Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

FW: SSH Bruteforce blocking script

From: "Michael L Benjamin" <mike.benjamin () clarinet com au>
Date: Mon, 5 Sep 2005 12:24:19 +0800
 



-----Original Message-----
From: francisco [mailto:frisco () blackant net]
Sent: Sunday, September 04, 2005 01:49 AM
To: Michael L Benjamin
Subject: RE: [Full-disclosure] SSH Bruteforce blocking script

On Fri, 2 Sep 2005, Michael L Benjamin wrote:



It's an idea.

Involves calling another process though. I think the shell has enough 
tools to adequately create a secure temp file if I go about it in the 
right way. :-)


That's a silly argument since your script already calls other proceses
that you don't need to, and your mktemp substitute involves calling 3
other processes instead of 1 (i think you might also need to -f too in
case someone races you to a symlink or fifo).  mktemp is designed to
make secure temporary files; it's the right tool for the job.


Here are a few cleanups of your script:



tail -10000 ${LOG_FILE} | grep "Failed password for illegal user" | 
awk -F"from" {'print $2'} | awk {'print $1'} | uniq > ${TMP_FILE}


Whenever you see an awk following a grep, chances are the grep isn't
necessary:

tail -10000 ${LOG_FILE} |
awk -F"from" /Failed password for illegal user/{'print $2'} | awk
{'print $1'}| uniq > ${TMP_FILE}

The two awk's could probably be combined as well, but that's beyond my
time limits.



GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed



password for" | wc -l | awk {'print $1'})


The last awk would only be necessary if wc were given a filename.  As
is, the filename is blank and that awk can be removed:

GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed
password for" | wc -l)

Usually two greps in a row aren't necessary either.  The regex could be
written a number of ways, here's one:

GUESS_COUNT=$(grep 'Failed password for .*'"from ${INBOUND_IP}" 
/var/log/secure | wc -l)

I think you want to pad that ${INBOUND_IP} with a space at the end too,
so that someone attacking from 10.0.0.1 doesn't affect everyone else in
10.0.0.1*.


Personally, i have a couple OpenBSD firewalls protecting most of my
stuff, and use pf and max-src-conn-rate to limit the number of
connections per time period, similar to iptables hashlimit.


The code above was tested on FC3 so there may be some incompatibilities
with RHEL3 - i'm not really familiar with RHEL anymore.  Also, i just
woke up and my eyes are still blurry.

Good luck,

-f
http://www.blackant.net/



------------------------------------------------------------------------
---

Thanks for all the suggestions. I'll see what I can do to tighten the
code up. You can see I didn't spend too much time trying to get the
regex in there, I will do that at some point.

FC3 should be totally portable to RHEL3/4 from a simple scripting
perspective like this.

RHEL3 Runs @(#)PD KSH v5.2.14 99/07/13.2 (if you are at the latest
update level) and I expect FC3 is not far behind from a version
perspective, so effectively there should be no difference between
platforms in this situation.

Cheers, Mike.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: