Ban'em for OpenSSH

IP Banning Enhancement for OpenSSH 



If you have an Internet-facing server running SSH you've probably noticed a lot of failed login attempts. These are from automated bots, probably running on compromised machines, that scan for computers running an SSH server in an attempt to find more machines to break into and add to the botnet.

Ban'em is a modified version of the OpenSSH server daemon (sshd). Support for three new server options has been added. Together, these three new options allow you to have the OpenSSH server automatically ban IP addresses that engage in these random cracking attacks against your server.

The three new options are:
  • BanAfterAuthFailures - Set to the number of consecutive authentication failures that can trigger a ban. Default value is zero (banning disabled).
  • BanWindow - Set to the amount of time (in seconds) during which the above number of consecutive authentication failures will result in a ban. For example, if BanAfterAuthFailures is 10 and BanWindow is 3600 (one hour), then 10 consecutive failed authentications within any one hour period will result in a ban. Default value is 3600. Zero means indefinite.
  • BanTime - Set to the amount of time for which banned hosts will remain banned. Once a host is banned, the SSH server will immediately close the connection if the banned host attempts a connection. For example, if BanTime is set to 3600 (one hour), then a host will remain banned until it refrains from attempting any further connections for at least one hour. Default value is 3600. Zero means indefinite.

Ban'em 0.5 is currently available on the following platforms (for OpenSSH 5.1p1):

A utility, banls, is also available for getting information about the Ban'em host database.

This software is provided "AS IS" without warranty of any kind.

Prebuilt Intel binaries for OS X and Linux may be available soon if there's demand for them (let me know: gmail[dot]com, dmoulding[at]).

Ultimately the goal is to get this enhancement added to OpenSSH proper. But I'm unsure whether the OpenSSH developers will be interested in such a feature at this time.

The above binaries are copyright their respective copyright owners and are redistributed here under license.

Recent Changes:

The Ban'em database is now stored in /var/local/banem instead of /var/banem, as recommended by the Filesystem Hierarchy Standard

As of version 0.3, long bans (more than 24 hours) can now be configured. Even permanent bans may be done by setting BanTime to zero. Very long bans (months to years) may be useful for thwarting a new type of attack which has just recently emerged that uses hundreds of bots to converge upon a single SSH server in a coordinated, distributed brute-force attack. Short bans targeted at individual hosts within such a botnet are ineffective, but long bans have proven useful.

Known Bugs:

  • Ban'em does not delete old files that it creates in /var/banem. They must be deleted manually after the files are older than the configured BanTime. Or you can keep them for later browsing to see which hosts have been banned in the past (maybe this is a feature?)

Ban, block, reject, deny. Whatever you want to call it. Stop the annoying bots scanning your OpenSSH servers and filling up your log files with repeated failed authentication attempts.