Mac OS X Server's adaptive firewall (afctl) does a good job of catching brute-force login attacks on most services, but it doesn't catch PPTP attacks. The script below scans the system log for pppd sessions that never authenticated (or that failed while setting up the PPTP control connection), counts them per source address, and uses afctl to block any host that exceeds the threshold for a week (you can, of course, change the parameters if you wish). It needs root to call afctl, so I recommend running it from root's crontab every 10-15 minutes.
Read on for the script…
#!/bin/sh
#
# pptp_attack_check.sh by Jon Gardner, [email protected]
#
# This script checks a logfile (usually the system log) for failed PPTP connections
# caused by dictionary or DOS attacks, and blocks the offending IPs accordingly.
# It must run as root (afctl modifies the firewall), e.g. from root's crontab.
#
# which logfile should we monitor?
LOG=/var/log/system.log
# where is the afctl blacklist file?
BL=/var/db/af/blacklist
# number of "hits" allowed before a host is blocked
MAXHITS=5
# how long to block, in minutes (10080 = one week)
BLOCKTIME=10080
#
GREP=/usr/bin/grep
# a lock directory is a more reliable "already running" test than grepping ps;
# if the machine went down mid-run, remove it by hand
LOCK=/tmp/pptp_attack_check.lock
if ! mkdir "$LOCK" 2>/dev/null
then
  # already running.
  exit 0
fi
# mktemp avoids a predictable /tmp name, and creating the file up front means
# the sort below no longer fails when no suspicious sessions were found
TMP=`mktemp /tmp/pptp_attack.XXXXXX` || { rmdir "$LOCK"; exit 1; }
trap 'rm -f "$TMP"; rmdir "$LOCK"' EXIT
#
# one pppd process handles each incoming call; its PID ties the log lines together
for PID in `$GREP 'pppd\[' $LOG | $GREP 'incoming call' | cut -f2 -d'[' | cut -f1 -d']' | sort -u`
do
  # match "pppd[PID]" exactly so PID 41 does not also pick up PID 4101's lines
  SESSION=`$GREP "pppd\[$PID\]" $LOG`
  # check for valid logins and common brute-force errors
  LI=`echo "$SESSION" | $GREP -c 'CHAP peer authentication succeeded'`
  PE=`echo "$SESSION" | $GREP -c 'start_control_connection_request'`
  if [ $LI = 0 -o $PE -gt 0 ]
  then
    # the caller's address is the quoted string in the 'incoming call' line
    IP=`echo "$SESSION" | $GREP 'incoming call' | cut -f2 -d"'" | head -1`
    [ -n "$IP" ] && echo "$IP" >> "$TMP"
  fi
done
IPLIST=""
for IP in `sort -u "$TMP"`
do
  # -F -x: match the whole line literally, so the dots in the IP are not wildcards
  CNT=`$GREP -c -F -x "$IP" "$TMP"`
  if [ $CNT -gt $MAXHITS ]
  then
    # make sure the host is not already blacklisted (missing file counts as 0)
    CHK1=`$GREP -c -F "$IP" "$BL" 2>/dev/null`
    # make sure it's not just a Directory Services problem
    CHK2=`$GREP -F "$IP" $LOG | $GREP -c "(error = -6)"`
    CHK3=`$GREP -F "$IP" $LOG | $GREP -c "Error: -6"`
    if [ ${CHK1:-0} = 0 -a $CHK2 = 0 -a $CHK3 = 0 ]
    then
      # use afctl to blacklist the host for BLOCKTIME minutes
      /usr/libexec/afctl -a "$IP" -t $BLOCKTIME
      IPLIST="$IPLIST $IP"
    fi
  fi
done
# cron mails this to root, so every block leaves a trace
if [ -n "$IPLIST" ]
then
  echo "pptp_attack_check: blacklisted$IPLIST"
fi
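As an added example (not part of the hint or Jon Gardner's script), here is the same detection rule written as a single awk pass over the log instead of one grep pipeline per PID, run against constructed sample lines. The hostnames, PIDs and addresses are made up, and the sample messages only reproduce the substrings the script greps for ('incoming call', 'CHAP peer authentication succeeded', 'start_control_connection_request', '(error = -6)'), not pppd's full wording. Matching the PID as "pppd[PID]" avoids the substring problem of a bare grep, and a log with no matching lines prints nothing and exits cleanly.

```shell
#!/bin/sh
# Added example: single-pass PPTP brute-force detection over pppd log lines.
# Not the original hint's script; sample data below is constructed.

# Print, one per line, the source IPs with more than MAXHITS failed PPTP
# sessions, skipping hosts that also logged a Directory Services -6 error.
# usage: pptp_offenders LOGFILE MAXHITS
pptp_offenders() {
  awk -v maxhits="${2:-5}" '
    # pppd lines look like "... pppd[4101]: message"
    /pppd\[[0-9]+]:/ {
      s   = substr($0, index($0, "pppd[") + 5)      # "4101]: message"
      pid = substr(s, 1, index(s, "]") - 1)         # exact PID, no substring match
      msg = substr(s, index(s, "]") + 2)
      if (index(msg, "incoming call")) {            # caller address is quoted
        q    = index(msg, "'\''")
        rest = substr(msg, q + 1)
        ip[pid] = substr(rest, 1, index(rest, "'\''") - 1)
      }
      if (index(msg, "CHAP peer authentication succeeded")) ok[pid] = 1
      if (index(msg, "start_control_connection_request"))  bad[pid] = 1
    }
    # Directory Services trouble (error -6) is not an attack: remember the line
    /\(error = -6\)/ || /Error: -6/ { dserr[++nerr] = $0 }
    END {
      # same rule as the hint: a session counts against its IP when it never
      # authenticated, or when the PPTP control connection errored
      for (pid in ip)
        if (ip[pid] != "" && (!ok[pid] || bad[pid])) hits[ip[pid]]++
      for (a in hits) {
        if (hits[a] <= maxhits) continue
        skip = 0
        for (i = 1; i <= nerr; i++) if (index(dserr[i], a)) skip = 1
        if (!skip) print a
      }
    }' "$1" | sort
}

# Constructed sample log: one legitimate login, one attacker with three
# failed sessions, and one host whose failures come with error -6.
# usage: write_sample_log FILE
write_sample_log() {
  cat > "$1" <<'EOF'
Jan  5 10:00:01 vpn pppd[410]: pptp incoming call in progress from '198.51.100.20'...
Jan  5 10:00:02 vpn pppd[410]: CHAP peer authentication succeeded for alice
Jan  5 10:00:10 vpn pppd[4101]: pptp incoming call in progress from '203.0.113.9'...
Jan  5 10:00:11 vpn pppd[4101]: start_control_connection_request: timed out
Jan  5 10:00:20 vpn pppd[4102]: pptp incoming call in progress from '203.0.113.9'...
Jan  5 10:00:21 vpn pppd[4102]: start_control_connection_request: timed out
Jan  5 10:00:30 vpn pppd[4103]: pptp incoming call in progress from '203.0.113.9'...
Jan  5 10:00:31 vpn pppd[4103]: start_control_connection_request: timed out
Jan  5 10:02:00 vpn pppd[4201]: pptp incoming call in progress from '192.0.2.77'...
Jan  5 10:02:01 vpn pppd[4201]: CHAP peer authentication failed for bob
Jan  5 10:02:02 vpn pppd[4202]: pptp incoming call in progress from '192.0.2.77'...
Jan  5 10:02:03 vpn pppd[4202]: CHAP peer authentication failed for bob
Jan  5 10:02:04 vpn pppd[4203]: pptp incoming call in progress from '192.0.2.77'...
Jan  5 10:02:05 vpn pppd[4203]: user lookup for '192.0.2.77' failed (error = -6)
EOF
}

SAMPLE_LOG=$(mktemp /tmp/pptp_sample.XXXXXX) || exit 1
write_sample_log "$SAMPLE_LOG"
# With MAXHITS=2 only 203.0.113.9 qualifies: 198.51.100.20 authenticated and
# 192.0.2.77 is excused by the Directory Services error.
pptp_offenders "$SAMPLE_LOG" 2
# An empty log produces no output and no error.
: > "$SAMPLE_LOG"
pptp_offenders "$SAMPLE_LOG" 2
rm -f "$SAMPLE_LOG"
```

In the cron job, the function's output is what would be fed to afctl, e.g. `for IP in $(pptp_offenders /var/log/system.log 5); do /usr/libexec/afctl -a "$IP" -t 10080; done`, after the same "already blacklisted" check the hint's script performs.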
Have tried it under OSXS 10.6, but I got the error “sort: open failed: /tmp/pptp_attack37698: No such file or directory”. Don’t know if the script has an error or if it doesn’t work under 10.6.