| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Sep 5 05:24:29 2005
From: mike.benjamin at clarinet.com.au (Michael L Benjamin)
Subject: FW: SSH Bruteforce blocking script
-----Original Message-----
From: francisco [mailto:frisco@...ckant.net]
Sent: Sunday, September 04, 2005 01:49 AM
To: Michael L Benjamin
Subject: RE: [Full-disclosure] SSH Bruteforce blocking script
On Fri, 2 Sep 2005, Michael L Benjamin wrote:
>
> It's an idea.
>
> Involves calling another process though. I think the shell has enough
> tools to adequately create a secure temp file if I go about it in the
> right way. :-)
That's a silly argument since your script already calls other proceses
that you don't need to, and your mktemp substitute involves calling 3
other processes instead of 1 (i think you might also need to -f too in
case someone races you to a symlink or fifo). mktemp is designed to
make secure temporary files; it's the right tool for the job.
Here are a few cleanups of your script:
> tail -10000 ${LOG_FILE} | grep "Failed password for illegal user" |
> awk -F"from" {'print $2'} | awk {'print $1'} | uniq > ${TMP_FILE}
Whenever you see an awk following a grep, chances are the grep isn't
necessary:
tail -10000 ${LOG_FILE} |
awk -F"from" /Failed password for illegal user/{'print $2'} | awk
{'print $1'}| uniq > ${TMP_FILE}
The two awk's could probably be combined as well, but that's beyond my
time limits.
> GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed
> password for" | wc -l | awk {'print $1'})
The last awk would only be necessary if wc were given a filename. As
is, the filename is blank and that awk can be removed:
GUESS_COUNT=$(grep "from ${INBOUND_IP}" /var/log/secure | grep "Failed
password for" | wc -l)
Usually two greps in a row aren't necessary either. The regex could be
written a number of ways, here's one:
GUESS_COUNT=$(grep 'Failed password for .*'"from ${INBOUND_IP}"
/var/log/secure | wc -l)
I think you want to pad that ${INBOUND_IP} with a space at the end too,
so that someone attacking from 10.0.0.1 doesn't affect everyone else in
10.0.0.1*.
Personally, i have a couple OpenBSD firewalls protecting most of my
stuff, and use pf and max-src-conn-rate to limit the number of
connections per time period, similar to iptables hashlimit.
The code above was tested on FC3 so there may be some incompatibilities
with RHEL3 - i'm not really familiar with RHEL anymore. Also, i just
woke up and my eyes are still blurry.
Good luck,
-f
http://www.blackant.net/
------------------------------------------------------------------------
---
Thanks for all the suggestions. I'll see what I can do to tighten the
code up. You can see I didn't spend too much time trying to get the
regex in there, I will do that at some point.
FC3 should be totally portable to RHEL3/4 from a simple scripting
perspective like this.
RHEL3 Runs @(#)PD KSH v5.2.14 99/07/13.2 (if you are at the latest
update level) and I expect FC3 is not far behind from a version
perspective, so effectively there should be no difference between
platforms in this situation.
Cheers, Mike.
Powered by blists - more mailing lists