author | Olivier Mehani <shtrom@ssji.net> | 2016-08-16 09:15:40 +0200 |
committer | Olivier Mehani <shtrom@ssji.net> | 2016-08-16 09:15:40 +0200 |
commit | b0dba30103f36b1eae5a83784e3dc61ce387dae2 (patch) | |
tree | 7b8b31706e31b9f35e6396be7c7830cb34c3411e /openbsd | |
parent | f640d669d1ce644d7f5085b5fb8a1f71eb32c797 (diff) |
[denyhost] Block obvious HTTP attacks, and simplify SSH logic
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
Diffstat (limited to 'openbsd')
-rwxr-xr-x | openbsd/denyhost.sh | 36 |
1 files changed, 14 insertions, 22 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index bea320d..f95f119 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -45,7 +45,7 @@ function process_ip
 WHOIS_FILE=`mktemp ${TMP_DIR}/whois.XXXXXX`
 whois $IP > $WHOIS_FILE
 ABUSE=`extract_email $WHOIS_FILE`
-
+
 LOGIN_FILE=`mktemp ${TMP_DIR}/logins.list.XXXXXX`
 grep $IP $AUTHLOG | grep -v "Received disconnect" > $LOGIN_FILE
 LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $LOGIN_FILE | \
@@ -79,7 +79,7 @@ Offending IP: $IP
 Hostnames: $HOSTS
 Abuse addresses: $ABUSE
 Usernames tried: $LOGINS
-
+
 Host and WHOIS information:
 EOF
 cat $HOST_FILE
@@ -123,35 +123,27 @@ function extract_email
 sort | uniq | gsed ':a N;s/\n/, /g; ta'
 }
 
-SSH_INVALID_USERS=`sed -n "s/.*Invalid user .* from //p" $AUTHLOG | sort -u`
-for iu in $SSH_INVALID_USERS; do
- num=`grep $iu $AUTHLOG | grep 'Invalid user' | wc -l`
- if [ $num -gt $NUM_TRIES ]; then
- echo "$iu"
- fi
-done > ${TMP_DIR}/invalid_users.list
+echo -n > {$NEW_BLOCKERS_FILE}
 
-SSH_FAILED_PASSWORD=`grep 'Failed password for' $AUTHLOG | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
-for fp in $SSH_FAILED_PASSWORD; do
- num=`grep $fp $AUTHLOG | grep 'Failed password for' | grep -v 'invalid user' | wc -l`
- if [ $num -gt $NUM_TRIES ]; then
- echo "$fp"
- fi
-done > ${TMP_DIR}/failed_passwords.list
+# HTTP exploiters
+grep etc.passwd /srv/www/logs/access_log | cut -d" " -f 2 | uniq >> ${NEW_BLOCKERS_FILE}
 
-sort -u ${TMP_DIR}/invalid_users.list ${TMP_DIR}/failed_passwords.list -o $NEW_BLOCKERS_FILE
+# SSH exploiters
+sed -En "s/.*(Invalid user|Failed password).*from ([0-9.]+).*/\2/p" ${AUTHLOG} | \
+ sort | uniq -c | \
+ sed "/^ *[1-$NUM_TRIES))] */d;s/.* //" \
+ >> ${NEW_BLOCKERS_FILE}
 
 pfctl -t kiddies -Tshow | sed "s/ //g" | sort -n > ${TMP_DIR}/blockers.list
 for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
 process_ip $IP
-done
+done
 
 # Flush entries older than a week
-pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1
+pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1
 
 # Add new entries
-mv $NEW_BLOCKERS_FILE ${TMP_DIR}/blockers.list
-pfctl -t kiddies -Tadd -f ${TMP_DIR}/blockers.list 1>/dev/null 2>&1
-mv ${TMP_DIR}/blockers.list /etc/blockers.list
+pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1
+mv ${NEW_BLOCKERS_FILE} /etc/blockers.list
 
 rm $PIDFILE
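Review bot: `echo -n > {$NEW_BLOCKERS_FILE}` has the brace on the wrong side of the `$`, so it truncates a stray file literally named `{…}` while `${NEW_BLOCKERS_FILE}` itself is never emptied before the two `>>` appends that follow; the intended line is `: > "${NEW_BLOCKERS_FILE}"`. The threshold filter `sed "/^ *[1-$NUM_TRIES))] */d;s/.* //"` is an unanchored prefix match on the `uniq -c` count: with NUM_TRIES=3 it also deletes counts 10–39 and 100 and up, i.e. the busiest sources, and the bracket expression breaks outright once NUM_TRIES is two digits (the stray `))` looks like a typo). The old `-gt` comparison is preserved by replacing that line and the `>>` continuation with `sort | uniq -c | awk -v n="$NUM_TRIES" '$1 > n { print $2 }' >> "${NEW_BLOCKERS_FILE}"`. In the HTTP branch, field 2 of a common/combined-format access_log is the ident column rather than the client address, so unless this server's log format puts the host second the line appends `-` to the list; whatever the format, passing the extracted tokens through `grep -E '^[0-9]+(\.[0-9]+){3}$'` before they reach `pfctl -Tadd` (whose errors are discarded by `1>/dev/null 2>&1`) keeps non-addresses out of the kiddies table.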