Automatically blacklist SSH hackers

The sshblack Whitelist -- Understanding and Configuring the Whitelist with REGEX

I had assumed that modifying the whitelist would be trivial. For those of you who don't have to deal with Regular Expressions (REGEX) on a daily basis, count your blessings! Actually REGEX is very powerful and is, arguably, the backbone of Perl. Let's take a look at our whitelist string from the default code. Remember, any address that shows up in this whitelist will effectively be ignored by the script.

my($LOCALNET) = '^(?:127\.0\.0\.1|192\.168\.0)';

What that tells us is that we are going to trust all those IP addresses that come from 127.0.0.1 and 192.168.0. We know 127.0.0.1 is the address reserved for localhost. That is, this address is ourself. But wait. 192.168.0 is only three numbers! IPv4 requires four numbers/octets/tuples.
True, but when we parse, we can use a subset of that for our filter. So all we are saying is that we are going to trust anything that has AT LEAST those three numbers in the IP address. So 192.168.0.1 is fine, 192.168.0.254 is fine and so is everything in between. It's a wildcard for the 192.168.0.0/24 network.

What about that vertical bar, the pipe character? The pipe | is treated as an "or" in this REGEX. That's pretty much all you need to know about it. You can use as many of these as you need.

The backslashes are there to tell Perl that the dots are literal dots. Dots normally mean something else in Perl and in REGEX generally so, although it is visually confusing, you need the backslashes.

So let's do an example with some other (fictional) addresses.

Say the machine I'm trying to protect is at 220.50.50.1.
Let's say my machine sits on a Class C network with other machines that I trust implicitly. That network is going to be 220.50.50.0/24 or 220.50.50.0/255.255.255.0 or however you want to note it. But remember, the SSHBlack script doesn't think of these addresses as IP addresses; it is looking at them as a string, as text. So we only need the first three numbers -- we are ignoring or wild-carding the last number.
So this REGEX is going to become 220\.50\.50

Let's also say that we want to make sure we don't blacklist ourselves when we log in from our office address, which sits on the other side of town on a fixed IP of 66.249.64.68. I don't trust anyone around that address, so I'm not going to wildcard anything there.
This REGEX becomes 66\.249\.64\.68

Now let's put all this together for our whitelist ($LOCALNET) definition.

my($LOCALNET) = '^(?:127\.0\.0\.1|220\.50\.50|66\.249\.64\.68)';

Note I've used the pipe character (|) between all my entries and I didn't forget that pesky semi-colon at the end of the line.
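As an added example (not code from the original article or from sshblack itself), here is the whitelist check written out in Python, whose re module accepts exactly the pattern text shown above for $LOCALNET, so the strings can be pasted between the two languages. It goes a little beyond the article's case: it also shows what happens when the third number of a wildcarded prefix is short, and what happens when the dots are left unescaped. The prefixes 10.1.1 and 1.2.3, the function names, and the sshd log lines are all constructed for the example.

```python
import re

# Added example (not code from sshblack). The whitelist strings below use
# exactly the regex form the article describes for $LOCALNET; the syntax
# (the ^ anchor, escaped dots, and (?:a|b) alternation) is the same in Perl
# and in Python's re module, so the patterns can be pasted between the two.
DEFAULT_LOCALNET = r'^(?:127\.0\.0\.1|192\.168\.0)'
ARTICLE_LOCALNET = r'^(?:127\.0\.0\.1|220\.50\.50|66\.249\.64\.68)'

# Hypothetical prefixes showing the octet-boundary pitfall: a three-number
# prefix whose last number is short also matches longer third octets.
LOOSE_PREFIX = r'^(?:10\.1\.1)'     # matches 10.1.1.x but ALSO 10.1.10.x, 10.1.199.x
STRICT_PREFIX = r'^(?:10\.1\.1\.)'  # trailing \. pins the match to 10.1.1.0/24

# Hypothetical patterns showing why the backslashes matter.
UNESCAPED = r'^(?:1.2.3)'   # each bare dot matches ANY single character
ESCAPED = r'^(?:1\.2\.3)'

# Shape of an sshd failed-login line; the sample lines further down are constructed.
FAILED_LOGIN = re.compile(
    r'Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})'
)


def is_whitelisted(ip: str, localnet: str) -> bool:
    """Test a source address, as plain text, against a $LOCALNET-style regex."""
    return re.search(localnet, ip) is not None


def build_localnet(entries) -> str:
    """Assemble a $LOCALNET string from plain entries, escaping the dots for you.

    Entries may be full addresses ('66.249.64.68') or prefixes ('220.50.50');
    end a prefix with '.' to lock it to an octet boundary ('10.1.1.').
    """
    return '^(?:' + '|'.join(re.escape(e) for e in entries) + ')'


def classify_log_line(line: str, localnet: str):
    """Return (ip, 'whitelisted' | 'candidate') for a failed-login line, else None.

    'candidate' means the address would count toward blacklisting;
    'whitelisted' means the script should ignore it, as the article describes.
    """
    m = FAILED_LOGIN.search(line)
    if not m:
        return None
    ip = m.group(1)
    return ip, 'whitelisted' if is_whitelisted(ip, localnet) else 'candidate'


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    'sshd[2201]: Failed password for root from 220.50.50.9 port 4021 ssh2',
    'sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 2222 ssh2',
    'sshd[2203]: Failed password for bob from 66.249.64.68 port 50112 ssh2',
    'sshd[2204]: Accepted publickey for bob from 66.249.64.68 port 50113 ssh2',
]


def triage(lines, localnet):
    """Map each failed-login source address to its verdict; other lines are skipped."""
    verdicts = {}
    for line in lines:
        result = classify_log_line(line, localnet)
        if result:
            ip, verdict = result
            verdicts[ip] = verdict
    return verdicts


if __name__ == '__main__':
    print(triage(SAMPLE_LOG, ARTICLE_LOCALNET))
    print('loose prefix hits 10.1.10.5:', is_whitelisted('10.1.10.5', LOOSE_PREFIX))
    print('strict prefix hits 10.1.10.5:', is_whitelisted('10.1.10.5', STRICT_PREFIX))
    print('unescaped dots hit 112.3.4:', is_whitelisted('112.3.4', UNESCAPED))
```

The article's 220\.50\.50 entry is safe as written, because no third octet can be 500 or higher, so the prefix can only be followed by a dot. A shorter third number such as 10\.1\.1 is a different story: it is a text prefix, not a network, so it also whitelists 10.1.10.0/24 through 10.1.19.0/24 and 10.1.100.0/24 through 10.1.199.0/24. Ending the entry with an escaped dot (10\.1\.1\.) closes that hole, and build_localnet() above does the escaping so you cannot forget a backslash.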

Hope this helps some folks. The whitelisting function is pretty important.

Copyright 2006 Pettingers.org
