Running a publicly reachable AWS instance invites constant probing from script kiddies and bots looking for a way in to compromise your server.
Sshguard (www.sshguard.net) watches your authentication log and adds iptables rules to block addresses that keep failing to log in, keeping persistent brute-force attackers at bay.
1. Download the latest version from http://www.sshguard.net (here via the freshmeat download link http://freshmeat.net/urls/6ff38f7dc039f95efec2859eefe17d3a)
wget -O sshguard-1.5.tar.bz2 http://freshmeat.net/urls/6ff38f7dc039f95efec2859eefe17d3a
2. Unpack
tar jxvf sshguard-1.5.tar.bz2
3. Configure + Make
cd sshguard-1.5
./configure --with-firewall=iptables
make
4. Install (to /usr/local/sbin/sshguard)
sudo make install
5. Create /etc/init.d/sshguard (chmod 0755)
#!/bin/sh
# this is a concept, elaborate to your taste
case $1 in
start)
# -a 4: block an address after 4 attacks, -b 5:file: blacklist it permanently after 5, -l: log file to watch
/usr/local/sbin/sshguard -a 4 -b 5:/var/sshguard/blacklist.db -l /var/log/auth.log &
;;
stop)
killall sshguard
;;
*)
echo "Use start or stop"
exit 1
;;
esac
6. /etc/iptables.up.rules
# Firewall
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-N sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp --dport ftp -j ACCEPT
# New SSH connections go through the sshguard chain first; sshguard inserts
# DROP rules for blocked addresses there. A packet not matched in that chain
# returns to INPUT, so it needs an explicit ACCEPT or it falls through to the
# final DROP and nobody can open a new SSH session.
-A INPUT -p tcp --dport ssh -j sshguard
-A INPUT -p tcp --dport ssh -j ACCEPT
# Replies to our DNS queries are already covered by the conntrack rule above;
# this accepts any UDP packet with source port 53, so drop it if not needed.
-A INPUT -p udp --source-port 53 -d 0/0 -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed
7. Read in the IPtables rules
iptables-restore < /etc/iptables.up.rules
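Before loading the rules it is worth checking their ordering, because a packet jumped to the sshguard chain and not matched there returns to INPUT and is subject to the rules that follow. The script below is an added example, not part of the original post or of sshguard: a small lint in POSIX shell and awk that reads an iptables-restore file and reports whether an ACCEPT for tcp/ssh (or tcp/22) follows the jump to sshguard before an unconditional DROP. The two rule sets embedded in it are constructed for the example; on a real host you would feed it /etc/iptables.up.rules instead.

```shell
#!/bin/sh
# Added example (not from the original post): lint an iptables-restore file
# for the SSH lockout case. The rule sets below are constructed.

RULES_OK=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
-N sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ssh -j sshguard
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
)

RULES_LOCKOUT=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
-N sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ssh -j sshguard
-A INPUT -j DROP
COMMIT
EOF
)

# ssh_reachable: reads a rules file on stdin. Returns 0 when an ACCEPT for
# tcp/ssh appears in INPUT *after* the jump to sshguard and before any
# unconditional "-A INPUT -j DROP"; returns 1 otherwise. An ACCEPT placed
# before the jump is deliberately not counted, since it would bypass sshguard.
ssh_reachable() {
    awk '
        /^-A INPUT .*-p tcp .*--dport (ssh|22) .*-j sshguard/ { seen_jump = 1; next }
        seen_jump && /^-A INPUT .*-p tcp .*--dport (ssh|22) .*-j ACCEPT/ { ok = 1; exit }
        seen_jump && /^-A INPUT -j DROP$/ { exit }
        END { exit ok ? 0 : 1 }
    '
}

# Demo: report both constructed rule sets.
if printf '%s\n' "$RULES_OK" | ssh_reachable; then
    echo "RULES_OK: new SSH connections reach ACCEPT after the sshguard chain"
else
    echo "RULES_OK: new SSH connections would fall through to DROP"
fi
if printf '%s\n' "$RULES_LOCKOUT" | ssh_reachable; then
    echo "RULES_LOCKOUT: new SSH connections reach ACCEPT after the sshguard chain"
else
    echo "RULES_LOCKOUT: new SSH connections would fall through to DROP"
fi
```

Run it as `ssh_reachable < /etc/iptables.up.rules` before `iptables-restore`; a non-zero exit means the file would lock out new SSH sessions while the existing one keeps working through the conntrack rule, which is exactly the case that is easy to miss when testing from an already open session.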
8. Start Sshguard
mkdir /var/sshguard && /etc/init.d/sshguard start
Verification
tail -f /var/log/auth.log (watch the failed logins as they arrive)
iptables -L -n (blocked addresses show up as DROP rules in the sshguard chain)
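To see what sshguard is reacting to without waiting for the next bot, the following added example (not part of the original post or of sshguard) does by hand what the `-a 4` threshold does: it counts failed password attempts per source address in auth.log-style lines and lists the addresses at or above the threshold. The log lines are constructed for the example; on a real host you would pipe /var/log/auth.log into `offenders` instead.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins per
# source address and report those at or above a threshold. Sample log lines
# are constructed; the addresses are documentation ranges.

SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  1 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:07 host sshd[1204]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  1 10:00:09 host sshd[1205]: Accepted publickey for ubuntu from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:11 host sshd[1206]: Failed password for invalid user test from 198.51.100.9 port 40002 ssh2
EOF
)

# offenders THRESHOLD: reads log lines on stdin and prints "ip count" for
# every source address with at least THRESHOLD failed password attempts,
# sorted by address. Only sshd "Failed password" lines are counted.
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++ }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    ' | sort
}

# count_offenders THRESHOLD: number of addresses over the threshold in the
# constructed sample, as a plain integer.
count_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | offenders "$1" | wc -l | tr -d ' '
}

# Demo with the same threshold as the init script (-a 4).
printf '%s\n' "$SAMPLE_LOG" | offenders 4
```

With the sample above only 203.0.113.5 reaches four failures; the single failure from 198.51.100.9 stays below the threshold, which is the behaviour you want so that a mistyped password does not get a legitimate user blocked.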