosts knock off for Windows 7

I wrote a handy little script to be a low budget version of DenyHosts.

You have to create a firewall rule in Windows (only tested with Win 7) that blocks access to your OpenSSH port TCP 22. Make this rule a higher priority than the allow rule. It did this automatically for me, YMMV. I don't see an option to manually set priority, but didn't need it so I didn't look too hard.

Edit the denyhosts.vbs to give it the name of the rule you created. READ the comments in the code there.

http://www.box.net/shared/gti25g27lf

Set it up to run via scheduled tasks as an admin.

No warranty, use at your own risk, read the code before you execute, trust no one including me, etc.

This isn't an elegant solution, it's a hack I put together that works for me. I decided to share it for free and GPL so be gentle on criticism. It's a vbscript I slapped together this afternoon.

What it does:

  • Read Application log for "sshd" events.
  • Parse event to find auth failures.
  • Log all sshd events to text file.
  • If auth failures exceed set limit, ban IP via windows firewall.
  • Optionally immediately ban failed "root" attempts.
  • Store failed attempts that did not exceed limit (yet).
  • Add to log txt file.
  • Clear counter for an IP with an eventual successful login.
  • Store time stamp of last event to prevent re-reading old entries.

To remove IPs you would need to edit the code, or manually edit the firewall rule via Windows GUI.

If somebody wants to rewrite this to use hosts.deny, that would have the same effect. The advantage here is that you can potentially block access to more than just ssh running on your windows box. Just depends on the scope of the block rule.
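The bookkeeping caller9 lists above (per-IP failure counter, instant ban for "root", counter reset on a successful login, last-event watermark, then editing the block rule's remote address list), written out as an added PowerShell example. This is not caller9's denyhosts.vbs. It assumes OpenSSH's standard sshd message wording, a block rule named 'Block SSH', and a state-file path; all three, and the sample events, are made up for the example. It uses the same HNetCfg.FwPolicy2 COM object that a VBScript would, and starts from an empty list when the rule still reports its remote address as "*" (a freshly created "Any" rule), since appending to "*" does not give a valid list.

```powershell
# Added example (not caller9's script). Run as-is to see a dry run against the sample
# events below; set $DryRun = $false in an elevated session to edit the real rule.
$RuleName    = 'Block SSH'                               # hypothetical: your Block rule in "Windows Firewall with Advanced Security"
$MaxFailures = 3                                         # ban after this many failures with no success in between
$BanRootNow  = $true                                     # ban on the first failed "root" attempt
$StateFile   = "$env:ProgramData\sshban\state.clixml"   # hypothetical path for counters + watermark
$DryRun      = $true

# Constructed sample events standing in for the Application log. For the real log use
#   Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='sshd' } |
#       Select-Object @{n='Time';e={$_.TimeCreated}}, Message
function New-SshEvent($Time, $Message) { New-Object PSObject -Property @{ Time = [datetime]$Time; Message = $Message } }
$events = @(
    (New-SshEvent '2010-09-26 10:00:01' 'Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2'),
    (New-SshEvent '2010-09-26 10:00:05' 'Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2'),
    (New-SshEvent '2010-09-26 10:00:09' 'Failed password for invalid user test from 203.0.113.7 port 51251 ssh2'),
    (New-SshEvent '2010-09-26 10:01:00' 'Failed password for bob from 192.0.2.10 port 40000 ssh2'),
    (New-SshEvent '2010-09-26 10:01:20' 'Accepted password for bob from 192.0.2.10 port 40001 ssh2'),
    (New-SshEvent '2010-09-26 10:02:00' 'Failed password for root from 198.51.100.9 port 2222 ssh2')
)

# OpenSSH wording: "Failed <method> for [invalid user ]<name> from <ip> port <n> ssh2"
$failRe = '^Failed \w+ for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3}) port '
$okRe   = '^Accepted \w+ for (?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3}) port '

# State: per-IP failure counters plus the timestamp of the last event handled, so a
# scheduled run never re-reads (and re-counts) entries it has already seen.
$state = if (Test-Path $StateFile) { Import-Clixml $StateFile } else { @{ Counts = @{}; LastSeen = [datetime]::MinValue } }
$counts   = $state.Counts
$lastSeen = $state.LastSeen
$toBan    = @{}

foreach ($ev in ($events | Sort-Object Time)) {
    if ($ev.Time -le $lastSeen) { continue }             # already processed on an earlier run
    $lastSeen = $ev.Time
    if ($ev.Message -match $okRe) {
        $counts.Remove($Matches.ip)                      # a successful login clears the counter
    } elseif ($ev.Message -match $failRe) {
        $ip = $Matches.ip
        $counts[$ip] = 1 + [int]$counts[$ip]
        if ($counts[$ip] -ge $MaxFailures -or ($BanRootNow -and $Matches.user -eq 'root')) {
            $toBan[$ip] = $true
        }
    }
}

function Merge-RemoteAddresses([string]$Current, [string[]]$NewIps) {
    # A rule created for "Any" remote address reports RemoteAddresses as "*"; appending
    # to that string does not give a valid list, so start from an empty one instead.
    # Entries read back carry a mask ("1.2.3.4/255.255.255.255"); strip it so dedupe works.
    $existing = @()
    if ($Current -and $Current -ne '*') {
        $existing = @($Current -split ',' | ForEach-Object { $_.Trim() -replace '/.*$', '' })
    }
    return ((@($existing) + @($NewIps) | Sort-Object -Unique) -join ',')
}

if ($toBan.Count -gt 0) {
    $newList = @($toBan.Keys)
    if ($DryRun) {
        "Would ban: $($newList -join ', ') (rule list from '*' becomes: $(Merge-RemoteAddresses '*' $newList))"
    } else {
        $rule = (New-Object -ComObject HNetCfg.FwPolicy2).Rules.Item($RuleName)
        $rule.RemoteAddresses = Merge-RemoteAddresses $rule.RemoteAddresses $newList
        $rule.Enabled = $true                            # in case an unblock run disabled an emptied rule
    }
}
if (-not $DryRun) {
    $null = New-Item -ItemType Directory -Force -Path (Split-Path $StateFile)
    @{ Counts = $counts; LastSeen = $lastSeen } | Export-Clixml -Path $StateFile
}
```

With the sample events, 203.0.113.7 reaches three failures and 198.51.100.9 is banned on its first "root" attempt, while 192.0.2.10's single failure is wiped by the "Accepted" line that follows it, so the dry run reports a list of 198.51.100.9,203.0.113.7. The watermark is only persisted when the rule edit succeeds, so a run that fails part-way is simply repeated next time.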

itefix
Thanks for your contribution

Thanks for your contribution :-)

sbleon
Thanks, caller9!

caller9, this is awesome! I've been looking for a solution to this problem for a few months. I've been really worried about brute-force attacks on my CopSSH server, and this script works like a charm on my Server 2008 box! I've got it set to run every time an event with ID 4625 is logged to the Security log from the "Microsoft Windows security auditing" service.

I'd like to note for other users that you'll need to go into the "Windows Firewall with Advanced Security" interface to create a Block rule. You can't do it from the normal Windows Firewall interface.

The one feature that I think I need to add is eventual removal of blocked IPs. I typically only block IPs for a short amount of time so that people who screw up entering their password can have another chance. I'm also concerned about the length of the block list if nothing is ever removed from it. I think we can probably come up with a solution to remove the blocked IPs, but I was wondering if you had spent any time thinking about such a feature.

I'd probably implement it by adding a separate "IPs to unblock" log to your VBS file, then writing a separate script that scans that log periodically and removes any IPs who have "served their time".

Thanks again, and let me know if you have any thoughts on this issue!

ciove
My hosts.allow

Hi all,

I did a similar task which checks the application log for this kind of SSHD event: "Invalid user [fakeusername] from [hackers_ipaddress]". If the event count from the same IP address is more than eight, the task adds a deny rule for the [hackers_ipaddress] into the etc/hosts.allow file.

To be on the safe side, I've manually checked all the addresses in the list below with http://en.utrace.de/: the Chinese and Brazilian addresses are in the lead, but some are from the U.S.A. and Europe too.

I've been running the task for six months now and the hacking is pretty much over. Here's the etc/hosts.allow file my task has compiled:

--------------------------------------------------------------------------------
# etc/hosts.allow
# To block an address, use rule "ALL: [IP-ADDRESS]: DENY"
# For example (without the #):
# ALL: 10.2.2.12: DENY
#
# THE LAST ROW MUST BE (again without the #):
# ALL: ALL: ALLOW

ALL: 203.250.135.138: DENY
ALL: 212.121.233.157: DENY
ALL: 221.194.128.66: DENY
ALL: 121.254.228.21: DENY
ALL: 144.16.70.65: DENY
ALL: 62.14.231.58: DENY
ALL: 195.13.58.200: DENY
ALL: 211.157.122.142: DENY
ALL: 218.189.90.12: DENY
ALL: 93.186.192.46: DENY
ALL: 213.155.29.42: DENY
ALL: 220.225.8.154: DENY
ALL: 213.21.86.184: DENY
ALL: 209.250.234.146: DENY
ALL: 61.136.188.83: DENY
ALL: 61.189.16.37: DENY
ALL: 61.185.55.130: DENY
ALL: 134.95.115.28: DENY
ALL: 61.158.205.231: DENY
ALL: 121.52.214.105: DENY
ALL: 211.48.12.223: DENY
ALL: 63.246.201.147: DENY
ALL: 93.188.112.30: DENY
ALL: 210.38.137.82: DENY
ALL: 202.75.216.92: DENY
ALL: 77.245.148.196: DENY
ALL: 221.11.130.5: DENY
ALL: 216.25.240.87: DENY
ALL: 118.216.89.250: DENY
ALL: 221.130.195.209: DENY
ALL: 195.128.253.12: DENY
ALL: 213.179.160.66: DENY
ALL: 124.139.121.10: DENY
ALL: 24.93.61.187: DENY
ALL: 124.42.62.248: DENY
ALL: 222.73.163.151: DENY
ALL: 196.3.84.218: DENY
ALL: 88.191.50.219: DENY
ALL: 59.103.0.133: DENY
ALL: 89.35.205.206: DENY
ALL: 61.129.60.23: DENY
ALL: 195.70.36.239: DENY
ALL: 217.174.180.33: DENY
ALL: 82.99.25.78: DENY
ALL: 74.63.64.85: DENY
ALL: 58.248.240.230: DENY
ALL: 222.66.20.180: DENY
ALL: 85.223.208.109: DENY
ALL: 222.91.73.2: DENY
ALL: 210.51.171.74: DENY
ALL: 187.141.13.251: DENY
ALL: 121.58.209.59: DENY
ALL: 118.213.88.16: DENY
ALL: 118.129.166.149: DENY
ALL: 60.216.12.171: DENY
ALL: 69.162.125.26: DENY
ALL: 92.46.175.181: DENY
ALL: 78.143.48.51: DENY
ALL: 85.10.128.141: DENY
ALL: 203.116.18.173: DENY
ALL: 211.38.137.44: DENY
ALL: 206.128.81.79: DENY
ALL: 125.141.233.22: DENY
ALL: 98.203.147.65: DENY
ALL: 64.34.178.37: DENY
ALL: 201.0.145.106: DENY
ALL: 207.111.172.36: DENY
ALL: 119.1.193.205: DENY
ALL: 219.84.193.41: DENY
ALL: 200.20.215.131: DENY
ALL: 89.190.193.29: DENY
ALL: 208.94.175.182: DENY
ALL: 85.115.100.144: DENY
ALL: 88.191.67.59: DENY
ALL: 118.129.166.120: DENY
ALL: 66.60.99.115: DENY
ALL: 122.252.1.23: DENY
ALL: 59.173.21.94: DENY
ALL: 121.14.144.217: DENY
ALL: 210.83.79.69: DENY
ALL: 156.34.98.10: DENY
ALL: 202.96.136.162: DENY
ALL: 58.120.227.235: DENY
ALL: 64.19.76.70: DENY
ALL: 117.41.168.92: DENY
ALL: 201.6.106.248: DENY
ALL: 72.52.198.141: DENY
ALL: 70.85.191.122: DENY
ALL: 216.131.96.185: DENY
ALL: 202.99.122.230: DENY
ALL: 122.200.82.162: DENY
ALL: 121.14.144.197: DENY
ALL: 202.106.124.227: DENY
ALL: 121.254.228.13: DENY
ALL: 97.107.136.241: DENY
ALL: 82.221.40.67: DENY
ALL: 212.199.161.155: DENY
ALL: 67.225.232.8: DENY
ALL: 211.157.102.228: DENY
ALL: 218.108.10.46: DENY
ALL: 125.89.77.101: DENY
ALL: 202.95.230.4: DENY
ALL: 219.141.174.148: DENY
ALL: 173.15.79.203: DENY
ALL: 88.191.62.239: DENY
ALL: 81.19.234.103: DENY
ALL: 122.160.240.133: DENY
ALL: 96.57.129.92: DENY
ALL: 207.111.172.4: DENY
ALL: 89.106.17.98: DENY
ALL: 80.48.178.2: DENY
ALL: 144.190.42.72: DENY
ALL: 59.37.54.47: DENY
ALL: 211.103.30.244: DENY
ALL: 125.210.34.233: DENY
ALL: 218.77.120.141: DENY
ALL: 61.139.33.207: DENY
ALL: 60.191.2.228: DENY
ALL: 203.171.227.177: DENY
ALL: 190.18.89.159: DENY
ALL: 163.178.105.175: DENY
ALL: 218.87.32.224: DENY
ALL: 222.218.142.194: DENY
ALL: 121.190.121.136: DENY
ALL: 210.245.81.5: DENY
ALL: 119.147.105.180: DENY
ALL: 58.30.232.39: DENY
ALL: 74.63.193.230: DENY
ALL: 65.19.234.227: DENY
ALL: 194.50.101.151: DENY
ALL: 121.14.38.200: DENY
ALL: 195.19.173.238: DENY
ALL: 93.92.47.25: DENY
ALL: 209.62.69.114: DENY
ALL: 94.137.254.29: DENY
ALL: 210.181.96.39: DENY
ALL: 203.157.15.3: DENY
ALL: 94.75.250.7: DENY
ALL: 61.84.138.57: DENY
ALL: ALL: ALLOW
--------------------------------------------------------------------------------
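ciove's approach as an added PowerShell example (not ciove's task): count "Invalid user <name> from <ip>" messages, which is OpenSSH's own wording, and rebuild a hosts.allow of the shape shown above. The input is constructed sample lines, the threshold is ciove's "more than eight", and the output path is the example's own; point it at CopSSH's etc\hosts.allow (location assumed) for real use. Existing DENY lines are carried over so reruns neither lose nor duplicate entries, and the final ALL: ALL: ALLOW is always written last.

```powershell
# Added example (not ciove's task). Writes to %TEMP%\hosts.allow so it is safe to try.
$HostsAllow = Join-Path $env:TEMP 'hosts.allow'    # for real use: CopSSH's etc\hosts.allow (path assumed)
$Threshold  = 8                                    # deny when more than eight events came from one address

# Constructed sample messages: nine from one address, three from another.
$sampleMessages = @(1..9 | ForEach-Object { "Invalid user test$_ from 203.0.113.7" }) +
                  @(1..3 | ForEach-Object { "Invalid user admin from 192.0.2.10" })

# Count "Invalid user ... from <ip>" per source address.
$hits = @{}
foreach ($m in $sampleMessages) {
    if ($m -match '^Invalid user \S+ from (?<ip>\d{1,3}(?:\.\d{1,3}){3})$') {
        $hits[$Matches.ip] = 1 + [int]$hits[$Matches.ip]
    }
}
$offenders = @($hits.Keys | Where-Object { $hits[$_] -gt $Threshold })

# Carry over addresses already denied so a rerun neither drops nor duplicates them.
$already = @()
if (Test-Path $HostsAllow) {
    foreach ($line in Get-Content $HostsAllow) {
        if ($line -match '^ALL:\s*(?<ip>\d{1,3}(?:\.\d{1,3}){3}):\s*DENY\s*$') { $already += $Matches.ip }
    }
}
$deny = @((@($already) + @($offenders)) | Sort-Object -Unique)

# tcp_wrappers takes the first matching line, so every DENY goes above the closing ALLOW.
$content = @(
    '# etc/hosts.allow -- generated; edit the script, not this file',
    '# To block an address: ALL: [IP-ADDRESS]: DENY',
    '# THE LAST ROW MUST BE: ALL: ALL: ALLOW'
) + @($deny | ForEach-Object { "ALL: $($_): DENY" }) + @('ALL: ALL: ALLOW')

# LF line endings and no BOM, so the cygwin-side tcp_wrappers reads it as a plain text file.
[IO.File]::WriteAllText($HostsAllow, (($content -join "`n") + "`n"))
Get-Content $HostsAllow
```

With the sample input only 203.0.113.7 crosses the threshold, so the file ends up with one DENY line followed by ALL: ALL: ALLOW; run it a second time and the DENY line is kept rather than duplicated.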

sbleon
New "package" with documentation and script to unblock IPs

Folks, I've added a little bit of functionality to this tool. There's now another script to clear out the list of blocked IPs. You can run it periodically to keep the list of blocked IPs from getting really long, and to give legitimate users (who've just fat-fingered their password a few times) another chance.

I've also added some documentation, but I can't say I've spent much time on it.

You can download the "package" from:

http://www.singlebrook.com/downloads/SSHBruteBlocker.zip

Thanks again to caller9 for the great script!
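The "served their time" idea from sbleon's earlier post, as an added PowerShell example; this is not the script in the package linked above. It assumes the banning script appends one "<ip><TAB><time>" line per ban to a block log, a rule named 'Block SSH', and a 24-hour ban; the log path, rule name and the two sample entries are made up for the example. The one thing it is careful about: when the last address is removed it disables the rule rather than writing an empty list, because "*" in RemoteAddresses means Any and would block every SSH client.

```powershell
# Added example (not sbleon's unblock script). Dry run by default; set $DryRun = $false
# in an elevated session to edit the real rule and rewrite the log.
$RuleName = 'Block SSH'                               # hypothetical rule name
$BanHours = 24
$BlockLog = "$env:ProgramData\sshban\blocked.log"   # hypothetical; "ip<TAB>time" per line, written by the ban script
$DryRun   = $true
$now      = Get-Date

# Constructed sample entries used when the log does not exist: one expired, one still fresh.
$lines = @(
    "203.0.113.7`t$($now.AddHours(-30).ToString('s'))",
    "198.51.100.9`t$($now.AddHours(-2).ToString('s'))"
)
if (Test-Path $BlockLog) { $lines = @(Get-Content $BlockLog) }

# Split entries into those past their ban period and those to keep.
$expired = @(); $keep = @()
foreach ($l in $lines) {
    $ip, $when = $l -split "`t", 2
    if (-not $when) { continue }                      # skip malformed lines
    if (([datetime]$when).AddHours($BanHours) -lt $now) { $expired += $ip } else { $keep += $l }
}

if ($expired.Count -eq 0) { 'Nothing to unblock'; return }
if ($DryRun) {
    "Would unblock: $($expired -join ', ')"
} else {
    $rule = (New-Object -ComObject HNetCfg.FwPolicy2).Rules.Item($RuleName)
    # Entries read back carry a mask ("1.2.3.4/255.255.255.255"); compare on the bare address.
    $remaining = @($rule.RemoteAddresses -split ',' |
                   Where-Object { $expired -notcontains ($_.Trim() -replace '/.*$', '') })
    if ($remaining.Count -gt 0) {
        $rule.RemoteAddresses = $remaining -join ','
    } else {
        # Never "empty" the list by writing "*": that means Any and would block every SSH client.
        # Disable the rule instead; the banning script re-enables it when it next adds an address.
        $rule.Enabled = $false
    }
    Set-Content -Path $BlockLog -Value ($keep -join "`r`n")
}
```

Schedule it alongside the banning script; with the sample entries the dry run reports 203.0.113.7 as the address to unblock and leaves 198.51.100.9 in place.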

caller9
Cool work sbleon

Thanks for the assist.

There is a reset of the failed login counter for an IP if it ever logs in successfully without exceeding the limit. After that point, I don't have many legitimate users so if they get blocked it's permanent until undone manually. So far I haven't had to undo any.

As you mentioned, that would be an annoying administration problem for a large user base. Also for the unattended server it would make sense to self purge on occasion to trim the list.

Thanks again for the contrib.

kazy
question !

hi Caller9 !

Thx for your script :)

this means that you have successfully run COPSSH 3.0.2 on a windows 7 OS ...

I have some trouble to run COPSSH on my windows 7

System error 1069: The service did not start due to a logon failure

Have you encountered this problem, please?

see : http://www.itefix.no/i2/node/12067

caller9
Actually 3.0.0

I'm running 3.0.0. Not 3.0.2. One user in the thread you linked mentioned a full uninstall/reinstall was required. Other than that, make sure that the copssh service account has the correct password I guess.


dgleich
Instructions

Hey all, I had some small trouble getting these scripts to work. I posted up a somewhat detailed list of instructions at:

https://dgleich.wordpress.com/2010/09/26/denyhosts-for-windows/


The biggest issue was that the rule.RemoteAddresses was equal to "*" when I created the default rule.  This broke the append operation, and thus the script did not work out of the box.  I just used the simple fix to check if it was longer than 1 :-), which is wrong, but didn't involve looking up string comparison in vbscript.

Also, I had problems with the "scheduled tasks/Administrator" option.  It seems you have to use the "Administrators" group instead of the "Administrator" account.