[WBEL-users] Daily SSH attempted logins
Andy Rabagliati
andyr at wizzy.com
Sun Mar 6 05:57:45 CST 2005
On Sun, 06 Mar 2005, bishop wrote:
> Jesse wrote:
>
> >sshd*\ authentication\ failure*) echo $LINE | sed -ne "/\([^ ]\{1,\}
> >\)\{4\}sshd[^ ]\{1,\} authentication failure/s:.*rhost=\([^ ]\{1,\}\)\(
> >.*\)\{0,\}:echo iptables -A INPUT -p tcp -i eth0 -s \1 --dport 22 --syn -j
> >DROP :p"| sh ;; esac ; done
>
> I thought this may be funny enough to spam you all with it. If not,
> flame me privately.
echo Lets take a first pass, shall we ? | sed -e s/pass/flame/
# processing lines like this :
# Mar 6 01:42:50 wizzy sshd(pam_unix)[11806]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=205.150.5.36
tail -n 10000 -f /var/log/messages | \
while read LINE
do case $LINE in
    (*\ sshd*\ authentication\ failure*)
        # $LINE is deliberately unquoted: word splitting collapses the
        # double space in "Mar  6" so the four-word prefix below still matches
        echo $LINE | \
        sed -ne "/\([^ ]\{1,\} \)\{4\}sshd[^ ]\{1,\} authentication failure/s:.*rhost=\([^ ]\{1,\}\)\( .*\)\{0,\}:\
echo iptables -A INPUT -p tcp -i eth0 -s \1 --dport 22 --syn -j DROP :p"\
        | sh ;; # feed to sh
    esac
done
Have to take that sed apart :-
"/\([^ ]\{1,\} \)
Look for one word, no spaces, assign to 1
\{4\}
Four of those, please
sshd[^ ]\{1,\} authentication failure/
End of search expression
s:.*rhost=\([^ ]\{1,\}\)\( .*\)\{0,\}:
Pull out the IP address
echo iptables -A INPUT -p tcp -i eth0 -s \1 --dport 22 --syn -j DROP :p
Stick it in where it says \1
Sure I got some of that wrong, but it sounds like you should have done it in Perl!
Cheers, Andy!
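The same log-to-rule step, as an added example that is not part of Andy's or Jesse's post: a small Python script that does the work of the sed expression above, run over a constructed sample of /var/log/messages lines (not a real capture). Two things here are my own additions rather than anything from the thread: a per-host threshold, so a single mistyped password does not earn a DROP rule, and a check that rhost is a literal IP address, since an iptables -s argument that is a hostname triggers a DNS lookup. The regex also allows the two-space day field syslog writes for days 1-9 ("Mar  6"), which is the case the unquoted echo in the shell version is quietly papering over. The rules are rendered as strings and printed, not executed.

```python
import re
import ipaddress
from collections import Counter

# Match the pam_unix sshd failure line from the post.  \s+ after the month
# accepts the "Mar  6" two-space day field as well as "Mar 16".
AUTH_FAIL_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ "   # timestamp and local hostname
    r"sshd\S* authentication failure;"         # sshd(pam_unix)[pid]: ...
    r".* rhost=(?P<rhost>\S+)"                 # the remote host
)


def parse_failure(line):
    """Return the rhost of an sshd authentication-failure line, or None."""
    m = AUTH_FAIL_RE.match(line)
    return m.group("rhost") if m else None


def is_ip(value):
    """True for a literal IPv4/IPv6 address (assumption: we never feed hostnames to iptables -s)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def offenders(lines, threshold=3):
    """Count sshd failures per rhost and return [(rhost, count)] for hosts at or
    over the threshold, in first-seen order.  The threshold is my addition; the
    sed version in the post fires on the first failure."""
    counts = Counter()
    order = []
    for line in lines:
        rhost = parse_failure(line)
        if rhost is None or not is_ip(rhost):
            continue
        if rhost not in counts:
            order.append(rhost)
        counts[rhost] += 1
    return [(h, counts[h]) for h in order if counts[h] >= threshold]


def iptables_rules(hosts, iface="eth0", port=22):
    """Render one DROP rule per host, in the shape used in the post.  Nothing is executed."""
    return [
        "iptables -A INPUT -p tcp -i %s -s %s --dport %d --syn -j DROP" % (iface, h, port)
        for h, _count in hosts
    ]


# Constructed sample log, not a real capture: three failures from one address,
# one from another, an unrelated su failure, a successful login, and an sshd
# failure whose rhost is a hostname (skipped by is_ip).
SAMPLE_LOG = """\
Mar  6 01:42:50 wizzy sshd(pam_unix)[11806]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=205.150.5.36
Mar  6 01:42:52 wizzy sshd(pam_unix)[11806]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=205.150.5.36
Mar  6 01:42:55 wizzy sshd(pam_unix)[11810]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=205.150.5.36 user=root
Mar  6 01:43:01 wizzy sshd(pam_unix)[11812]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.7
Mar  6 01:43:05 wizzy su(pam_unix)[11815]: authentication failure; logname=andy uid=500 euid=0 tty=pts/1 ruser=andy rhost=
Mar  6 01:43:09 wizzy sshd[11820]: Accepted publickey for andy from 192.0.2.8 port 40123 ssh2
Mar  6 01:43:12 wizzy sshd(pam_unix)[11822]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=scanner.example.net
"""

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG.splitlines())):
        print(rule)
```

With the sample above only 205.150.5.36 crosses the default threshold, so exactly one rule is printed; lower the threshold to 1 and 192.0.2.7 is added, while scanner.example.net is never turned into a rule. To wire it into a live system you would replace SAMPLE_LOG with a tail of the real log and pipe the output to sh, as the post does.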