authorshtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2010-06-27 09:15:49 +0000
committershtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2010-06-27 09:15:49 +0000
commit6b66bdbcc1c2f178e1bb3a9ec0729c37979cd9b2 (patch)
tree28defb6077ab8aaa081cdc14f86b2b6fcde745c6 /openbsd
parentb243b4a37a499e7fd90e117ff165f28fc1946ada (diff)
[OpenBSD-DenyHosts] Reverted to sh and use some functions.
git-svn-id: svn+ssh://scm.narf.ssji.net/svn/shtrom/scripts@808 1991c358-8f32-0410-a49a-990740bdf4c2
Diffstat (limited to 'openbsd')
-rwxr-xr-xopenbsd/denyhost.sh73
1 files changed, 43 insertions, 30 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index 8103d7c..09d1586 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -1,4 +1,4 @@
-#!/bin/ksh
+#!/bin/sh
# $Id$
# Script to trawl logs for nastiness and log bad IP addresses
# From http://netnix.blogspot.com/2005/06/openbsd-ssh-protection.html
@@ -20,26 +20,11 @@ TMP_DIR=/var/tmp
NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/blockers.list.XXXXXX`
DEST_ADDR=root@distant-sun.narf.ssji.net
-SSH_INVALID_USERS=`sed -n "s/.*Invalid user .* from //p" $AUTHLOG | sort -u`
-for iu in $SSH_INVALID_USERS; do
- num=`grep $iu $AUTHLOG | grep 'Invalid user' | wc -l`
- if [ $num -gt $NUM_TRIES ]; then
- echo "$iu"
- fi
-done > ${TMP_DIR}/invalid_users.list
-
-SSH_FAILED_PASSWORD=`grep 'Failed password for' $AUTHLOG | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
-for fp in $SSH_FAILED_PASSWORD; do
- num=`grep $fp $AUTHLOG | grep 'Failed password for' | grep -v 'invalid user' | wc -l`
- if [ $num -gt $NUM_TRIES ]; then
- echo "$fp"
- fi
-done > ${TMP_DIR}/failed_passwords.list
-
-sort -u ${TMP_DIR}/invalid_users.list ${TMP_DIR}/failed_passwords.list -o $NEW_BLOCKERS_FILE
+#MAIL=mail
+MAIL=cat
-pfctl -t kiddies -vTshow | grep -v Cleared | sed "s/ //g" | sort -n > ${TMP_DIR}/blockers.list
-for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
+function process_ip
+{
HOST_FILE=`mktemp ${TMP_DIR}/host.XXXXXX`
host $IP > $HOST_FILE
HOSTS=`gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" $HOST_FILE | \
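Review bot: `function process_ip` (L54) relies on the ksh/bash `function` keyword while the same commit switches the shebang to `#!/bin/sh`; OpenBSD's /bin/sh is a ksh so this presumably still runs, but the POSIX form that matches the commit's stated intent is `process_ip() {`, and the same applies to `function extract_email()` at L92 in the last hunk. The function also never reads the argument the caller passes at L124 (`process_ip $IP`) and instead depends on the caller's global `$IP`, so an `IP=$1` as its first statement would make the body self-contained and let it be tested on its own. The return of `mktemp` at L56 is not checked either, so a failure leaves `host` redirecting to `$TMP_DIR/` ... a `HOST_FILE=\`mktemp ${TMP_DIR}/host.XXXXXX\` || return 1` would stop the rest of the body from running against an empty path. process_ip's body continues past the end of this hunk.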
@@ -47,14 +32,7 @@ for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
WHOIS_FILE=`mktemp ${TMP_DIR}/whois.XXXXXX`
whois $IP > $WHOIS_FILE
- ABUSE=`grep -v changed $WHOIS_FILE | gsed -n "s/.*[^-+\._A-Za-z0-9]\([-+\._A-Za-z0-9]\+@\([-A-Za-z0-9]\+\.\)\+[A-Za-z]\+\).*/\1/p" | \
- gsed "/whois-contact@lacnic.net/d; \
- /mail-abuse@cert.br/d; \
- /cert@cert.br/d; \
- /search-apnic-not-arin@apnic.net/d; \
- /hostmaster@nic.ad.jp/d; \
- /search-ripe-ncc-not-arin@ripe.net/d" | \
- sort | uniq | gsed ':a N;s/\n/, /g; ta'`
+ ABUSE=`extract_email $WHOIS_FILE`
LOGIN_FILE=`mktemp ${TMP_DIR}/logins.list.XXXXXX`
grep $IP $AUTHLOG | grep -v "Received disconnect" > $LOGIN_FILE
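Review bot: `grep $IP $AUTHLOG` (L72) treats the dotted address as an unanchored regular expression, so the "Incriminating logs" forwarded to the abuse contact can include lines for unrelated hosts (each dot matches any character, and a constructed example such as 10.0.0.1 also matches inside 110.0.0.12); `grep -F -w -- "$IP" $AUTHLOG` keeps only the literal address as a whole word. The same pattern counts attempts in the last hunk at L106 (`grep $iu $AUTHLOG`) and L114 (`grep $fp $AUTHLOG`), where the over-match inflates the per-address total compared against NUM_TRIES and can block a host that never crossed the threshold. process_ip's body starts and ends outside this hunk.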
@@ -89,7 +67,7 @@ EOF
cat $WHOIS_FILE
echo "Incriminating logs:"
cat $LOGIN_FILE
- ) | mail -c $DEST_ADDR -s "Host $IP is compromized" $ABUSE
+ ) | $MAIL -c $DEST_ADDR -s "Host $IP is compromized" $ABUSE
else
(
echo "Offending IP: $IP"
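Review bot: With `MAIL=cat` left active at L51 in the earlier hunk, `$MAIL -c $DEST_ADDR -s "Host $IP is compromized" $ABUSE` (L78) and the `$MAIL -s ... $DEST_ADDR` form at L87 invoke cat with options it does not accept, so cat exits with a usage error without reading the report, and the output is neither shown locally nor mailed. If the toggle is meant as a debugging stub it should swallow mail's arguments, e.g. `debug_mail() { printf 'mail %s\n' "$*"; cat; }` with `MAIL=debug_mail`; if the revision is meant to ship with mailing disabled, a comment saying so next to L51 would help, since nothing on the page states which is intended. The `if`/`else` this pipeline belongs to starts outside the hunk.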
@@ -102,9 +80,44 @@ EOF
cat $WHOIS_FILE
echo "Incriminating logs:"
cat $LOGIN_FILE
- ) | mail -s "Host $IP (admin unknown) is compromized" $DEST_ADDR
+ ) | $MAIL -s "Host $IP (admin unknown) is compromized" $DEST_ADDR
fi
rm -f $HOST_FILE $WHOIS_FILE $LOGIN_FILE
+}
+
+function extract_email()
+{
+ grep -v changed $1 | gsed -n "s/.*[^-+\._A-Za-z0-9]\([-+\._A-Za-z0-9]\+@\([-A-Za-z0-9]\+\.\)\+[A-Za-z]\+\).*/\1/p" | \
+ gsed "/whois-contact@lacnic.net/d; \
+ /mail-abuse@cert.br/d; \
+ /cert@cert.br/d; \
+ /search-apnic-not-arin@apnic.net/d; \
+ /hostmaster@nic.ad.jp/d; \
+ /search-ripe-ncc-not-arin@ripe.net/d" | \
+ sort | uniq | gsed ':a N;s/\n/, /g; ta'
+}
+
+SSH_INVALID_USERS=`sed -n "s/.*Invalid user .* from //p" $AUTHLOG | sort -u`
+for iu in $SSH_INVALID_USERS; do
+ num=`grep $iu $AUTHLOG | grep 'Invalid user' | wc -l`
+ if [ $num -gt $NUM_TRIES ]; then
+ echo "$iu"
+ fi
+done > ${TMP_DIR}/invalid_users.list
+
+SSH_FAILED_PASSWORD=`grep 'Failed password for' $AUTHLOG | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
+for fp in $SSH_FAILED_PASSWORD; do
+ num=`grep $fp $AUTHLOG | grep 'Failed password for' | grep -v 'invalid user' | wc -l`
+ if [ $num -gt $NUM_TRIES ]; then
+ echo "$fp"
+ fi
+done > ${TMP_DIR}/failed_passwords.list
+
+sort -u ${TMP_DIR}/invalid_users.list ${TMP_DIR}/failed_passwords.list -o $NEW_BLOCKERS_FILE
+
+pfctl -t kiddies -vTshow | grep -v Cleared | sed "s/ //g" | sort -n > ${TMP_DIR}/blockers.list
+for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
+ process_ip $IP
done
# Flush entries older than a week
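Review bot: The redirections at L110, L118 and L122 write to fixed names (`${TMP_DIR}/invalid_users.list`, `failed_passwords.list`, `blockers.list`) under the shared /var/tmp shown in the hunk header, while the script must run with enough privilege to call pfctl; a local user who pre-creates one of those paths as a symlink can have the privileged redirection follow it, and a pre-seeded blockers.list is read as the `grep -v -f` exclusion list at L123, which would suppress blocking for any address it contains. NEW_BLOCKERS_FILE already uses `mktemp` at L31, so the consistent fix is to create these three the same way, e.g. `INVALID_FILE=\`mktemp ${TMP_DIR}/invalid_users.XXXXXX\`` and the matching names for the other two, and remove them alongside `$NEW_BLOCKERS_FILE` before the final flush. The attacker-facing comparison `[ $num -gt $NUM_TRIES ]` at L107 and L115 also depends on `wc -l` output, which is fine here, but the unquoted `$iu`/`$fp` loop variables should be `"$iu"`/`"$fp"` so a malformed log line cannot split into extra grep arguments.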