From: Michael L Benjamin (mike.benjaminclarinet.com.au)
Date: Sun Sep 04 2005 - 23:24:19 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----Original Message-----
From: francisco [mailto:friscoblackant.net]
Sent: Sunday, September 04, 2005 01:49 AM
To: Michael L Benjamin
Subject: RE: [Full-disclosure] SSH Bruteforce blocking script

On Fri, 2 Sep 2005, Michael L Benjamin wrote:

>
> It's an idea.
>
> Involves calling another process though. I think the shell has enough
> tools to adequately create a secure temp file if I go about it in the
> right way. :-)

That's a silly argument since your script already calls other proceses
that you don't need to, and your mktemp substitute involves calling 3
other processes instead of 1 (i think you might also need to -f too in
case someone races you to a symlink or fifo). mktemp is designed to
make secure temporary files; it's the right tool for the job.

Here are a few cleanups of your script:

> tail -10000 ${LOG_FILE} | grep "Failed password for illegal user" |
> awk -F"from" {'print $2'} | awk {'print $1'} | uniq > ${TMP_FILE}

Whenever you see an awk following a grep, chances are the grep isn't
necessary:

tail -10000 ${LOG_FILE} |
awk -F"from" /Failed password for illegal user/{'print $2'} | awk
{'print $1'}| uniq > ${TMP_FILE}

The two awk's could probably be combined as well, but that's beyond my
time limits.

> GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed

> password for" | wc -l | awk {'print $1'})

The last awk would only be necessary if wc were given a filename. As
is, the filename is blank and that awk can be removed:

GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed
password for" | wc -l)

Usually two greps in a row aren't necessary either. The regex could be
written a number of ways, here's one:

GUESS_COUNT=$(grep 'Failed password for .*'"from ${INBOUND_IP}"
/var/log/secure | wc -l)

I think you want to pad that ${INBOUND_IP} with a space at the end too,
so that someone attacking from 10.0.0.1 doesn't affect everyone else in
10.0.0.1*.

Personally, i have a couple OpenBSD firewalls protecting most of my
stuff, and use pf and max-src-conn-rate to limit the number of
connections per time period, similar to iptables hashlimit.

The code above was tested on FC3 so there may be some incompatibilities
with RHEL3 - i'm not really familiar with RHEL anymore. Also, i just
woke up and my eyes are still blurry.

Good luck,

-f
http://www.blackant.net/

------------------------------------------------------------------------
---

Thanks for all the suggestions. I'll see what I can do to tighten the
code up. You can see I didn't spend too much time trying to get the
regex in there, I will do that at some point.

FC3 should be totally portable to RHEL3/4 from a simple scripting
perspective like this.

RHEL3 Runs (#)PD KSH v5.2.14 99/07/13.2 (if you are at the latest
update level) and I expect FC3 is not far behind from a version
perspective, so effectively there should be no difference between
platforms in this situation.

Cheers, Mike.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]