[WBEL-users] Daily SSH attempted logins
bishop
bishop at platypus.bc.ca
Sun Mar 6 04:23:21 CST 2005
Jesse wrote:
> On Sun, 6 Mar 2005, Sudev Barar wrote:
>
>> Can you share the script?
>
> The original version by Victor Danilchenko:
> http://www.linuxmafia.com/pub/linux/security/sshd_sentry/sshd_sentry
Monitoring every ten seconds, that's Crazy! :-)
Earlier this year I started poking with a CSH script that Jack-Benny
Persson maintains (http://bluedogsecurity.cyberinfo.se/ssh_block/) and
moved it to a bash script. There's more to do to improve it - start by
counting the redundant cats, for one thing - but it's mostly usable now
for similar behaviour. I have one that starts by init.d, too, around
here somewhere. (mail for an RPM)
But that's not where it stopped: A buddy of mine in Atlanta.ga.us was
mock-disappointed that it only blocked every ten seconds. I thought a
bit, drank a bit more than I thought, and came up with this monstrosity:
    # Follow /var/log/messages; the original "tail -10000f" is the old
    # spelling of "tail -n 10000 -f".
    tail -n 10000 -f /var/log/messages | while read LINE ; do
        case $LINE in
        (*\ sshd*\ authentication\ failure*)
            # $LINE is deliberately unquoted: echo collapses the double
            # space in "Mar  6", so exactly four fields precede "sshd".
            # sed pulls out rhost=... and builds the rule. Because the rule
            # is prefixed with "echo", sh only prints it (a dry run); drop
            # that "echo" to actually insert the DROP rule.
            echo $LINE | sed -ne "/\([^ ]\{1,\} \)\{4\}sshd[^ ]\{1,\} authentication failure/s:.*rhost=\([^ ]\{1,\}\)\( .*\)\{0,\}:echo iptables -A INPUT -p tcp -i eth0 -s \1 --dport 22 --syn -j DROP :p" | sh
            ;;
        esac
    done
I thought this may be funny enough to spam you all with it. If not,
flame me privately. I'll archive the best and send them in. Wrap an
init.d around it, maybe toss some sort|uniq in there, and you may have
something usable, even. Now lamers have exactly one login session to
get it right!
No, really, look at Jack-Benny's script. It's nifty, and doesn't need
perl. Not saying that's better, but it doesn't need perl.
- bish
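One way to add the "sort|uniq" threshold bish mentions, written for this thread as an added example (not code from the list, from sshd_sentry or from Jack-Benny's script). It assumes the PAM-style "authentication failure ... rhost=" log format, takes the threshold and interface name as arguments, and runs over constructed log lines; like the one-liner, it prints the rules rather than applying them.

```shell
#!/bin/sh
# Batch version of the one-liner above with a "sort|uniq" threshold added.
# Reads syslog lines on stdin and prints one iptables DROP rule per rhost
# that has failed at least THRESHOLD times. It only prints the rules
# (a dry run); pipe the output to sh to apply them.
ssh_block_rules() {
    threshold="${1:-3}"   # failures per host before it is blocked (assumed default)
    iface="${2:-eth0}"    # interface the rule is bound to, as in the original
    # 1. keep only sshd PAM authentication-failure lines
    # 2. extract the rhost= value (assumed format: "... rhost=1.2.3.4 user=root")
    # 3. count failures per host, then emit a rule for hosts at/over the threshold
    grep ' sshd\[[0-9]*\]: .*authentication failure' \
        | sed -n 's/.*rhost=\([^ ]\{1,\}\).*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" -v i="$iface" '$1 >= t {
              printf "iptables -A INPUT -p tcp -i %s -s %s --dport 22 --syn -j DROP\n", i, $2 }'
}

# Constructed sample log lines (not real traffic): one host fails three
# times, another once, plus an unrelated successful login that must be ignored.
SAMPLE_LOG='Mar  6 04:10:01 gw sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Mar  6 04:10:03 gw sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Mar  6 04:10:05 gw sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Mar  6 04:11:40 gw sshd[2298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=admin
Mar  6 04:12:00 gw sshd[2300]: Accepted publickey for bish from 192.0.2.10 port 51212 ssh2'

# With a threshold of 3 only 198.51.100.7 gets a rule:
printf '%s\n' "$SAMPLE_LOG" | ssh_block_rules 3 eth0
```

The threshold is what keeps a single fat-fingered password from locking a legitimate host out; with a threshold of 1 it behaves like the one-liner.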
--
More information about the Whitebox-users mailing list