authorOlivier Mehani <shtrom@ssji.net>2016-08-16 09:15:40 +0200
committerOlivier Mehani <shtrom@ssji.net>2016-08-16 09:15:40 +0200
commitb0dba30103f36b1eae5a83784e3dc61ce387dae2 (patch)
tree7b8b31706e31b9f35e6396be7c7830cb34c3411e
parentf640d669d1ce644d7f5085b5fb8a1f71eb32c797 (diff)
[denyhost] Block obvious HTTP attacks, and simplify SSH logic
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
-rwxr-xr-xopenbsd/denyhost.sh36
1 files changed, 14 insertions, 22 deletions
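--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -45,7 +45,7 @@ function process_ip
 WHOIS_FILE=`mktemp ${TMP_DIR}/whois.XXXXXX`
 whois $IP > $WHOIS_FILE
 ABUSE=`extract_email $WHOIS_FILE`
-
+
 LOGIN_FILE=`mktemp ${TMP_DIR}/logins.list.XXXXXX`
 grep $IP $AUTHLOG | grep -v "Received disconnect" > $LOGIN_FILE
 LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $LOGIN_FILE | \
@@ -79,7 +79,7 @@ Offending IP: $IP
 Hostnames: $HOSTS
 Abuse addresses: $ABUSE
 Usernames tried: $LOGINS
-
+
 Host and WHOIS information:
 EOF
 cat $HOST_FILE
@@ -123,35 +123,27 @@ function extract_email
 sort | uniq | gsed ':a N;s/\n/, /g; ta'
 }
-SSH_INVALID_USERS=`sed -n "s/.*Invalid user .* from //p" $AUTHLOG | sort -u`
-for iu in $SSH_INVALID_USERS; do
- num=`grep $iu $AUTHLOG | grep 'Invalid user' | wc -l`
- if [ $num -gt $NUM_TRIES ]; then
- echo "$iu"
- fi
-done > ${TMP_DIR}/invalid_users.list
+echo -n > {$NEW_BLOCKERS_FILE}
-SSH_FAILED_PASSWORD=`grep 'Failed password for' $AUTHLOG | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
-for fp in $SSH_FAILED_PASSWORD; do
- num=`grep $fp $AUTHLOG | grep 'Failed password for' | grep -v 'invalid user' | wc -l`
- if [ $num -gt $NUM_TRIES ]; then
- echo "$fp"
- fi
-done > ${TMP_DIR}/failed_passwords.list
+# HTTP exploiters
+grep etc.passwd /srv/www/logs/access_log | cut -d" " -f 2 | uniq >> ${NEW_BLOCKERS_FILE}
-sort -u ${TMP_DIR}/invalid_users.list ${TMP_DIR}/failed_passwords.list -o $NEW_BLOCKERS_FILE
+# SSH exploiters
+sed -En "s/.*(Invalid user|Failed password).*from ([0-9.]+).*/\2/p" ${AUTHLOG} | \
+ sort | uniq -c | \
+ sed "/^ *[1-$NUM_TRIES))] */d;s/.* //" \
+ >> ${NEW_BLOCKERS_FILE}
 pfctl -t kiddies -Tshow | sed "s/ //g" | sort -n > ${TMP_DIR}/blockers.list
 for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
 process_ip $IP
-done
+done
 # Flush entries older than a week
-pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1
+pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1
 # Add new entries
-mv $NEW_BLOCKERS_FILE ${TMP_DIR}/blockers.list
-pfctl -t kiddies -Tadd -f ${TMP_DIR}/blockers.list 1>/dev/null 2>&1
-mv ${TMP_DIR}/blockers.list /etc/blockers.list
+pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1
+mv ${NEW_BLOCKERS_FILE} /etc/blockers.list
 rm $PIDFILE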
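Review bot: The threshold filter in the SSH branch, `sed "/^ *[1-$NUM_TRIES))] */d;s/.* //"`, is not anchored after the count digit, so with NUM_TRIES=5 a `uniq -c` line such as `     12 <ip>` (constructed example) also matches `^ *[1-5] *` with zero trailing spaces and is deleted although 12 exceeds the threshold, and the bracket expression (which also carries a stray `))`) stops meaning a digit range once NUM_TRIES reaches 10; `awk -v n="$NUM_TRIES" '$1 > n { print $2 }'` in place of that sed stage keeps the strictly-greater-than rule the removed loops had, for any count width. On the `echo -n > {$NEW_BLOCKERS_FILE}` line the braces are outside the `$`, so the command truncates a file literally named `{…}` instead of NEW_BLOCKERS_FILE, and the two `>>` stages then append to whatever that file already held; `: > "${NEW_BLOCKERS_FILE}"` is what was meant. With the old `sort -u` merge gone, the HTTP `uniq` (adjacent duplicates only) and the SSH list can leave the same address in NEW_BLOCKERS_FILE more than once, so the `for IP in` loop may run process_ip — and its whois/abuse mail — repeatedly for one address; a `sort -u` before the loop restores the previous behaviour. Whether field 2 of access_log is the client address depends on the httpd log format, which is not visible here and is worth a comment above the `grep etc.passwd` line.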