moved wiki here
43
content/Unix/SSH-Filter.md
Normal file
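--- /dev/null
+++ b/content/Unix/SSH-Filter.md
@@ -0,0 +1,43 @@
+To filter incoming SSH-Connections by Country/Login do:
+
+Create a filter-binary (i.e. `/usr/local/bin/sshfilter.sh`) with contents like:
+
+```bash
+#!/bin/bash
+
+# UPPERCASE space-separated country codes to ACCEPT
+ALLOW_COUNTRIES="DE NL"
+
+if [ $# -ne 2 ]; then
+echo "Usage: `basename $0` <ip> <user>" 1>&2
+exit 0 # return true in case of config issue
+fi
+
+COUNTRY=`/usr/bin/geoiplookup $1 | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1`
+
+if [[ $COUNTRY == "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]]; then
+RESPONSE="ALLOW"
+else
+RESPONSE="DENY"
+fi
+
+#root-user is denied directly - no matter from where
+#can be used to also auto-ban ip in $1
+if [[ $2 == "root" ]]; then
+RESPONSE="DENY"
+fi
+
+#allow few users from everywhere
+if [[ $2 == "juser" ]]; then
+RESPONSE="ALLOW"
+fi
+
+if [[ $RESPONSE == "ALLOW" ]]; then
+exit 0
+else
+logger "$RESPONSE sshd connection for $2 from $1 ($COUNTRY)"
+exit 1
+fi
+```
+
+Installation of geoiplookup from [ubuntuwiki](https://wiki.ubuntuusers.de/geoiplookup/)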
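Review bot: The embedded filter fails open when the lookup yields nothing: on the `$ALLOW_COUNTRIES =~ $COUNTRY` line an empty `$COUNTRY` (geoiplookup not installed, database missing, unexpected output) is an empty regex that matches any string, so the result is ALLOW. Because the right-hand side is a regex, the test is also a substring match rather than a whole-code comparison. A whole-word test that rejects empty output is stricter, e.g. `if [[ -n $COUNTRY && " $ALLOW_COUNTRIES " == *" $COUNTRY "* ]]; then`, with the "IP Address not found" allowance kept as its own, explicitly commented branch. `$1` and `$0` are passed unquoted to geoiplookup and basename; `"$1"` and `"$0"` avoid word splitting on unexpected input. The page does not show how the script is hooked into sshd, so it would help to state in the text that `exit 0` on a wrong argument count and the allow on an unknown address are deliberate anti-lockout choices that trade away enforcement.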