authorOlivier Mehani <shtrom@ssji.net>2016-08-16 21:20:43 +1000
committerOlivier Mehani <shtrom@ssji.net>2016-08-16 21:20:43 +1000
commitfc93de888539ecc86b0e674bbf588489ae5d1c8b (patch)
tree7e297a0febbd43d68e0c7bd7b65756bb7e7e534f /openbsd
parent26cdd9d53cd99573862d8d14f26cc2cf99d1aabd (diff)
[denyhosts] Refactor a good'un
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
Diffstat (limited to 'openbsd')
-rwxr-xr-xopenbsd/denyhost.sh99
1 files changed, 58 insertions, 41 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh
index 8c757f7..5d0385b 100755
--- a/openbsd/denyhost.sh
+++ b/openbsd/denyhost.sh
@@ -1,5 +1,4 @@
#!/bin/sh
-# $Id$
# Script to trawl logs for nastiness and log bad IP addresses
# From http://netnix.blogspot.com/2005/06/openbsd-ssh-protection.html
# Warning and whitelist features by Olivier Mehani <shtrom-openbsd@ssji.net>
@@ -17,12 +16,21 @@
# or by creating file /etc/whitelist (adding it to /etc/changelist may
# also be a good idea)
#
-PATH=/usr/local/bin:$PATH
-AUTHLOG=/var/log/authlog
-NUM_TRIES=3
+
+LOCAL_ADDR=root@`hostname`
+HTTP_LOG=/srv/www/log/access_log
+HTTP_PATTERN="etc.passwd"
+SSH_LOG=/var/log/authlog
+SSH_PATTERN=".*(Invalid user|Failed password).*from ([0-9.]+).*"
+AUTHTRIES=3 # single digit
+BLOCKERS_FILE=/etc/blockers.list
TMP_DIR=/var/tmp
+
+PATH=/usr/local/bin:$PATH
+
NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/blockers.list.XXXXXX`
-DEST_ADDR=root@`hostname`
+HTTP_FILTERED_LOG=`mktemp ${TMP_DIR}/http.log.XXXXXX`
+SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/ssh.log.XXXXXX`
PIDFILE=/var/run/denyhost.sh.pid
MAIL=mail
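Review bot: The three temporary files created by mktemp at L49-L52 exist from the first lines of the script onward, yet they are only deleted by the plain `rm` in the last hunk on the normal completion path, so any earlier exit (a PIDFILE collision check, if one follows as the PIDFILE variable suggests, or a failing command) leaves copies of log excerpts behind in /var/tmp. Registering the cleanup where the files are made, `trap 'rm -f -- "$NEW_BLOCKERS_FILE" "$HTTP_FILTERED_LOG" "$SSH_FILTERED_LOG"' EXIT`, covers every exit path and makes the final `rm` redundant. The constraint on `AUTHTRIES=3 # single digit` would be easier to maintain if the comment said why: `# single digit: interpolated into the sed bracket expression [1-$AUTHTRIES] below`. Likewise a short note that `SSH_PATTERN` is an ERE consumed by `sed -E` (group 2 must stay the address) and that `HTTP_PATTERN` is a grep BRE would save the next editor from breaking the back-reference.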
@@ -46,10 +54,14 @@ function process_ip
whois $IP > $WHOIS_FILE
ABUSE=`extract_email $WHOIS_FILE`
- LOGIN_FILE=`mktemp ${TMP_DIR}/logins.list.XXXXXX`
- grep $IP $AUTHLOG | grep -v "Received disconnect" > $LOGIN_FILE
- LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $LOGIN_FILE | \
+ HTTP_HOST_LOG=`mktemp ${TMP_DIR}/host_http.log.XXXXXX`
+ grep $IP $HTTP_FILTERED_LOG > $HTTP_HOST_LOG
+
+ SSH_HOST_LOG=`mktemp ${TMP_DIR}/host_ssh.log.XXXXXX`
+ grep $IP $SSH_FILTERED_LOG > $SSH_HOST_LOG
+ LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $SSH_HOST_LOG | \
sort | uniq | gsed ':a N;s/\n/, /g; ta'`
+
if [ -z "$ABUSE" ]; then
NETS=`gsed -n "s/.*\(NET-[-0-9]\+\).*/\1/p" $WHOIS_FILE`
for NET in $NETS; do
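Review bot: `grep $IP $HTTP_FILTERED_LOG` at L62 and `grep $IP $SSH_FILTERED_LOG` at L65 use the address as an unanchored regular expression, so the dots match any character and `10.1.1.1` also selects lines for `10.1.1.10`, `110.1.1.1` or `10x1y1z1`; the per-host excerpts that are later mailed to the abuse contact can therefore contain other hosts' traffic. `grep -F -w -- "$IP"` matches the literal address as a whole token, and the `--` also protects against a log field that happens to start with a dash (the HTTP addresses come from `cut -d" " -f 2` of the access log rather than from a validated pattern). The enclosing process_ip function begins before this hunk and ends after it.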
@@ -57,9 +69,18 @@ function process_ip
done
ABUSE=`extract_email $WHOIS_FILE`
fi
+
if [ ! -z "$ABUSE" ]; then
+ DEST_ADDR="$ABUSE"
+ CC_ADDR="$LOCAL_ADDR"
+ SUBJECT="Host $IP is compromised"
+ else
+ DEST_ADDR="${LOCAL_ADDR}"
+ SUBJECT="Host $IP (admin unknown) is compromised"
+ fi
(
-cat << EOF
+ if [ -z "$ABUSE" ]; then
+ cat << EOF
Greetings,
[ This is an automated email, please report any problem to
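Review bot: The inner test `if [ -z "$ABUSE" ]; then` at L87 appears inverted relative to the removed code: previously the greeting heredoc was emitted inside the `[ ! -z "$ABUSE" ]` branch and went to the abuse contact, while the new code prints it only when no abuse address was found, i.e. in the mail addressed to `LOCAL_ADDR`. The text asks the recipient to take the machine down or forward to its administrator, which only makes sense for the remote contact, so this should read `if [ ! -z "$ABUSE" ]; then` (or `[ -n "$ABUSE" ]`). Note also that `CC_ADDR` is assigned only in the first branch at L79 and is left unset on the else path, which the later mail invocation needs to tolerate. process_ip starts before this hunk and continues past it.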
@@ -75,33 +96,25 @@ connection attempts at the bottom.
Could you please take this machine down for cleanup, or forward this
message to its administrator in charge.
-Offending IP: $IP
-Hostnames: $HOSTS
-Abuse addresses: $ABUSE
-Usernames tried: $LOGINS
-
-Host and WHOIS information:
EOF
- cat $HOST_FILE
- cat $WHOIS_FILE
- echo "Incriminating logs:"
- cat $LOGIN_FILE
- ) | $MAIL -c $DEST_ADDR -s "Host $IP is compromised" $ABUSE
- else
- (
- echo "Offending IP: $IP"
- echo "Hostnames: $HOSTS"
- echo "Abuse addresses: $ABUSE"
- echo "Usernames tried: $LOGINS"
- echo
- echo "Host and WHOIS information:"
- cat $HOST_FILE
- cat $WHOIS_FILE
- echo "Incriminating logs:"
- cat $LOGIN_FILE
- ) | $MAIL -s "Host $IP (admin unknown) is compromised" $DEST_ADDR
fi
- rm -f $HOST_FILE $WHOIS_FILE $LOGIN_FILE
+ echo "Offending IP: $IP"
+ echo "Hostnames: $HOSTS"
+ echo "Abuse addresses: $ABUSE"
+ echo "Usernames tried: $LOGINS"
+ echo
+ echo "Host and WHOIS information:"
+ cat $HOST_FILE
+ cat $WHOIS_FILE
+ echo
+ echo "Incriminating logs (HTTP):"
+ cat $HTTP_HOST_LOG
+ echo
+ echo "Incriminating logs (SSH):"
+ cat $SSH_HOST_LOG
+ ) | $MAIL -c ${CC} -s "${SUBJECT}" $DEST_ADDR
+
+ rm -f $HOST_FILE $WHOIS_FILE $SSH_HOST_LOG $HTTP_HOST_LOG
}
function extract_email
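Review bot: The mail invocation at L135, `$MAIL -c ${CC} -s "${SUBJECT}" $DEST_ADDR`, references `CC`, which is never assigned anywhere in the diff; the variables set earlier in process_ip are `CC_ADDR`, `DEST_ADDR` and `SUBJECT`. With `${CC}` expanding to nothing, `-c` consumes `-s` as its carbon-copy address and the subject string is then parsed as recipient addresses, so the report is unlikely to reach its intended destination. Because `CC_ADDR` is empty when no abuse contact was found, the option should be passed conditionally and the address quoted: `) | $MAIL ${CC_ADDR:+-c "$CC_ADDR"} -s "${SUBJECT}" "$DEST_ADDR"`. process_ip starts before this hunk; the `fi` at L119 closes the heredoc condition opened in the previous hunk.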
@@ -126,16 +139,20 @@ function extract_email
echo -n > {$NEW_BLOCKERS_FILE}
# HTTP exploiters
-grep etc.passwd /srv/www/logs/access_log | cut -d" " -f 2 | uniq >> ${NEW_BLOCKERS_FILE}
+grep -v -f ${BLOCKERS_FILE} ${HTTP_LOG} > ${HTTP_FILTERED_LOG}
+grep ${HTTP_PATTERN} ${HTTP_FILTERED_LOG} | cut -d" " -f 2 | \
+ uniq >> ${NEW_BLOCKERS_FILE}
# SSH exploiters
-sed -En "s/.*(Invalid user|Failed password).*from ([0-9.]+).*/\2/p" ${AUTHLOG} | \
+grep -v "Received disconnect" ${SSH_LOG} | \
+ grep -v -f ${BLOCKERS_FILE} | \
+ > ${SSH_FILTERED_LOG}
+sed -En "s/${SSH_PATTERN}/\2/p" ${SSH_FILTERED_LOG} | \
sort | uniq -c | \
- sed "/^ *[1-$NUM_TRIES] */d;s/.* //" \
+ sed "/^ *[1-$AUTHTRIES] */d;s/.* //" \
>> ${NEW_BLOCKERS_FILE}
-pfctl -t kiddies -Tshow | sed "s/ //g" | sort -n > ${TMP_DIR}/blockers.list
-for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do
+for IP in `cat $NEW_BLOCKERS_FILE`; do
process_ip $IP
done
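Review bot: The SSH pipeline at L149-L151 ends with `grep -v -f ${BLOCKERS_FILE} | \` followed by a bare `> ${SSH_FILTERED_LOG}`, so the last pipeline stage is an empty command with a redirection: the file is created but receives nothing and grep's output is discarded, leaving `SSH_FILTERED_LOG` empty on every run and the SSH detection below it inert. The trailing pipe on L150 should be dropped so the redirection applies to the second grep, `  grep -v -f ${BLOCKERS_FILE} > ${SSH_FILTERED_LOG}`. Both `grep -v -f ${BLOCKERS_FILE}` calls (L144, L150) also read the stored addresses as unanchored regexes, so a blocked `1.2.3.4` would hide lines for `11.2.3.45` as well; `grep -v -F -w -f ${BLOCKERS_FILE}` excludes only exact tokens, and since the file is now written only by the `mv` at the end of the script, a missing file on a first run would make both greps fail and produce empty filtered logs, which may deserve a guard. The pre-existing `echo -n > {$NEW_BLOCKERS_FILE}` on the context line L141 creates a literal `{...}` file rather than truncating the temp file and could be fixed in passing.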
@@ -144,6 +161,6 @@ pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1
# Add new entries
pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1
-mv ${NEW_BLOCKERS_FILE} /etc/blockers.list
+mv ${NEW_BLOCKERS_FILE} ${BLOCKERS_FILE}
-rm $PIDFILE
+rm ${HTTP_FILTERED_LOG} ${SSH_FILTERED_LOG} ${PIDFILE}
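Review bot: `mv ${NEW_BLOCKERS_FILE} ${BLOCKERS_FILE}` at L166 runs regardless of whether the `pfctl -t kiddies -Tadd` on L164 succeeded, and that command discards both stdout and stderr, so a failed table update still records the addresses in ${BLOCKERS_FILE}. Since this commit turns that file into the exclusion list for the next run (`grep -v -f ${BLOCKERS_FILE}` in the previous hunk), such hosts would be suppressed from future reports without ever having been added to the pf table. Gating the move on the update's exit status, e.g. `pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} >/dev/null 2>&1 || exit 1`, keeps the file and the table in step; the temp files and PIDFILE then still need removing on that path, which an EXIT trap would handle.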