sshd_block.vbs - Blocks IP addresses generating invalid SSH logons

Copyright 2009 Wellbury LLC - See LICENSE for license information

Release 20090721 - Initial public release
Release 20100120 - Cleanup of README file, added Advanced Firewall support,
                   added support for "Invalid user" strings in sshd messages,
                   tested on Windows 7 x64

For support, please contact Evan Anderson at Wellbury LLC
EAnderson@wellbury.com, (866) 569-9799, ext 801

If you like this program please drop me an email. If you have any ideas for
enhancements or find a bug, I'd love to hear about that too.

Overview
========

sshd_block is a VBScript program that acts as a WMI event sink to receive
Windows Event Log entries logged by sshd. It parses these log entries and acts
upon them as follows:

- If the IP address attempts to logon with a username flagged as "ban
  immediately" the IP address is banned immediately.

- If the IP address attempts to logon more frequently than is allowed in a
  given time period the IP address is banned.

The "ban immediately" usernames and the thresholds associated with repeated
logon attempts are configurable in the "Configuration" section of the script.
Default settings are as follows:

  Ban Immediately Usernames - administrator, root, guest
  Logon attempts allowed    - 5 in 120 seconds (2 minutes)
  Duration of ban           - 300 seconds (5 minutes)

The configuration variables for these values are reasonably self-explanatory.
Additional variables to enable/disable debugging and event log usage are also
present and self-explanatory.

Once per second, any IP addresses that have remained banned for their assigned
ban duration are unbanned (by either having the black-hole route removed from
the routing table or having the firewall rule black-holing that IP removed).
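The ban logic described above, as an added Python example (not the script's own VBScript): the README's default thresholds, the "ban immediately" list, a sliding window for repeated attempts and the once-per-second unban sweep. The sshd message shapes and the 192.0.2.x addresses are constructed for illustration and are assumptions, not copied from the script.

```python
import re
from collections import deque

BAN_IMMEDIATELY = {"administrator", "root", "guest"}   # README defaults follow
MAX_ATTEMPTS = 5        # logon attempts allowed ...
WINDOW_SECONDS = 120    # ... within this many seconds
BAN_DURATION = 300      # seconds an IP stays banned
# Message shapes are assumed for illustration; real sshd wording may differ.
MSG_RE = re.compile(r"(?:Failed password for|Invalid user) (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

class BanTracker:
    def __init__(self):
        self.attempts = {}   # ip -> deque of attempt timestamps (seconds)
        self.banned = {}     # ip -> time at which the ban expires
        self.events = []     # audit trail of ("ban" | "unban", ip, reason)

    def observe(self, line, now):   # returns the ban reason, or None
        if not (m := MSG_RE.search(line)) or m["ip"] in self.banned:
            return None                      # unparsable, or already banned
        ip, user = m["ip"], m["user"]
        if user.lower() in BAN_IMMEDIATELY:
            return self._ban(ip, now, f"ban-immediately user {user!r}")
        q = self.attempts.setdefault(ip, deque())
        q.append(now)
        while now - q[0] > WINDOW_SECONDS:   # drop attempts outside the window
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            return self._ban(ip, now, f"{len(q)} attempts in {WINDOW_SECONDS}s")

    def _ban(self, ip, now, reason):
        self.banned[ip] = now + BAN_DURATION
        self.attempts.pop(ip, None)          # free the attempt history
        self.events.append(("ban", ip, reason))
        return reason

    def sweep(self, now):   # run once per second, like the script's timer
        expired = [ip for ip, until in self.banned.items() if now >= until]
        for ip in expired:
            del self.banned[ip]
            self.events.append(("unban", ip, "ban duration elapsed"))
        return expired

def run_sample():   # constructed input: six rapid failures, then a root attempt
    t = BanTracker()
    for i in range(6):
        t.observe(f"Failed password for invalid user bob from 192.0.2.10 port {4000 + i} ssh2", 0.5 * i)
    t.observe("Failed password for root from 192.0.2.20 port 5000 ssh2", 3.5)
    return t.events, t.sweep(2.5 + BAN_DURATION)   # 192.0.2.10 was banned at t=2.5
```

The sixth failure from 192.0.2.10 within the window triggers the threshold ban, the root attempt from 192.0.2.20 is banned on sight, and the sweep lifts only the ban whose 300 seconds have elapsed.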
Pre-Requisite Computer Configuration
====================================

For Windows 2000, XP, and 2003 it is necessary that a network interface with a
static IP address assigned and no default gateway specified be present on the
server computer. A physical hardware device is not necessary, as the Microsoft
Loopback Adapter serves the purposes of this application. Details about
installing the Microsoft Loopback Adapter are available at the following
locations:

- For Windows 2000 and Windows XP:
  http://msdn.microsoft.com/en-us/library/aa934256.aspx

- For Windows Server 2003:
  http://support.microsoft.com/kb/842561

After you have installed the Microsoft Loopback Adapter (or chosen an unused
physical hardware NIC), specify a static IP address and no default gateway in
the TCP/IP version 4 properties for the adapter. The IP address and subnet
mask assigned to this adapter should not match any network in use in your
enterprise and should be in the RFC 1918 space.

For Windows Vista, 2008, 7, and 2008 R2 the "Advanced Firewall" is used to
create inbound firewall rules blocking traffic from the banned host. On these
operating systems no special configuration of network adapters is necessary.

Script Testing
==============

Some (all?) OpenSSH distributions do not provide an "Event Message File" and,
as such, the events generated by sshd appear in the Windows Event Log with
descriptions similar to:

  The description for Event ID ( 0 ) in Source ( OpenSSHd ) cannot be found.
  The local computer may not have the necessary registry information or
  message DLL files to display messages from a remote computer. You may be
  able to use the /AUXSOURCE= flag to retrieve this description; see Help and
  Support for details. The following information is part of the event: sshd :
  PID 376 : sshd : PID 3664 : Did not receive identification string from
  127.0.0.1

It is necessary for an event message file to be installed for sshd_block to
function properly.
sshd_block will check for an event message file for source "sshd" to be
present and will fail if it is not. An event message file (sshd_messages.dll)
and an installation script are provided with sshd_block. To install the event
message file, copy it to the desired location (%ProgramFiles%\OpenSSH\bin,
%SystemDrive%\cygwin\usr\sbin, etc.) and execute the provided
register_sshd_messages.cmd script. The register_sshd_messages.cmd script will
check for the presence of the sshd_messages.dll file in the specified path and
for the presence of an already-installed event message file for sshd, and will
fail if the DLL is not present in the path specified or if an event message
file is already specified.

After the event message file is installed, it is recommended that you copy the
sshd_block.vbs script to your desired location, modify the configuration
parameters if you are unsatisfied with the defaults, and execute the script.
It is recommended that you execute the script using the CSCRIPT.EXE utility,
but it is possible to execute the script using WSCRIPT.EXE by double-clicking
on the script file in Windows Explorer. Be aware that, should debugging be
enabled, execution is only effectively possible through CSCRIPT.EXE because
message logging to pop-up dialogs will "stall" the script until the dialogs
are dismissed.

Test the functionality of the script by performing invalid logons using a
"ban immediately" account and by attempting repeated logons with a valid or
invalid account that is not in the "ban immediately" list. Banning and
unbanning events will be logged in the Application event log. (It is
recommended that you perform your tests via a remote control mechanism such
that you do not lose communication with the server computer during testing.)
Windows Service Installation
============================

A binary copy of the public domain "Non-Sucking Service Manager" (nssm,
available from http://iain.cx/src/nssm/) is included with sshd_block to
facilitate installation as a Windows service. The Microsoft SRVANY tool may
also be used to run sshd_block as a Windows service.

If you choose to use nssm, copy the nssm.exe file to the location of your
choice (typically %ProgramFiles%\OpenSSH\bin). After you are satisfied with
the performance of the script in testing and have copied nssm.exe to the
desired location, install the script as a Windows service using the following
command line (from the directory where nssm was installed):

  nssm install sshd_block %SystemRoot%\System32\cscript.exe "\"%ProgramFiles%\OpenSSH\bin\sshd_block.vbs\""

The command must be entered on a single line. It is necessary to enter the
"\" characters as depicted such that the resulting registry entry is
surrounded by double quotes. This command will create a service set to start
automatically. (If your sshd_block.vbs is stored in a path without spaces
then you don't need to go through those gyrations.) After installing the
service, start it and verify that it functions properly.

External Dependencies
=====================

The following external programs are required to be in the PATH for the user
context under which sshd_block is executing:

  ROUTE.EXE       - For black-hole routing banned IP addresses under Windows XP
  NETSH.EXE       - For creating Advanced Firewall rules on Windows Vista and
                    later versions of Windows
  EVENTCREATE.EXE - For writing to the event log (only if event logging is
                    enabled)

Performance and Security
========================

A simple and fairly non-scientific stress test function is included in the
script (and disabled by default).
Testing with the parameters listed in the script (but with the BAN_DURATION
decreased from the default to 60 seconds) on a Windows XP Professional 32-bit
SP3 machine resulted in maximum memory usage of 6,736KB. As the banned queue
drained at the end of the test, the memory usage decreased. On the face of it,
it would appear that the script can handle at least thousands of unique IP
addresses being banned at a rate of one IP address every 10 to 50ms with no
major issues.

Parameters passed to calls to external programs for creating Windows Event Log
entries or altering IP routes are sanitized through a regular expression match
(allowing only the characters 0-9, a-z, A-Z, and period, underscore, space,
forward slash (/), colon, and minus).

Future Roadmap
==============

Future enhancement possibilities include:

- Loading values for all configuration parameters from the registry.
- Packaging for installation as a Windows installer package.
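The sanitization gate described above, as an added Python example (not the script's own VBScript): a whitelist check applied to every value that reaches an external command, shown beside the argument vectors it protects. The exact netsh, route and eventcreate arguments are assumptions for illustration, since the README names the tools but not their invocation, and 10.255.255.1 is a constructed loopback-adapter gateway address.

```python
import re

# Whitelist from the README: 0-9, a-z, A-Z, period, underscore, space,
# forward slash, colon and minus. Anything else (quotes, &, |, %, ...) is
# rejected outright rather than escaped.
SAFE_ARG = re.compile(r"[0-9A-Za-z._ /:-]+")
# A banned address must additionally be a structurally valid dotted quad.
IPV4 = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)")

def sanitize(value):
    """Return value unchanged if it passes the whitelist, else raise."""
    if not SAFE_ARG.fullmatch(value):
        raise ValueError(f"unsafe characters in argument: {value!r}")
    return value

def ban_command(ip, use_firewall, blackhole_gateway="10.255.255.1"):
    """Argument vector for banning ip (the netsh/route syntax is assumed).

    use_firewall=True  -> Vista and later: NETSH.EXE inbound block rule
    use_firewall=False -> XP: ROUTE.EXE host route to the loopback adapter's
                          gateway address (constructed RFC 1918 value above)
    Returning a list rather than a shell string keeps the shell out of the
    picture; the README's script builds a command line, hence the whitelist.
    """
    if not IPV4.fullmatch(ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    ip = sanitize(ip)
    if use_firewall:
        return ["netsh", "advfirewall", "firewall", "add", "rule",
                f"name=sshd_block {ip}", "dir=in", "action=block",
                f"remoteip={ip}"]
    return ["route", "add", ip, "mask", "255.255.255.255",
            sanitize(blackhole_gateway)]

def event_log_args(event_id, ip, user):
    """EVENTCREATE.EXE arguments (syntax assumed). The remote IP and the
    attempted username are attacker-chosen, so both pass through the same
    whitelist before they reach the command line."""
    desc = f"sshd_block banned {sanitize(ip)} after logon attempt as {sanitize(user)}"
    return ["eventcreate", "/L", "APPLICATION", "/SO", "sshd_block",
            "/T", "WARNING", "/ID", str(int(event_id)), "/D", desc]
```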