author | Olivier Mehani <shtrom@ssji.net> | 2016-08-16 21:20:43 +1000 |
---|---|---|
committer | Olivier Mehani <shtrom@ssji.net> | 2016-08-16 21:20:43 +1000 |
commit | fc93de888539ecc86b0e674bbf588489ae5d1c8b (patch) | |
tree | 7e297a0febbd43d68e0c7bd7b65756bb7e7e534f /openbsd | |
parent | 26cdd9d53cd99573862d8d14f26cc2cf99d1aabd (diff) |
[denyhosts] Refactor a good'un
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
Diffstat (limited to 'openbsd')
-rwxr-xr-x | openbsd/denyhost.sh | 99 |
1 files changed, 58 insertions, 41 deletions
diff --git a/openbsd/denyhost.sh b/openbsd/denyhost.sh index 8c757f7..5d0385b 100755 --- a/openbsd/denyhost.sh +++ b/openbsd/denyhost.sh @@ -1,5 +1,4 @@ #!/bin/sh -# $Id$ # Script to trawl logs for nastiness and log bad IP addresses # From http://netnix.blogspot.com/2005/06/openbsd-ssh-protection.html # Warning and whitelist features by Olivier Mehani <shtrom-openbsd@ssji.net> @@ -17,12 +16,21 @@ # or by creating file /etc/whitelist (adding it to /etc/changelist may # also be a good idea) # -PATH=/usr/local/bin:$PATH -AUTHLOG=/var/log/authlog -NUM_TRIES=3 + +LOCAL_ADDR=root@`hostname` +HTTP_LOG=/srv/www/log/access_log +HTTP_PATTERN="etc.passwd" +SSH_LOG=/var/log/authlog +SSH_PATTERN=".*(Invalid user|Failed password).*from ([0-9.]+).*" +AUTHTRIES=3 # single digit +BLOCKERS_FILE=/etc/blockers.list TMP_DIR=/var/tmp + +PATH=/usr/local/bin:$PATH + NEW_BLOCKERS_FILE=`mktemp ${TMP_DIR}/blockers.list.XXXXXX` -DEST_ADDR=root@`hostname` +HTTP_FILTERED_LOG=`mktemp ${TMP_DIR}/http.log.XXXXXX` +SSH_FILTERED_LOG=`mktemp ${TMP_DIR}/ssh.log.XXXXXX` PIDFILE=/var/run/denyhost.sh.pid MAIL=mail @@ -46,10 +54,14 @@ function process_ip whois $IP > $WHOIS_FILE ABUSE=`extract_email $WHOIS_FILE` - LOGIN_FILE=`mktemp ${TMP_DIR}/logins.list.XXXXXX` - grep $IP $AUTHLOG | grep -v "Received disconnect" > $LOGIN_FILE - LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $LOGIN_FILE | \ + HTTP_HOST_LOG=`mktemp ${TMP_DIR}/host_http.log.XXXXXX` + grep $IP $HTTP_FILTERED_LOG > $HTTP_HOST_LOG + + SSH_HOST_LOG=`mktemp ${TMP_DIR}/host_ssh.log.XXXXXX` + grep $IP $SSH_FILTERED_LOG > $SSH_HOST_LOG + LOGINS=`gsed -n "s/.*sshd\[[0-9]\+\]: \(Invalid user\|Failed password for\( invalid user\)\?\) \([^[:space:]]\+\) from.*/\3/p" $SSH_HOST_LOG | \ sort | uniq | gsed ':a N;s/\n/, /g; ta'` + if [ -z "$ABUSE" ]; then NETS=`gsed -n "s/.*\(NET-[-0-9]\+\).*/\1/p" $WHOIS_FILE` for NET in $NETS; do 
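Review bot: The two new `mktemp` assignments for HTTP_FILTERED_LOG and SSH_FILTERED_LOG, like the NEW_BLOCKERS_FILE one beside them, never check that mktemp succeeded, and the variables are later used as redirection targets and as `rm` arguments; an empty value turns `> ${SSH_FILTERED_LOG}` into a run-time error mid-script and leaves the other temp files behind. Appending `|| exit 1` to each line stops the script before it runs with empty paths, e.g. `HTTP_FILTERED_LOG=\`mktemp ${TMP_DIR}/http.log.XXXXXX\` || exit 1`. SSH_PATTERN also deserves a comment, since the `\2` in the `sed -E` call further down depends on its group numbering: `# extended regex for sed -E; group 2 must capture the source address`.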
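Review bot: `grep $IP $HTTP_FILTERED_LOG` and `grep $IP $SSH_FILTERED_LOG` use the address as an unanchored basic regex, so each dot matches any character and one host's extract picks up lines from others (10.1.2.3 also matches 110.1.2.30), which are then mailed as that host's "incriminating logs" and feed the LOGINS list. Matching the literal address as a whole word avoids that: `grep -F -w -- "$IP" $HTTP_FILTERED_LOG > $HTTP_HOST_LOG`, and the same for the SSH line. The two new `mktemp` calls here go unchecked as well. process_ip continues past the end of this hunk.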
@@ -57,9 +69,18 @@ function process_ip done ABUSE=`extract_email $WHOIS_FILE` fi + if [ ! -z "$ABUSE" ]; then + DEST_ADDR="$ABUSE" + CC_ADDR="$LOCAL_ADDR" + SUBJECT="Host $IP is compromised" + else + DEST_ADDR="${LOCAL_ADDR}" + SUBJECT="Host $IP (admin unknown) is compromised" + fi ( -cat << EOF + if [ -z "$ABUSE" ]; then + cat << EOF Greetings, [ This is an automated email, please report any problem to @@ -75,33 +96,25 @@ connection attempts at the bottom. Could you please take this machine down for cleanup, or forward this message to its administrator in charge. -Offending IP: $IP -Hostnames: $HOSTS -Abuse addresses: $ABUSE -Usernames tried: $LOGINS - -Host and WHOIS information: EOF - cat $HOST_FILE - cat $WHOIS_FILE - echo "Incriminating logs:" - cat $LOGIN_FILE - ) | $MAIL -c $DEST_ADDR -s "Host $IP is compromised" $ABUSE - else - ( - echo "Offending IP: $IP" - echo "Hostnames: $HOSTS" - echo "Abuse addresses: $ABUSE" - echo "Usernames tried: $LOGINS" - echo - echo "Host and WHOIS information:" - cat $HOST_FILE - cat $WHOIS_FILE - echo "Incriminating logs:" - cat $LOGIN_FILE - ) | $MAIL -s "Host $IP (admin unknown) is compromised" $DEST_ADDR fi - rm -f $HOST_FILE $WHOIS_FILE $LOGIN_FILE + echo "Offending IP: $IP" + echo "Hostnames: $HOSTS" + echo "Abuse addresses: $ABUSE" + echo "Usernames tried: $LOGINS" + echo + echo "Host and WHOIS information:" + cat $HOST_FILE + cat $WHOIS_FILE + echo + echo "Incriminating logs (HTTP):" + cat $HTTP_HOST_LOG + echo + echo "Incriminating logs (SSH):" + cat $SSH_HOST_LOG + ) | $MAIL -c ${CC} -s "${SUBJECT}" $DEST_ADDR + + rm -f $HOST_FILE $WHOIS_FILE $SSH_HOST_LOG $HTTP_HOST_LOG } function extract_email 
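Review bot: The condition guarding the heredoc is inverted: `if [ -z "$ABUSE" ]; then cat << EOF` emits the explanatory "please take this machine down" text only when no abuse contact was found, i.e. when the mail goes to LOCAL_ADDR, while an abuse contact receives a bare dump with no explanation. Before the change the heredoc version was piped to `$MAIL ... $ABUSE` and the echo-only version went to `$DEST_ADDR` with the "admin unknown" subject, so this should read `if [ ! -z "$ABUSE" ]; then`, matching the test a few lines above. The heredoc body and its closing `fi` are in the next hunk.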
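Review bot: The mail command references `${CC}`, but the variable assigned in the previous hunk is `CC_ADDR`, and only in the abuse-found branch; with `CC` unset the unquoted expansion vanishes and the command becomes `mail -c -s "Host ..." addr`, so `-c` consumes `-s`, the subject string becomes a recipient and the real recipient gets a message with no subject (and if `CC` happens to be exported in the environment, whatever it holds is mailed instead). Set the variable in both arms of that `if`, `CC_ADDR="${LOCAL_ADDR}"` in the else arm, and use it quoted: `) | $MAIL -c "${CC_ADDR}" -s "${SUBJECT}" $DEST_ADDR`.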
@@ -126,16 +139,20 @@ function extract_email echo -n > {$NEW_BLOCKERS_FILE} # HTTP exploiters -grep etc.passwd /srv/www/logs/access_log | cut -d" " -f 2 | uniq >> ${NEW_BLOCKERS_FILE} +grep -v -f ${BLOCKERS_FILE} ${HTTP_LOG} > ${HTTP_FILTERED_LOG} +grep ${HTTP_PATTERN} ${HTTP_FILTERED_LOG} | cut -d" " -f 2 | \ + uniq >> ${NEW_BLOCKERS_FILE} # SSH exploiters -sed -En "s/.*(Invalid user|Failed password).*from ([0-9.]+).*/\2/p" ${AUTHLOG} | \ +grep -v "Received disconnect" ${SSH_LOG} | \ + grep -v -f ${BLOCKERS_FILE} | \ + > ${SSH_FILTERED_LOG} +sed -En "s/${SSH_PATTERN}/\2/p" ${SSH_FILTERED_LOG} | \ sort | uniq -c | \ - sed "/^ *[1-$NUM_TRIES] */d;s/.* //" \ + sed "/^ *[1-$AUTHTRIES] */d;s/.* //" \ >> ${NEW_BLOCKERS_FILE} -pfctl -t kiddies -Tshow | sed "s/ //g" | sort -n > ${TMP_DIR}/blockers.list -for IP in `grep -v -f ${TMP_DIR}/blockers.list $NEW_BLOCKERS_FILE`; do +for IP in `cat $NEW_BLOCKERS_FILE`; do process_ip $IP done @@ -144,6 +161,6 @@ pfctl -t kiddies -T expire 25200 1>/dev/null 2>&1 # Add new entries pfctl -t kiddies -Tadd -f ${NEW_BLOCKERS_FILE} 1>/dev/null 2>&1 -mv ${NEW_BLOCKERS_FILE} /etc/blockers.list +mv ${NEW_BLOCKERS_FILE} ${BLOCKERS_FILE} -rm $PIDFILE +rm ${HTTP_FILTERED_LOG} ${SSH_FILTERED_LOG} ${PIDFILE} |
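Review bot: The SSH filter pipeline never produces output: the second grep line ends with `| \` and the following line is only `> ${SSH_FILTERED_LOG}`, so the last stage of the pipeline is a bare redirection that truncates the file and reads nothing from the pipe, leaving SSH_FILTERED_LOG empty; no SSH exploiter is ever added and process_ip's SSH_HOST_LOG is always empty. Drop the trailing pipe: `  grep -v -f ${BLOCKERS_FILE} \` followed by `  > ${SSH_FILTERED_LOG}`. Both `grep -v -f ${BLOCKERS_FILE}` calls also fail outright when /etc/blockers.list does not exist yet (first run, or after it is removed), which empties both filtered logs; a `[ -f ${BLOCKERS_FILE} ] || : > ${BLOCKERS_FILE}` before them covers that, though how an empty pattern file is treated differs between grep implementations and is worth checking on the target system. Note too that the blocker entries are now applied as basic regexes to whole log lines rather than to the IP list, so 10.1.2.3 also suppresses lines from 110.1.2.30 or containing that pattern anywhere in the request; `grep -v -F -w -f ${BLOCKERS_FILE}` narrows that.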
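Review bot: `mv ${NEW_BLOCKERS_FILE} ${BLOCKERS_FILE}` replaces the list with only this run's hits, yet the previous hunk now uses that file, instead of the removed `pfctl -t kiddies -Tshow` output, to filter already-handled hosts out of the logs. Unless the logs are rotated between runs, an address found in run N is filtered out in run N+1, is therefore missing from the list written by N+1, and is rediscovered, re-whois'd and re-mailed in run N+2. Either merge instead of replace, e.g. `sort -u ${BLOCKERS_FILE} ${NEW_BLOCKERS_FILE} > ${NEW_BLOCKERS_FILE}.merged && mv ${NEW_BLOCKERS_FILE}.merged ${BLOCKERS_FILE}`, or keep deriving the filter list from the live pf table as before so that it tracks the 25200 s expiry. The temp files removed on the last line are also left behind on any earlier exit; a `trap 'rm -f ...' EXIT` installed where they are created would cover that.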