Bash script to block SSH access...

/dev/random · 12-07-2013, 06:03 AM

Hey guys, I was wondering if you could help me finish this script.

My script finds the number of failed entries in /var/log/secure* grabs the IP address then compares it to iptables -L and if the number of failed attempts is greater then 5 it will add a rule to drop them if one doesn't exist.... but now I want to add time into the mix...

I want to take the entries I have and compare the time they attempted to login, if they have tried to log in 5 times in less then 60 seconds black_list them.

Here is my basic loop

Code:

#!/bin/sh

IPTABLES=/sbin/iptables
TMPFILE=/tmp/gotcha.tmp
LOGGER=/var/log/gotcha.log
LOGFILES=/var/log/secure*

if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root" 1>&2
   exit 1
fi

main() {
# Check the age of the file by comaping the inode number.
inode_check=$(stat -c '%i' /var/log/secure |cut -f2 -d " " |cut -f1 -d ".")
current_inode=$inode_check

grep -E "sshd.+Failed" $LOGFILES |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort | uniq -c > $TMPFILE 
# If the inode number changes, reread the data
if [ $current_inode != $inode_check ]; then
        echo "Log has been rotated while data was read, re-reading"
        rm -rf $TMPFILE
        grep -E "sshd.+Failed" $LOGFILES |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |sort | uniq -c > $TMPFILE
fi

exec < $TMPFILE

IPTABCHK=$(iptables -L |grep DROP |cut -f3 -d "-" |cut -d " " -f3)
while read COUNT IPADDR ; do

        if [ "$IPADDR" != "$IPTABCHK" ]; then
                if [ "$COUNT" -ge "$N_FAIL" ]; then
                        $IPTABLES -A INPUT -s $IPADDR -j DROP
                        echo "$IPADDR ($COUNT failures) added to the block list" >> $LOGGER
                fi
        fi
done

rm -rf $TMPFILE
}


usage

unSpawn · 12-07-2013, 06:47 AM

- Don't use predictable temporary file names ('man mktemp'),
- use ipset (if you can) instead of the iptables filter table INPUT chain,
- use grep efficiently, for example with '(zgrep filez; grep file) | doSomething;',
- store already seen / blocked IP addresses for efficiency reasons (if you're using ipset they're already in the set, else an sqlite3 database is quite fast),
- "5 times in less then 60 seconds" means you won't block slow scanners,
- but most importantly you're reinventing the wheel: see fail2ban!
Probably not the comments you were looking for but valid comments nonetheless.

As for your question: try storing per IP epoch and counter?

dwhitney67 · 12-07-2013, 09:00 AM

Quote:

Originally Posted by unSpawn

- but most importantly you're reinventing the wheel: see fail2ban!

Agreed. Another tool available is denyhosts.

/dev/random · 12-07-2013, 02:37 PM

It's not really for production guys, its so I can learn how it works, its only for my educational purposes only.

unSpawn · 12-07-2013, 03:08 PM

FWIW I'm not seeing you respond to comments in a detailed way nor do I see any ideas / (pseudo) code how you intend to implement a counter?

/dev/random · 12-07-2013, 03:51 PM

Well I had an idea of doing this

Code:

while read p; do
        ATTACKER=$(echo $p | cut -f2 -d " ")
        ATTACK_TIME=$(grep $ATTACKER $LOGFILES| sed -e "s/ \+ / /g" |grep -E "sshd.+Failed"|cut -f3 -d " ")
        
done < $TMPFILE

this will get me something that will look like this:
10.0.0.3 04:45:21 04:45:23 04:45:24
10.0.0.4 04:47:02 04:47:03 04:47:04
192.168.89.4 08:24:37

I was hoping on storing the times in an array then some how comparing them and if they are below xxx time then block the ip, but I see multiple problems, the list this generates is not set, meaning it will not always be 3 sets of time, could be 5 times I need to compare to see if they are a certain time apart.

unSpawn · 12-08-2013, 05:15 AM

Use epoch, that's easier to store (int) and compare (numerically):

Code:

grep -iE "sshd.*(failed|refused)" logfile 2>/dev/null | awk '{print $1, $2, $3, $NF}' 2>/dev/null | while read LINE; do
 LINE=(${LINE}); EPOCH=$(date --date="${LINE[0]} ${LINE[1]} ${LINE[2]}" +%s 2>/dev/null); IP=${LINE[3]}
 # ..