Full Disclosure mailing list archives
FW: SSH Bruteforce blocking script
From: "Michael L Benjamin" <mike.benjamin () clarinet com au>
Date: Mon, 5 Sep 2005 12:24:19 +0800
-----Original Message-----
From: francisco [mailto:frisco () blackant net]
Sent: Sunday, September 04, 2005 01:49 AM
To: Michael L Benjamin
Subject: RE: [Full-disclosure] SSH Bruteforce blocking script

On Fri, 2 Sep 2005, Michael L Benjamin wrote:
It's an idea. Involves calling another process though. I think the shell has enough tools to adequately create a secure temp file if I go about it in the right way. :-)
That's a silly argument since your script already calls other processes that you don't need to, and your mktemp substitute involves calling 3 other processes instead of 1 (I think you might also need to -f too in case someone races you to a symlink or fifo). mktemp is designed to make secure temporary files; it's the right tool for the job. Here are a few cleanups of your script:

    tail -10000 ${LOG_FILE} | grep "Failed password for illegal user" | awk -F"from" '{print $2}' | awk '{print $1}' | uniq > ${TMP_FILE}

Whenever you see an awk following a grep, chances are the grep isn't necessary:

    tail -10000 ${LOG_FILE} | awk -F"from" '/Failed password for illegal user/ {print $2}' | awk '{print $1}' | uniq > ${TMP_FILE}

The two awk's could probably be combined as well, but that's beyond my time limits.

    GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed password for" | wc -l | awk '{print $1}')

The last awk would only be necessary if wc were given a filename. As is, the filename is blank and that awk can be removed:

    GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed password for" | wc -l)

Usually two greps in a row aren't necessary either. The regex could be written a number of ways, here's one:

    GUESS_COUNT=$(grep 'Failed password for .*'"from ${INBOUND_IP}" /var/log/secure | wc -l)

I think you want to pad that ${INBOUND_IP} with a space at the end too, so that someone attacking from 10.0.0.1 doesn't affect everyone else in 10.0.0.1*.

Personally, I have a couple OpenBSD firewalls protecting most of my stuff, and use pf and max-src-conn-rate to limit the number of connections per time period, similar to iptables hashlimit.

The code above was tested on FC3 so there may be some incompatibilities with RHEL3 - I'm not really familiar with RHEL anymore. Also, I just woke up and my eyes are still blurry.

Good luck,
-f
http://www.blackant.net/

---------------------------------------------------------------------------

Thanks for all the suggestions. I'll see what I can do to tighten the code up. You can see I didn't spend too much time trying to get the regex in there, I will do that at some point.

FC3 should be totally portable to RHEL3/4 from a simple scripting perspective like this. RHEL3 runs @(#)PD KSH v5.2.14 99/07/13.2 (if you are at the latest update level) and I expect FC3 is not far behind from a version perspective, so effectively there should be no difference between platforms in this situation.

Cheers,
Mike.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
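The points raised in this exchange (mktemp instead of a hand-rolled temp file, one awk pass instead of grep|awk|awk, and padding the source IP with a trailing space so 10.0.0.1 is not also counted for 10.0.0.10 and 10.0.0.100) as a runnable sketch. This is an added example written for this archive page, not the script from the thread or francisco's cleanups; the log lines are constructed, and the function names (guess_count, naive_guess_count, illegal_user_ips, failed_by_ip, offenders) are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread. Demonstrates the three points
# francisco raises: mktemp for the temp file, a single awk pass instead of
# grep|awk|awk, and anchoring the source IP with a trailing space so that
# 10.0.0.1 does not also count 10.0.0.10 and 10.0.0.100.

# Constructed sshd log lines in /var/log/secure style (invented for this
# example; the host, PIDs and addresses are not real).
SAMPLE_LOG='Sep  4 01:49:01 host sshd[1234]: Failed password for illegal user admin from 10.0.0.1 port 4444 ssh2
Sep  4 01:49:02 host sshd[1235]: Failed password for illegal user test from 10.0.0.10 port 4445 ssh2
Sep  4 01:49:03 host sshd[1236]: Failed password for root from 10.0.0.1 port 4446 ssh2
Sep  4 01:49:04 host sshd[1237]: Accepted password for mike from 10.0.0.1 port 4447 ssh2
Sep  4 01:49:05 host sshd[1238]: Failed password for illegal user guest from 10.0.0.100 port 4448 ssh2
Sep  4 01:49:06 host sshd[1239]: Failed password for illegal user oracle from 10.0.0.1 port 4449 ssh2'

# mktemp creates the file with mode 0600 and an unpredictable name, so a
# local user cannot pre-plant a symlink or fifo at a guessable path. The
# trap removes it however the script exits.
LOG_FILE=$(mktemp /tmp/sshguess.XXXXXX) || exit 1
trap 'rm -f "$LOG_FILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$LOG_FILE"

# Failed attempts from one source IP. The dots are escaped so they match
# literally, and the trailing space after the IP stops 10.0.0.1 from also
# matching 10.0.0.10 and 10.0.0.100.
guess_count() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c "Failed password for .*from ${ip_re} " "$1" || true
}

# The unanchored form from the thread, kept for comparison: it over-counts.
naive_guess_count() {
    grep -c "Failed password for .*from $2" "$1" || true
}

# Source IPs seen in "illegal user" failures: the grep|awk|awk|uniq pipeline
# collapsed into one awk pass. Note sort -u rather than bare uniq: uniq only
# merges adjacent duplicates, and the same IP recurs throughout a log.
illegal_user_ips() {
    awk '/Failed password for illegal user/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort -u
}

# Per-IP failure counts ("count ip", highest first) from a single pass.
failed_by_ip() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs at or above a failure threshold: what a blocking script would hand
# to its firewall rule instead of blocking on a single grep hit.
offenders() {
    failed_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

echo "naive count for 10.0.0.1:    $(naive_guess_count "$LOG_FILE" 10.0.0.1)"
echo "anchored count for 10.0.0.1: $(guess_count "$LOG_FILE" 10.0.0.1)"
echo "illegal-user sources:"; illegal_user_ips "$LOG_FILE"
echo "offenders at threshold 2:"; offenders "$LOG_FILE" 2
```

On the constructed input the naive pattern reports 5 failures for 10.0.0.1 while the anchored one reports 3; the difference is exactly the two lines from 10.0.0.10 and 10.0.0.100. The awk loops locate the word "from" by field rather than by a fixed column, which also copes with the "illegal user" prefix being present or absent.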