Blocking SSH Bots

This is my second-year academic project. The time allotted is 7 weeks and I have only 1 week left to finish it, but it is now 90% done. I want to give you a brief introduction to the project. The title is Blocking SSH Bots.

The Secure Shell (SSH) is a service used to log in remotely to Unix-like systems. Attackers use bots to attempt brute-force logins on Unix servers running SSH. The proliferation of botnets targeting the SSH service poses a security threat to Unix servers. The task is to build a system to detect, block and analyse SSH botnet attacks on servers.

I made a simple tool that detects brute-force attempts by analysing the SSH server logs. Typically, a large number of (failed) login attempts from the same IP address indicates a bot. Once a bot is detected it can be blocked by adding a (dynamic) firewall rule. Periodically, these blocks must be expired to save memory and to prevent permanently locking out a particular IP.
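As an added example (not the project's Java code), here is the detection-and-expiry logic of the paragraph above in Python, run over a few constructed OpenSSH log lines. The threshold, window, rule TTL, the allowlist and the shape of the iptables command are assumptions chosen for illustration.

```python
"""Added example, not the project's code: detect SSH brute-force sources
from syslog-style OpenSSH lines and keep block rules that expire."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: classic syslog format, which omits the
# year; it is supplied below). 203.0.113.7 is a bot, the other two are not.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:15:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:15:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:15:07 host sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 51006 ssh2
Mar  3 10:15:09 host sshd[2005]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:16:00 host sshd[2006]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar  3 10:16:05 host sshd[2007]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:20:00 host sshd[2008]: Failed password for root from 192.0.2.99 port 33000 ssh2
Mar  3 10:20:01 host sshd[2009]: Failed password for root from 192.0.2.99 port 33001 ssh2
"""

# This regex is specific to OpenSSH's "Failed password" line; other servers or
# log formats need their own pattern, exactly as the post says.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, source ip) for every failed login in the log text."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


class BruteForceDetector:
    """Sliding-window counter per IP plus a table of blocks with expiry times."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 ip_ttl=timedelta(hours=1), allowlist=frozenset()):
        self.threshold, self.window, self.ip_ttl = threshold, window, ip_ttl
        self.allowlist = allowlist          # never block your own admin hosts
        self.attempts = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked = {}                   # ip -> time the rule expires

    def observe(self, ts, ip):
        """Record one failure; return True if it pushes ip over the threshold."""
        if ip in self.allowlist:
            return False
        q = self.attempts[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked[ip] = ts + self.ip_ttl
            return True
        return False

    def expire(self, now):
        """Drop rules whose TTL has passed and return the IPs released."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        released = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in released:
            del self.blocked[ip]
            self.attempts.pop(ip, None)     # a released IP starts from zero again
        return released

    def firewall_rules(self):
        """iptables commands for the rules currently in force (assumed shape)."""
        return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
                for ip in sorted(self.blocked)]


def detect(text, **options):
    """Run the detector over a whole log text and return it."""
    det = BruteForceDetector(**options)
    for ts, ip in parse_failures(text):
        det.observe(ts, ip)
    return det


if __name__ == "__main__":
    d = detect(SAMPLE_LOG)
    for rule in d.firewall_rules():
        print(rule)
    print("released at 11:20:", d.expire("2024-03-03T11:20:00"))
```

On the sample, only 203.0.113.7 reaches five failures inside ten minutes and is blocked until 11:15:09; alice's single typo and the two attempts from 192.0.2.99 stay below the threshold. Calling `expire()` on a timer is what keeps the rule table bounded and lets a blocked address back in. Newer distributions log through journald with a full ISO timestamp, so the regex and the `year` workaround must be adapted for them, which is the same "change the regular expression" point the post makes at the end.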

After that I implemented the extensions below.
1. If the number of attacks originating from a subnet exceeds a given threshold, block the entire subnet. Subnet block rules should expire faster than individual IP block rules.

2. Visualise the botnet activity using Google Maps, using a GeoIP database to map an IP to its
geographical location.
Each server has a unique log format. I did this for our university server and am still trying to make it work for any server. If I can implement that, I will definitely show it to you.
I was really confused about blocking a subnet that produces a large number of (failed) login attempts. To extend my code to do that I had to get the subnet mask of an IP address, because that covers the whole range of IP addresses coming from the same area. To do that I wanted to use a route server.
http://cisconet.com/route-server/world_map.html
That page helped me find a route server. Then I used the command prompt to get the subnet mask of an IP address. I used route-server.ip-plus.net as my server.

>>telnet route-server.ip-plus.net
*** Swisscom IP+ route server (AS3303) ***
RS_AS3303>show ip bgp 123.132.123.4
BGP routing table entry for 123.128.0.0/13, version 78278792
BGP Bestpath: deterministic-med
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 2
  (65000) 3320 701 4837, (aggregated by 4837 219.158.1.45)
    164.128.32.11 from 164.128.32.11 (138.187.128.158)
      Origin IGP, metric 601000, localpref 300, valid, confed-internal, atomic-aggregate, best
      Community: 3303:3006 3303:3067 3320:1840 3320:2020 3320:9020


The highlighted prefix, 123.128.0.0/13, is the subnet mask I needed. I was confused about how to do this using Java.
http://twit88.com/blog/2007/12/22/java-writing-an-automated-telnet-client/
The link above was very helpful in solving that problem; this is how I did the subnet part.
The implemented code is here.
https://github.com/tharinda221/BlockingBots/
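As an added example that is not the project's code, here is how the route-server answer quoted above can be turned into a prefix and used for the subnet rule of extension 1: the BGP text is the session shown on this page, the per-IP failure counts are constructed, and the thresholds, the two TTLs and the /24 fallback for addresses with no known route are assumptions.

```python
"""Added example, not the project's code: read the prefix out of a route
server's "show ip bgp" answer, group attacking IPs by that prefix and plan
subnet block rules that expire sooner than single-IP rules."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The answer quoted on this page for "show ip bgp 123.132.123.4".
ROUTE_SERVER_OUTPUT = """\
BGP routing table entry for 123.128.0.0/13, version 78278792
BGP Bestpath: deterministic-med
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 2
  (65000) 3320 701 4837, (aggregated by 4837 219.158.1.45)
    164.128.32.11 from 164.128.32.11 (138.187.128.158)
      Origin IGP, metric 601000, localpref 300, valid, confed-internal, atomic-aggregate, best
      Community: 3303:3006 3303:3067 3320:1840 3320:2020 3320:9020
"""

# Constructed failed-login counts for one window (assumption).
FAILURES = {
    "123.132.123.4": 7,   # three attackers inside 123.128.0.0/13
    "123.130.5.9": 6,
    "123.135.200.1": 8,
    "192.0.2.99": 9,      # lone attacker with no known route
    "198.51.100.20": 1,   # a user who mistyped a password
}
NOW = datetime(2024, 3, 3, 10, 30)

PREFIX_RE = re.compile(r"^BGP routing table entry for (\d+\.\d+\.\d+\.\d+/\d+)", re.M)


def bgp_prefix(output):
    """Prefix announced for the queried address, or None when the router
    answered '% Network not in table'."""
    m = PREFIX_RE.search(output)
    return ipaddress.ip_network(m.group(1)) if m else None


def subnet_for(ip, prefixes, fallback=24):
    """Longest known prefix containing ip; with no route known, fall back to
    the address's /24 (an assumption, not something the route server said)."""
    addr = ipaddress.ip_address(ip)
    matches = [p for p in prefixes if addr in p]
    if matches:
        return max(matches, key=lambda p: p.prefixlen)
    return ipaddress.ip_network(f"{ip}/{fallback}", strict=False)


def plan_blocks(failures, prefixes, now, ip_threshold=5, subnet_threshold=2,
                ip_ttl=timedelta(hours=1), subnet_ttl=timedelta(minutes=15)):
    """Return {target: expiry}. A subnet with subnet_threshold or more
    offending IPs gets one rule (replacing the per-IP rules) with the
    shorter TTL; everyone else is blocked individually."""
    if subnet_ttl >= ip_ttl:
        raise ValueError("subnet rules must expire faster than IP rules")
    offenders = {ip for ip, n in failures.items() if n >= ip_threshold}
    by_subnet = defaultdict(set)
    for ip in offenders:
        by_subnet[subnet_for(ip, prefixes)].add(ip)
    rules = {}
    for net, ips in by_subnet.items():
        if len(ips) >= subnet_threshold:
            rules[str(net)] = now + subnet_ttl
        else:
            for ip in ips:
                rules[ip] = now + ip_ttl
    return rules


if __name__ == "__main__":
    prefixes = [bgp_prefix(ROUTE_SERVER_OUTPUT)]
    for target, until in sorted(plan_blocks(FAILURES, prefixes, NOW).items()):
        print(f"block {target:18} until {until:%H:%M}")
```

With the constructed counts, the three attackers inside 123.128.0.0/13 collapse into one subnet rule that lasts 15 minutes, while 192.0.2.99 gets its own one-hour rule. Two caveats worth keeping in mind: a BGP prefix is the route an ISP announces, not a subnet in the LAN sense, so a /13 like this one covers about half a million addresses and a coarse block like that is exactly why the subnet TTL must be short; and the telnet session to the route server is an unauthenticated, slow network call, so answers should be cached rather than looked up on every failed login.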

I created a simple GUI to present my project. It is here:
https://github.com/tharinda221/BotsInt

You can use this code for your server, but you have to change the regular expression to match your log file.

Thank you.

