On Thu, 2004-10-28 at 18:45, John Aldrich wrote:
> On Thursday 28 October 2004 03:37 am, HaJo Schatz wrote:
> >
> > I have hacked a script which tails /var/log/secure and reacts to attempts
> > to log in as root with password. Such offending IPs are then denied port
> > 22 access. Any comments, positive or negative, on this?
> >
> Oooh... care to post it? I like the sounds of that. :-)
> Thanks

Sure, dead simple anyway. You can source the resulting blacklist.txt e.g. in
hosts.deny where you might want to block ssh access only. Alternatively, use
the IPs as new rules for your firewall. Note that the blacklist.txt file has
to exist for the script to run (lazy me ;)).

BTW, thanks guys for all your comments. I'm more worried about an accidental
PW discovery on a user name than a DoS, so I think my chosen path should be
OK. PW authentication is a must for users connecting from unknown IPs
(whereas I have of course disabled root PW access). I'll have a look into
snort though...

================
#!/usr/bin/perl
#
# Remember to restart this daemon after rotating the secure-log!!!
#
use strict;
use warnings;

# Config
my $BL  = "/opt/sshBruteDetect/blacklist.txt";
my $LOG = "/var/log/secure";

my $IP;
my $found;

# Follow the log from its current end; "-n 0" skips what is already there.
open(my $F, '-|', "tail -n 0 -f $LOG")
    or die "Could not open log file\n ERROR: $!";

while (<$F>) {
    # \S+ stops the capture at the address (a greedy .+ would do as well here,
    # but this is what is actually meant).
    if (/sshd.*Failed password for root from (\S+) port/) {
        $IP = $1;

        open(my $B, '<', $BL)
            or die "Could not read blacklist-file!\n ERROR: $!";
        $found = 0;
        LOOP: while (my $line = <$B>) {
            chomp $line;
            # Compare whole addresses. Using the IP as an unanchored regex
            # (/$IP/) lets the dots match any character and matches prefixes,
            # so 1.2.3.4 would also "match" 1.2.3.45 or 11.2.3.4 and the new
            # offender would never be written out.
            if ($line eq $IP) {
                $found = 1;
                last LOOP;
            }
        }
        close $B;

        if (!$found) {
            open(my $W, '>>', $BL)
                or die "Could not write to blacklist-file!\n ERROR: $!";
            print $W "$IP\n";
            close $W;
        }
    }
}

-- 
HaJo Schatz <hajo@xxxxxxxx>
http://www.HaJo.Net
PGP-Key: http://www.hajo.net/hajonet/keys/pgpkey_hajo.txt
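The detection logic from the script above, reworked in Python as an added example (this is not HaJo's code and not part of the original thread). It runs the same "Failed password for root" match over a handful of constructed /var/log/secure lines, and adds the three things a practitioner would want before wiring the output into hosts.deny or a firewall: whole-address comparison against the existing blacklist instead of an IP-as-regex substring test, a per-address threshold plus an allow-list so one mistyped password from your own management network does not lock you out, and correct output syntax for both IPv4 and IPv6 (tcp_wrappers expects IPv6 literals in square brackets). The log lines, the existing blacklist contents and the 10.0.0.0/30 allow-list are all made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/secure lines in the format the thread's
# script tails (not captured from a real host).
SAMPLE_LOG = """\
Oct 28 03:31:02 host sshd[4411]: Failed password for root from 10.0.0.5 port 41022 ssh2
Oct 28 03:31:04 host sshd[4411]: Failed password for root from 10.0.0.5 port 41023 ssh2
Oct 28 03:31:09 host sshd[4413]: Failed password for invalid user root from 10.0.0.57 port 2200 ssh2
Oct 28 03:31:12 host sshd[4415]: Failed password for alice from 10.0.0.57 port 2201 ssh2
Oct 28 03:31:15 host sshd[4416]: Failed password for root from 2001:db8::10 port 5000 ssh2
Oct 28 03:31:18 host sshd[4418]: Failed password for root from 10.0.0.2 port 6000 ssh2
Oct 28 03:31:20 host sshd[4417]: Accepted publickey for alice from 10.0.0.9 port 3000 ssh2
"""

# Constructed existing blacklist.txt. Note that 10.0.0.50 is NOT 10.0.0.5.
EXISTING_BLACKLIST = "10.0.0.50\n192.0.2.1\n"

# Same sshd message the Perl script keys on, tightened: \S+ stops the capture
# at the address, and the optional "invalid user " also catches the variant
# sshd logs when root itself is not a permitted user name.
FAILED_ROOT = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?root from (\S+) port \d+"
)


def failed_root_attempts(log_text):
    """Count failed root password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_ROOT.search(line)
        if m:
            try:
                counts[str(ipaddress.ip_address(m.group(1)))] += 1
            except ValueError:
                continue  # not an address where one was expected; never block on garbage
    return counts


def load_blacklist(text):
    """Parse blacklist.txt (one address per line, '#' comments) into a set."""
    entries = set()
    for raw in text.splitlines():
        raw = raw.strip()
        if raw and not raw.startswith("#"):
            entries.add(str(ipaddress.ip_address(raw)))
    return entries


def perl_style_listed(ip, blacklist_text):
    """The original check: the candidate IP used as an unanchored regex over
    each line. Dots match any character and nothing is anchored, so 10.0.0.5
    'matches' 10.0.0.50 and the real offender is never written out."""
    return any(re.search(ip, line) for line in blacklist_text.splitlines())


def exact_listed(ip, blacklist):
    """Corrected check: whole-address membership."""
    return ip in blacklist


def new_offenders(counts, blacklist, allow=(), threshold=1):
    """Addresses to add: at least `threshold` failures, not already listed,
    and not inside an allow-listed network (your own admin hosts)."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    result = []
    for ip, n in sorted(counts.items()):
        addr = ipaddress.ip_address(ip)
        if n < threshold or exact_listed(ip, blacklist):
            continue
        if any(addr in net for net in allow_nets):
            continue
        result.append(ip)
    return result


def hosts_deny_line(ip):
    """tcp_wrappers syntax for hosts.deny; IPv6 literals go in square brackets."""
    addr = ipaddress.ip_address(ip)
    return f"sshd: [{addr}]" if addr.version == 6 else f"sshd: {addr}"


def firewall_rule(ip):
    """The 'use the IPs as firewall rules' alternative from the post, as netfilter."""
    addr = ipaddress.ip_address(ip)
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return f"{tool} -A INPUT -p tcp --dport 22 -s {addr} -j DROP"


if __name__ == "__main__":
    counts = failed_root_attempts(SAMPLE_LOG)
    listed = load_blacklist(EXISTING_BLACKLIST)
    for ip in new_offenders(counts, listed, allow=["10.0.0.0/30"]):
        print(hosts_deny_line(ip))
        print(firewall_rule(ip))
```

Two caveats when actually deploying this: hosts.deny only takes effect if sshd was built with tcp_wrappers (libwrap) support, which was the norm in 2004 but was removed from OpenSSH in 6.7, so on a current system the firewall-rule path is the one that works; and because a single failure is enough to blacklist with `threshold=1`, keep the allow-list populated with the networks you administer from, or a typo in your own root password on a box that still allows it will cut you off.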