ssh_guard 0.0.1

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.rspec

@@ -0,0 +1 @@
+--color

data/Gemfile

@@ -0,0 +1,14 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+gem 'sequel'
+gem 'sqlite3-ruby'
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "rspec", "~> 2.1.0"
+  gem "bundler", "~> 1.0.0"
+  gem "jeweler", "~> 1.5.1"
+  gem "rcov", ">= 0"
+end

data/Gemfile.lock

@@ -0,0 +1,32 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.1.2)
+    git (1.2.5)
+    jeweler (1.5.1)
+      bundler (~> 1.0.0)
+      git (>= 1.2.5)
+      rake
+    rake (0.8.7)
+    rcov (0.9.9)
+    rspec (2.1.0)
+      rspec-core (~> 2.1.0)
+      rspec-expectations (~> 2.1.0)
+      rspec-mocks (~> 2.1.0)
+    rspec-core (2.1.0)
+    rspec-expectations (2.1.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.1.0)
+    sequel (3.17.0)
+    sqlite3-ruby (1.3.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.0.0)
+  jeweler (~> 1.5.1)
+  rcov
+  rspec (~> 2.1.0)
+  sequel
+  sqlite3-ruby

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Jelle Helsen
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,32 @@
+= SshGuard
+
+SshGuard is guardian angel for ssh. It protects your server from ssh password guessing bots. It scans the log file for ssh errors containing 'Invalid user' of "authentication error". After 10 failed authentications the ip address of the failing host will be blocked by the firewall.
+
+At the moment it only works on Mac OS X. Porting it to other unix based platforms should not be that hard.
+
+== Installation
+
+Installing SshGuard is simple:
+
+  sudo gem install ssh_guard
+
+== TODO
+
+* Create a lauchd plist file
+* Port to other platforms
+
+== Contributing to ssh_guard
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2010 Jelle Helsen. See LICENSE.txt for
+further details.
+

data/Rakefile

@@ -0,0 +1,51 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "ssh_guard"
+  gem.homepage = "http://github.com/jellehelsen/ssh_guard"
+  gem.license = "MIT"
+  gem.summary = %Q{guardian angel for ssh}
+  gem.description = %Q{It protects your server from ssh password guessing bots.}
+  gem.email = "jelle.helsen@hcode.be"
+  gem.authors = ["Jelle Helsen"]
+  gem.executables = %w{ssh_guard}
+  # Include your dependencies below. Runtime dependencies are required when using your gem,
+  # and development dependencies are only needed for development (ie running rake tasks, tests, etc)
+  #  gem.add_runtime_dependency 'jabber4r', '> 0.1'
+  #  gem.add_development_dependency 'rspec', '> 1.2.3'
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+RSpec::Core::RakeTask.new(:rcov) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "ssh_guard #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/autotest/discover.rb

@@ -0,0 +1,2 @@
+Autotest.add_discovery { "rspec2" }
+

data/bin/ssh_guard

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require "ssh_guard"
+
+SshGuard::Core.new.start

data/lib/ssh_guard.rb

@@ -0,0 +1,54 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), 'ssh_guard'))
+require "logger"
+require "database"
+require "firewall_adapters"
+module SshGuard
+  class Core
+    attr_reader :database
+    attr_reader :firewall
+    class Parser
+      def parse_line(line)
+        if line =~ /Did not receive identification string/ || line =~ /invalid user/i || line =~ /authentication error/
+          ip_address = line.match(/\d+\.\d+.\d+.\d+/).to_s
+          timestamp = Time.parse(line.match(/(^.+) mini/)[1])
+          {:ip_address => ip_address, :timestamp => timestamp}
+        end
+      end
+    end
+
+    def initialize
+      unless i_am_root?
+        raise "ssh_guard should be started as root!!!"
+      end
+      @database = Database.new
+      @parser   = Parser.new
+      @firewall = FirewallAdapters::IPFWAdapter.new
+      @log_file = "/var/log/secure.log"
+    end
+
+    def <<(line)
+      if entry = @parser.parse_line(line)
+        if database.should_block? entry[:ip_address]
+          firewall.block_host entry[:ip_address] unless firewall.blocked?(entry[:ip_address])
+        else
+          database.add_entry(entry) unless firewall.blocked?(entry[:ip_address])
+        end
+      end
+    end
+    
+    def start
+      IO.popen("tail -f #{@log_file}") do |f|
+        while line = f.gets
+          self << line if line =~ /sshd/
+        end
+      end
+    end
+    
+    def self.i_am_root?
+      `whoami` =~ /^root$/
+    end
+    def i_am_root?
+      self.class.i_am_root?
+    end
+  end
+end

data/lib/ssh_guard/database.rb

@@ -0,0 +1,25 @@
+require "rubygems"
+require "sequel"
+module SshGuard
+  class Database
+    attr_reader :db
+
+    def initialize()
+      @db = Sequel.sqlite
+      @db.create_table :entries do 
+        primary_key :id
+        String :ip_address
+        Time :timestamp
+      end
+    end
+  
+    def add_entry(entry={})
+      db[:entries].insert(entry) unless entry.empty?
+    end
+
+    def should_block?(ip_address)
+      count = @db[:entries].where({:ip_address => ip_address}).count 
+      count > 10
+    end
+  end  
+end

data/lib/ssh_guard/firewall_adapters.rb

@@ -0,0 +1,19 @@
+module SshGuard
+  module FirewallAdapters
+    class IPFWAdapter
+      def initialize
+        @logger    = Logger.new(STDOUT)
+      end
+      def block_host(host)
+        unless blocked?(host)
+          `ipfw add deny tcp from #{host} to me ssh`
+          @logger.warn("Blocking host #{host}!")
+        end
+      end
+      
+      def blocked?(host)
+        `ipfw list | grep "deny tcp from #{host} to me dst-port 22"` =~ /deny tcp from #{host} to me dst-port 22$/ ? true : false
+      end
+    end
+  end
+end

data/spec/database_spec.rb

@@ -0,0 +1,20 @@
+require "spec_helper"
+
+describe SshGuard::Database do
+  it "should connect to an in-memory database" do
+    Sequel.should_receive(:sqlite).and_return(m=mock())
+    m.should_receive(:create_table)
+    @db = SshGuard::Database.new
+  end
+  
+  it "should block the host if failed more than 10 times" do
+    @db = SshGuard::Database.new
+    @db.db.stub_chain(:[], :where, :count).and_return(11)
+    @db.should_block?("192.168.1.2").should be_true
+  end
+  it "should not block the host if failed less than 10 times" do
+    @db = SshGuard::Database.new
+    @db.db.stub_chain(:[], :where, :count).and_return(9)
+    @db.should_block?("192.168.1.2").should be_false
+  end  
+end

data/spec/ipfw_adapter_spec.rb

@@ -0,0 +1,19 @@
+require "spec_helper"
+
+describe SshGuard::FirewallAdapters::IPFWAdapter do
+  before(:each) do
+    @firewall = SshGuard::FirewallAdapters::IPFWAdapter.new
+  end
+  it "should call ipfw" do
+    @firewall.stub(:blocked?).and_return(false)
+    @firewall.should_receive(:`).with("ipfw add deny tcp from 192.168.1.1 to me ssh")
+    @firewall.block_host('192.168.1.1')
+  end
+  it "should not block a host when it is already blocked" do
+    msg = "Nov 24 21:15:53 mini sshd[55670]: reverse mapping checking getaddrinfo for client-200.106.67.47.speedy.net.pe [200.106.67.47] failed - POSSIBLE BREAK-IN ATTEMPT!"
+    @firewall.should_not_receive(:`).with("ipfw add deny tcp from 192.168.1.1 to me ssh")
+    @firewall.should_receive(:blocked?).and_return(true)
+    @firewall.block_host('192.168.1.1')
+  end
+  
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'rspec'
+require 'ssh_guard'
+
+# Requires supporting files with custom matchers and macros, etc,
+# in ./support/ and its subdirectories.
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |config|
+  
+end

data/spec/ssh_guard_spec.rb

@@ -0,0 +1,54 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe SshGuard::Core do
+  before(:each) do 
+    SshGuard::Core.stub(:i_am_root?).and_return(:true)
+    @guard = SshGuard::Core.new
+    @guard.firewall.stub(:blocked?)
+  end
+
+  it "parses an input line" do
+    lambda { @guard << "input" }.should_not raise_error
+  end
+    
+  it "should ignore other input" do
+    @guard.database.should_not_receive(:add_entry)
+    @guard << "other input"
+  end
+  
+  it "should tell the firewall about host to block" do
+    @guard.database.stub(:should_block?).and_return(true)
+    @guard.stub(:firewall).and_return(m=mock())
+    m.stub(:blocked?).and_return(false)
+    m.should_receive(:block_host)
+    msg = "Nov 24 17:03:55 mini sshd[47367]: Invalid user staff from 221.13.5.92"
+    @guard << msg
+  end
+  
+  describe "log messages" do
+    it "should add entry for failed authentication" do
+      msg = "Nov 24 21:15:55 mini sshd[55670]: error: PAM: authentication error for root from 200.106.67.47 via 192.168.1.2"
+      @guard.database.should_receive(:add_entry).with({:timestamp => Time.parse("Nov 24 21:15:55"), :ip_address => "200.106.67.47"})
+      @guard << msg
+    end
+    
+    it "should add entry for invalid user" do
+      msg = "Nov 24 17:03:55 mini sshd[47367]: Invalid user staff from 221.13.5.92"
+      @guard.database.should_receive(:add_entry).with({:timestamp => Time.parse("Nov 24 17:03:55"), :ip_address => "221.13.5.92"})
+      @guard << msg
+    end
+    
+    it "should add entry for no identification string" do
+      msg = "Nov 24 20:33:23 mini sshd[54157]: Did not receive identification string from 85.172.214.7"
+      @guard.database.should_receive(:add_entry).with({:timestamp => Time.parse("Nov 24 20:33:23"), :ip_address => "85.172.214.7"})
+      @guard << msg
+    end
+  end
+  
+  describe "on osx" do
+    it "should tail /var/log/secure.log" do
+      IO.should_receive(:popen).with("tail -f /var/log/secure.log")
+      @guard.start
+    end
+  end
+end

metadata

@@ -0,0 +1,176 @@
+--- !ruby/object:Gem::Specification 
+name: ssh_guard
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Jelle Helsen
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-11-30 00:00:00 +01:00
+default_executable: ssh_guard
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  name: sequel
+  prerelease: false
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  name: sqlite3-ruby
+  prerelease: false
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 2
+        - 1
+        - 0
+        version: 2.1.0
+  type: :development
+  name: rspec
+  prerelease: false
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  type: :development
+  name: bundler
+  prerelease: false
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 1
+        segments: 
+        - 1
+        - 5
+        - 1
+        version: 1.5.1
+  type: :development
+  name: jeweler
+  prerelease: false
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  name: rcov
+  prerelease: false
+  version_requirements: *id006
+description: It protects your server from ssh password guessing bots.
+email: jelle.helsen@hcode.be
+executables: 
+- ssh_guard
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE.txt
+- README.rdoc
+files: 
+- .document
+- .rspec
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- VERSION
+- autotest/discover.rb
+- bin/ssh_guard
+- lib/ssh_guard.rb
+- lib/ssh_guard/database.rb
+- lib/ssh_guard/firewall_adapters.rb
+- spec/database_spec.rb
+- spec/ipfw_adapter_spec.rb
+- spec/spec_helper.rb
+- spec/ssh_guard_spec.rb
+has_rdoc: true
+homepage: http://github.com/jellehelsen/ssh_guard
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: guardian angel for ssh
+test_files: 
+- spec/database_spec.rb
+- spec/ipfw_adapter_spec.rb
+- spec/spec_helper.rb
+- spec/ssh_guard_spec.rb