Cygwin SSHd Autoblock Failed Logins

Solution 1:

I wrote a program to block IP addresses like you're asking for a couple of years ago, but did it for a Customer as a work-for-hire. Since I ended up with some "spare" time this evening I opted to re-implement the whole thing from the ground up, write some useful documentation, and generally make it a presentable program. Since I've heard from multiple people that this would be a handy thing to have it seems like it's probably worth the time. Hopefully you, and other members of the community, can get some use out of it.


Windows sshd_block

sshd_block is a VBScript program that acts as a WMI event sink to receive Windows Event Log entries logged by sshd. It parses these log entries and acts upon them as follows:

  • If the IP address attempts to log on with a username flagged as "ban immediately" the IP address is banned immediately.

  • If the IP address attempts to log on more frequently than is allowed in a given time period, the IP address is banned.

The "ban immediately" usernames and thresholds associated with repeated logon attempts are configurable in the "Configuration" section of the script. Default settings are as follows:

  • Ban Immediately Usernames - administrator, root, guest
  • Logon attempts allowed - 5 in 120 seconds (2 minutes)
  • Duration of ban - 300 seconds (5 minutes)

Once a second any IP addresses that have been banned for the ban duration are unbanned (by having the black-hole route removed from the routing table).


You can download the software here and can browse the archive here.

Edit:

As of 2010-01-20 I've updated the code to support using the "Advanced Firewall" on Windows Vista / 2008 / 7 / 2008 R2 to perform black-holing of traffic by creating firewall rules (which is much more in line with the behavior of "fail2ban"). I also added some additional matching strings to catch OpenSSH versions that log "invalid user" as opposed to "illegal user".

Solution 2:

On Linux denyhosts does the trick; can't tell you whether it will work on Windows / Cygwin or not. Give it a try.


Solution 3:

This one is very interesting; we are currently evaluating this solution:

Syspeace works closely with Windows in order to detect possible threats at an optimal performance. Events in the event log are continuously monitored for any suspect behavior. If an event is deemed as a threat to the system, Syspeace proceeds to the next level by checking against an internal rule base which simply blocks the IP address and adds the rule to the Windows firewall.

Local Whitelist

A user can always add IP addresses to the Local Whitelist to, for example, prevent the blocking of any internal networks or temporarily add single PCs. This should be used with caution as any IPs in this list are deemed trustworthy by Syspeace and will always be ignored.

Local Blacklist

Any threats will be added to the Local Blacklist automatically by Syspeace. You can always review the blacklist and add or remove them as you see fit. We recommend, however, that you do not make any changes to this list as you could accidentally pave the way for an unknown hacker.

Global Blacklist

A key feature of Syspeace is the ability to block known globally blacklisted IP addresses preemptively. By choosing this option, Syspeace will import the Global Blacklist onto your client and act accordingly, adding all globally blacklisted IP addresses to the firewall ruleset at the push of a button.

Messaging

Whenever an important event takes place, the service is started or stopped, rules are placed in or removed from the firewall or the communication status to the central license and global blacklist server is changed, Syspeace has the ability to send mail to the appropriate people in your organisation.

Reports

Getting emails when an important event happens may be good but sometimes you would also like to get a summary. Syspeace compiles a daily report with all attack attempts on your system and sends you a message with the information. Syspeace also compiles a weekly report in the same way.

www.syspeace.com


Solution 4:

Literally all of the login attempts from China/US/India on my server try the Administrator login, which I've disabled.

Wouldn't it be easier to disable the Admin login and then write a script that blocks all IP addresses that attempt to log in using "Administrator" as the username?
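The decision logic described in Solution 1 (ban-immediately usernames, a per-IP attempt threshold inside a sliding window, and timed unbanning) and the simpler "ban anyone who tries Administrator" idea from Solution 4 are the same state machine with different settings. The following is an added example, written in Python rather than VBScript and not the sshd_block script itself, that implements that logic over sshd log lines. The message shapes it parses ("Invalid user X from IP", "Illegal user X from IP", "Failed password for X from IP") are assumed forms of the OpenSSH failure messages, the sample log is constructed, and instead of adding a black-hole route or a firewall rule it records the ban/unban decisions it would hand to that layer, so it runs offline.

```python
import re
from collections import defaultdict, deque

# Defaults taken from the description in Solution 1.
BAN_IMMEDIATELY_USERNAMES = {"administrator", "root", "guest"}
ATTEMPTS_ALLOWED = 5        # failures permitted per window before a ban
WINDOW_SECONDS = 120
BAN_SECONDS = 300

# Assumed shapes of the OpenSSH failure messages; covers both the
# "Invalid user" and the older "Illegal user" wording mentioned in the edit.
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILED_LOGIN_PATTERNS = [
    re.compile(r"(?:Invalid|Illegal) user (?P<user>\S+) from " + _IP, re.IGNORECASE),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + _IP, re.IGNORECASE),
]


def parse_failed_login(line):
    """Return (username, ip) for a failed-login line, or None if it is not one."""
    for pattern in FAILED_LOGIN_PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group("user"), m.group("ip")
    return None


class SshdBlocker:
    def __init__(self, ban_now=BAN_IMMEDIATELY_USERNAMES, attempts=ATTEMPTS_ALLOWED,
                 window=WINDOW_SECONDS, ban_seconds=BAN_SECONDS):
        self.ban_now = {u.lower() for u in ban_now}
        self.attempts = attempts
        self.window = window
        self.ban_seconds = ban_seconds
        self.recent = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                   # ip -> time at which the ban expires
        self.actions = []                  # decisions that would go to the firewall

    def _ban(self, ip, now, reason):
        self.banned[ip] = now + self.ban_seconds
        self.recent.pop(ip, None)
        self.actions.append(("ban", ip, reason))

    def handle_event(self, now, line):
        """Process one log line observed at time `now` (seconds)."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return                         # successful login or unrelated message
        user, ip = parsed
        if ip in self.banned:
            return                         # already black-holed; nothing more to do
        if user.lower() in self.ban_now:
            self._ban(ip, now, "ban-immediately username %s" % user)
            return
        window = self.recent[ip]
        window.append(now)
        while window and window[0] < now - self.window:
            window.popleft()               # drop failures older than the window
        if len(window) > self.attempts:
            self._ban(ip, now, "%d failures in %ds" % (len(window), self.window))

    def tick(self, now):
        """Called once a second in the real script: lift expired bans."""
        for ip in sorted(ip for ip, expiry in self.banned.items() if expiry <= now):
            del self.banned[ip]
            self.actions.append(("unban", ip))


# Constructed sample (offset in seconds, event-log message); not captured data.
SAMPLE_LOG = [
    (0,   "sshd: PID 1204: Invalid user administrator from 203.0.113.9"),
    (0,   "sshd: PID 1210: Failed password for bob from 198.51.100.7 port 51012 ssh2"),
    (0,   "sshd: PID 1220: Failed password for invalid user test from 198.51.100.8 port 40000 ssh2"),
    (10,  "sshd: PID 1211: Failed password for bob from 198.51.100.7 port 51013 ssh2"),
    (20,  "sshd: PID 1212: Failed password for bob from 198.51.100.7 port 51014 ssh2"),
    (30,  "sshd: PID 1213: Failed password for bob from 198.51.100.7 port 51015 ssh2"),
    (30,  "sshd: PID 1221: Failed password for invalid user test from 198.51.100.8 port 40001 ssh2"),
    (40,  "sshd: PID 1214: Failed password for bob from 198.51.100.7 port 51016 ssh2"),
    (50,  "sshd: PID 1215: Failed password for bob from 198.51.100.7 port 51017 ssh2"),
    (60,  "sshd: PID 1230: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2"),
    (60,  "sshd: PID 1222: Failed password for invalid user test from 198.51.100.8 port 40002 ssh2"),
    (90,  "sshd: PID 1223: Failed password for invalid user test from 198.51.100.8 port 40003 ssh2"),
    (120, "sshd: PID 1224: Failed password for invalid user test from 198.51.100.8 port 40004 ssh2"),
    (130, "sshd: PID 1225: Failed password for invalid user test from 198.51.100.8 port 40005 ssh2"),
]


def run_demo():
    """Replay the sample log, then run two unban ticks; return the decisions made."""
    blocker = SshdBlocker()
    for offset, line in SAMPLE_LOG:
        blocker.handle_event(offset, line)
    blocker.tick(200)   # nothing has expired yet
    blocker.tick(350)   # bans expiring at 300 and 350 are lifted
    return blocker.actions


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

In the replay, 203.0.113.9 is banned on its first attempt because it used "administrator", 198.51.100.7 is banned on its sixth failure inside the window, and 198.51.100.8, which spreads six failures over 130 seconds, is never banned because the eviction step keeps at most five of them inside any 120-second window. Setting `ban_now={"administrator"}` and a very high `attempts` gives the behaviour Solution 4 proposes; wiring the recorded actions to `route` or `netsh advfirewall` (the two mechanisms the answer mentions) is the part deliberately left out here.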