

authorshtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2009-03-16 12:07:45 +0000
committershtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2009-03-16 12:07:45 +0000
commiteca5c42ca11bd5a2ffd5e224dba05b2d5f0be3c0 (patch)
tree642cf76e5dfd078cbe404960938336023602b2ff /openbsd
parentf2083022dc9d1a769acd134253fb7769d208168a (diff)
[OpenBSD scripts] Imported modified DenyHosts scripts with logging features.
git-svn-id: svn+ssh://scm.narf.ssji.net/svn/shtrom/scripts@497 1991c358-8f32-0410-a49a-990740bdf4c2
Diffstat (limited to 'openbsd')
-rwxr-xr-xopenbsd/denyhost.sh46
1 files changed, 46 insertions, 0 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
new file mode 100755
index 0000000..8e5ad05
--- /dev/null
+++ b/openbsd/denyhost.sh
@@ -0,0 +1,46 @@
+#!/bin/ksh
+# $Id$
+# Script to trawl logs for nastiness and log bad IP addresses
+# From http://netnix.blogspot.com/2005/06/openbsd-ssh-protection.html
+# Logging features by Olivier Mehanio <shtrom-openbsd@ssji.net>
+#
+AUTHLOG=/var/log/authlog
+NUM_TRIES=3
+NEW_FILE=`mktemp /var/tmp/blockers.list.XXXXXX`
+
+SSH_INVALID_USERS=`grep 'Invalid user' $AUTHLOG | awk '{ print $10 }' | sort -u`
+
+for iu in $SSH_INVALID_USERS; do
+ num=`grep $iu $AUTHLOG | grep 'Invalid user' | wc -l`
+ if [ $num -gt $NUM_TRIES ]; then
+ echo "$iu" >> /var/tmp/invalid_users.list
+ fi
+done
+
+cat /var/tmp/invalid_users.list | sort -u > /var/tmp/invalid_users.list
+
+SSH_FAILED_PASSWORD=`grep 'Failed password for' $AUTHLOG | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
+
+for fp in $SSH_FAILED_PASSWORD; do
+ num=`grep $fp $AUTHLOG | grep 'Failed password for' | grep -v 'invalid user' | wc -l`
+ if [ $num -gt $NUM_TRIES ]; then
+ echo "$fp" >> /var/tmp/failed_passwords.list
+ fi
+done
+
+cat /var/tmp/failed_passwords.list | sort -u > /var/tmp/failed_passwords.list
+
+cat /var/tmp/invalid_users.list /var/tmp/failed_passwords.list | sort -u > $NEW_FILE
+
+for IP in `grep -v -F /var/tmp/blockers.list $NEW_FILE`; do
+ echo "New offending IP: $IP"
+ echo "Host and WHOIS information"
+ host $IP
+ whois $IP
+ echo "Incriminated logs:"
+ grep $IP $AUTHLOG
+ echo
+done
+
+mv $NEW_FILE /var/tmp/blockers.list
+pfctl -t kiddies -vTadd -f /var/tmp/blockers.list > /dev/null
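Review bot: The "new offender" filter on the `for IP in` line uses `grep -v -F /var/tmp/blockers.list $NEW_FILE`, but `-F` takes no argument, so `/var/tmp/blockers.list` is treated as the literal pattern and every address in `$NEW_FILE` that does not contain that string — i.e. all of them — is reported as new and sent to `host`/`whois` on every run; the intended flag is `-f`, as in `grep -v -F -x -f /var/tmp/blockers.list -- "$NEW_FILE"` (with `-x` so a shorter address is not suppressed by a longer one that contains it). The same substring problem inflates the per-address counts: `grep $iu $AUTHLOG | grep 'Invalid user' | wc -l` matches `10.0.0.1` inside `10.0.0.10`..`10.0.0.19` and treats the dots as regex wildcards, so an address can cross `NUM_TRIES` on other hosts' failures and be added to the `kiddies` table; `grep -c -F -w -- "$iu"` (and likewise for `$fp` and the `grep $IP $AUTHLOG` report) counts only exact-token hits. The `cat file | sort -u > file` lines also truncate the list files before `cat` has read them, so the accumulated state is liable to be wiped each run; sort into `$NEW_FILE`-style temporaries and `mv` over the originals instead.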