authorshtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2009-05-18 13:45:38 +0000
committershtrom <shtrom@1991c358-8f32-0410-a49a-990740bdf4c2>2009-05-18 13:45:38 +0000
commitf0ca57582c64ccecf8731cbf6357c7f68b644ae9 (patch)
tree621e91a9246715619abf10e065e20e004050cabe /openbsd
parentb583bc381fa2ffb81ce3944fee27f5d3712307f3 (diff)
[OpenBSD scripts] More detailed email report.
git-svn-id: svn+ssh://scm.narf.ssji.net/svn/shtrom/scripts@539 1991c358-8f32-0410-a49a-990740bdf4c2
Diffstat (limited to 'openbsd')
-rwxr-xr-xopenbsd/denyhost.sh56
1 files changed, 39 insertions, 17 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index 189fa0f..064b116 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -6,42 +6,64 @@
#
AUTHLOG=/var/log/authlog
NUM_TRIES=3
-NEW_FILE=`mktemp /var/tmp/blockers.list.XXXXXX`
+TMP_DIR=/var/tmp
+NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/blockers.list.XXXXXX`
+DEST_ADDR=root@distant-sun.narf.ssji.net
SSH_INVALID_USERS=`grep 'Invalid user' $AUTHLOG | awk '{ print $10 }' | sort -u`
for iu in $SSH_INVALID_USERS; do
num=`grep $iu $AUTHLOG | grep 'Invalid user' | wc -l`
if [ $num -gt $NUM_TRIES ]; then
- echo "$iu" >> /var/tmp/invalid_users.list
+ echo "$iu" >> ${TMP_DIR}/invalid_users.list
fi
done
-cat /var/tmp/invalid_users.list | sort -u > /var/tmp/invalid_users.list
+cat ${TMP_DIR}/invalid_users.list | sort -u > ${TMP_DIR}/invalid_users.list
SSH_FAILED_PASSWORD=`grep 'Failed password for' $AUTHLOG | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
for fp in $SSH_FAILED_PASSWORD; do
num=`grep $fp $AUTHLOG | grep 'Failed password for' | grep -v 'invalid user' | wc -l`
if [ $num -gt $NUM_TRIES ]; then
- echo "$fp" >> /var/tmp/failed_passwords.list
+ echo "$fp" >> ${TMP_DIR}/failed_passwords.list
fi
done
-cat /var/tmp/failed_passwords.list | sort -u > /var/tmp/failed_passwords.list
+cat ${TMP_DIR}/failed_passwords.list | sort -u > ${TMP_DIR}/failed_passwords.list
-cat /var/tmp/invalid_users.list /var/tmp/failed_passwords.list | sort -u > $NEW_FILE
+cat ${TMP_DIR}/invalid_users.list ${TMP_DIR}/failed_passwords.list | sort -u > $NEW_BLOCKERS_FILE
-pfctl -t kiddies -vTshow | grep -v Cleared | sed "s/ //g" | sort -n > /var/tmp/blockers.list
-for IP in `grep -v -f /var/tmp/blockers.list $NEW_FILE`; do
- echo "New offending IP: $IP"
- echo "Host and WHOIS information"
- host $IP
- whois $IP
- echo "Incriminated logs:"
- grep $IP $AUTHLOG | grep -v "Received disconnect"
- echo
+pfctl -t kiddies -vTshow | grep -v Cleared | sed "s/ //g" | sort -n > ${TMP_DIR}/blockers.list
+for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
+ HOST_FILE=`mktemp ${TMP_DIR}/host.XXXXXX`
+ host $IP > $HOST_FILE
+ HOSTS=`gsed -n "s/.*\(:\|domain name pointer\) \(.\+\)/\2/p" $HOST_FILE | \
+ gsed ':a N;s/\n/, /g; ta'`
+
+ WHOIS_FILE=`mktemp ${TMP_DIR}/whois.XXXXXX`
+ whois $IP > $WHOIS_FILE
+ ABUSE=`grep -v changed $WHOIS_FILE | gsed -n "s/.* \([-+\._A-Za-z0-9]\+@\([-A-Za-z0-9]\+\.\)\+[A-Za-z]\+\).*/\1/p" | \
+ sort | uniq | gsed ':a N;s/\n/, /g; ta'`
+
+ LOGIN_FILE=`mktemp ${TMP_DIR}/logins.list.XXXXXX`
+ grep $IP $AUTHLOG | grep -v "Received disconnect" > $LOGIN_FILE
+ LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $LOGIN_FILE | \
+ sort | uniq | gsed ':a N;s/\n/, /g; ta'`
+ (
+ echo "New offending IP: $IP"
+ echo "Hostnames: $HOSTS"
+ echo "Abuse addresses: $ABUSE"
+ echo "Usernames tried: $LOGINS"
+ echo
+ echo "Host and WHOIS information:"
+ cat $HOST_FILE
+ cat $WHOIS_FILE
+ echo "Incriminating logs:"
+ cat $LOGIN_FILE
+ ) | mail -s "Host ${HOST:-$IP} is compromized" $DEST_ADDR
+ rm -f $HOST_FILE $WHOIS_FILE $LOGIN_FILE
done
-mv $NEW_FILE /var/tmp/blockers.list
-pfctl -t kiddies -vTadd -f /var/tmp/blockers.list 2>&1 1>/dev/null | grep -v "^0" || true
+mv $NEW_BLOCKERS_FILE ${TMP_DIR}/blockers.list
+(pfctl -t kiddies -vTadd -f ${TMP_DIR}/blockers.list 2>&1 1>/dev/null | grep -v "^0" || true) > /dev/null
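Review bot: The mail subject at the end of the loop expands `${HOST:-$IP}`, but the hunk only ever assigns `HOSTS` (from the `host` output earlier in the loop), so `HOST` is either unset — the subject always falls back to the bare IP — or, if the calling environment happens to export `HOST`, the subject silently names the local machine instead of the offender. The intended line is presumably `) | mail -s "Host ${HOSTS:-$IP} is compromized" $DEST_ADDR`. The values handed to `host`, `whois` and `grep` are taken from log fields that remote clients influence, so `$IP` should at least be quoted (`host "$IP"`, `grep -- "$IP" $AUTHLOG`) and ideally matched against an address pattern before it reaches those commands. The new summary lines also depend on `gsed` without checking for it; a `command -v gsed >/dev/null || exit 1` near the top of the script would fail clearly instead of mailing an empty report.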