authorshtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2009-08-14 08:43:13 +0000
committershtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2009-08-14 08:43:13 +0000
commit43d3b47b28d02c1640e87966b5cff21b2616eb5e (patch)
tree3a5a9c007d58ee63248e5c6f0ddb2c915536fcc3 /openbsd
parent188d25570bc6502b4db41a11be231059594aa0f9 (diff)
[OpenBSD scripts] Support for whitelist and direct email sending in denyhost.sh.
git-svn-id: svn+ssh://scm.narf.ssji.net/svn/shtrom/scripts@622 1991c358-8f32-0410-a49a-990740bdf4c2
Diffstat (limited to 'openbsd')
-rwxr-xr-xopenbsd/denyhost.sh49
1 files changed, 45 insertions, 4 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index 3f5cd83..8103d7c 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -2,7 +2,16 @@
# $Id$
# Script to trawl logs for nastiness and log bad IP addresses
# From http://netnix.blogspot.com/2005/06/openbsd-ssh-protection.html
-# Logging features by Olivier Mehani <shtrom-openbsd@ssji.net>
+# Warning and whitelist features by Olivier Mehani <shtrom-openbsd@ssji.net>
+#
+# Minimal pf.conf file:
+# table <whitelist> persist
+# table <kiddies> persist
+# pass in quick on $ext_if from <whitelist>
+# block in quick on $ext_if from <kiddies>
+#
+# Remember to manually populate your <whitelist> table:
+# # pfctl -vT whitelist -t add ADDRESS
#
PATH=/usr/local/bin:$PATH
AUTHLOG=/var/log/authlog
@@ -51,8 +60,39 @@ for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
grep $IP $AUTHLOG | grep -v "Received disconnect" > $LOGIN_FILE
LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $LOGIN_FILE | \
sort | uniq | gsed ':a N;s/\n/, /g; ta'`
- (
- echo "New offending IP: $IP"
+ if [ ! -z "$ABUSE" ]; then
+ (
+cat << EOF
+Greetings,
+
+[ This is an automated email, please report any problem to
+<shtrom-admin@ssji.net> ]
+
+Unauthorized login attempts have recently been observed from an IP address
+in one of your administrative ranges ($IP), as identified by WHOIS
+information.
+
+Please find below reports from the blocking system, including logs of
+connection attempts at the bottom.
+
+Could you please take this machine down for cleanup, or forward this
+message to its administrator in charge.
+
+Offending IP: $IP
+Hostnames: $HOSTS
+Abuse addresses: $ABUSE
+Usernames tried: $LOGINS
+
+Host and WHOIS information:
+EOF
+ cat $HOST_FILE
+ cat $WHOIS_FILE
+ echo "Incriminating logs:"
+ cat $LOGIN_FILE
+ ) | mail -c $DEST_ADDR -s "Host $IP is compromized" $ABUSE
+ else
+ (
+ echo "Offending IP: $IP"
echo "Hostnames: $HOSTS"
echo "Abuse addresses: $ABUSE"
echo "Usernames tried: $LOGINS"
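Review bot: The `) | mail -c $DEST_ADDR -s "Host $IP is compromized" $ABUSE` line closing the new branch passes the recipient list unquoted and without `--`, so any token in `$ABUSE` that starts with a dash is parsed by mail(1) as an option, and the only gate before the script sends the authlog excerpt to an outside party is `[ ! -z "$ABUSE" ]`; the assignment of ABUSE is outside this hunk, and I am inferring from the message body that it comes from the WHOIS lookup. A cheap guard is to drop anything that does not look like a list of addresses, e.g. `case "$ABUSE" in *[![:alnum:]@._+[:space:]-]*) ABUSE= ;; esac` before the `if`, and to end option parsing with `-- $ABUSE` (left unquoted only if the variable is meant to hold several space-separated addresses, which this hunk does not show). The subject string "compromized" in this line and in the `(admin unknown)` subject of the next hunk is misspelled; "compromised" is the intended word. The enclosing for loop starts before this hunk.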
@@ -62,7 +102,8 @@ for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
cat $WHOIS_FILE
echo "Incriminating logs:"
cat $LOGIN_FILE
- ) | mail -s "Host $IP is compromized" $DEST_ADDR
+ ) | mail -s "Host $IP (admin unknown) is compromized" $DEST_ADDR
+ fi
rm -f $HOST_FILE $WHOIS_FILE $LOGIN_FILE
done