commit a35e3c45ea475989f5a72068f641bb0564e9246d Author: Jack-Benny Persson Date: Thu Jan 26 02:38:56 2012 +0100 First push of files
diff --git a/README b/README
new file mode 100644
index 0000000..8c67837
--- /dev/null
+++ b/README
@@ -0,0 +1,57 @@
+SSH Block 2
+
+I am glad to announce version 2 of the SSH Block script!
+Version two contains many improvments over the earlier versions.
+
+A quick list with the best of version two:
+- Total re-write of the code
+- No more catting back and forth thruogh the script
+- No more strange temp files in /Var/state/ssh_block
+- ONE scriptfile for all system (Linux, FreeBSD, Solaris and Mac OS X)
+- No more un-neccesary grepping. The script only "greps" if the size of the
+log file has changed. This way it uses less system recuorces.
+- The blocked IP's are now inserted directly into hosts.deny
+
+I came up with ideea of making a version two since I made the port to Solaris
+and Mac OS X. I liked the code that came out of these two ports. Later on I
+started thinking about what can be done about the script re-writing
+the hosts.deny file every 10 second. So for this I added the logfile size check.
+And I didn't like having 4 diffrent versions (5 if you count the iptable
+version) of the script. So I made a "One for all" version.
+
+I hope version two of SSH Block will be appreciated both among version one users
+aswell as among new users.
+
+Please drop me an e-mail with comments, bugs, improvments or just about
+anything!
+
+This is the new SSH Block, simply called sshblock2.
+It sould run out of the box on FreeBSD, Mac OS X, Linux and Solaris, though
+there are some extra steps to make it work with Solaris (since TCP Wrappers
+arn't enabled by default and no logging is done.)
+
+
+NOTE TO SOLARIS USERS
+
+There are some things you have to do to your system before this script
+will acually work under Solaris.
+To start with, TCP Wrappers is not enabled by default on Solaris 10. How to
+enable TCP Wrappers and some info about it can be found here:
+http://www.sun.com/bigadmin/content/submitted/tcp_wrap_solaris10.html
+
+Second, you have to enable syslog logging of the ssh daemon. This is done by
+editing /etc/syslog.conf.
+Adding the following line will have sshd logging to /var/log/authlog
+
+auth.info /var/log/authlog
+
+Now you can run the script (as root) and it will block IP numbers of probing
+hosts. The scripts will add this hosts to your /etc/hosts.deny file like this:
+
+#BEGIN_SSHBLOCK
+sshd : 192.168.0.1
+sshd : 10.0.0.3
+#END_SSHBLOCK
+
+I would recommend to backup your /etc/hosts.deny and your /etc/syslog.conf
+before making changes and running the script.
diff --git a/sshblock2.sh b/sshblock2.sh
new file mode 100755
index 0000000..ab9402a
--- /dev/null
+++ b/sshblock2.sh
@@ -0,0 +1,216 @@ +#!/bin/bash + +################################################################################ +# # +# Copyright (C) 2006 Jack-Benny Persson # +# # +# This program is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +################################################################################ + +# Version 2.3 +# +# SSH Block 2 - A script that blocks SSH probing hosts in /etc/hosts.deny +# This is version two of SSH Block, wich is a total re-write of the original +# code. This version should work on Linux, FreeBSD, Solaris and Mac OS X. +# Please read the README file for more information. + +#If these users are trying to login via SSH, the host is instantly blocked. +#Be careful not to add users that normaly login via SSH here... +BLOCK_USERS=("mysql" "nobody") + +SLEEP_TIME=10 +OS=`uname` + +if [ "$OS" = "FreeBSD" ]; then + DENYFILE="/etc/hosts.allow" #Both allow and deny in one file on FreeBSD +elif [ "$OS" != "FreeBSD" ]; then + DENYFILE="/etc/hosts.deny" #The default way... +fi + + +if [ "$UID" -ne 0 ]; then + echo "Must be run as root" + exit 2 +fi + +#The default way... +print_ip() +{ + sort | uniq | sed -e 's/^/sshd : /' >> ${DENYFILE} +} + +#The FreeBSD way... 
+print_ip_freebsd() +{ + sort | uniq | sed -e 's/^/sshd : /' | sed -e 's/$/ : deny/' >> \ + ${DENYFILE} +} + +#Diffrent logfiles with diffrent syntax on diffrent systems... +SunOS_greplog() +{ + grep sshd /var/log/authlog | grep 'invalid user' \ + | awk '{print $15}' - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep \ + "Failed keyboard-interactive for $i from" \ + /var/log/authlog; done | awk '{print $14}' - | sort | uniq +} + +FreeBSD_greplog() +{ + (grep 'Illegal user' /var/log/auth.log || \ + grep 'Invalid user' /var/log/auth.log) \ + | awk '{print $10}' - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \ + /var/log/auth.log; done | awk '{print $11}' - | sort | uniq +} + +OpenBSD_greplog() +{ + grep 'Invalid user' /var/log/authlog \ + | awk '{print $10}' - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \ + /var/log/authlog; done | awk '{print $11}' - | sort | uniq +} + +Linux_greplog() +{ + (grep '[Ii]nvalid user' /var/log/messages || \ + grep '[Ii]nvalid user' /var/log/auth.log || \ + grep '[Ii]llegal user' /var/log/secure || \ + grep '[Ii]llegal user' /var/log/messages || \ + grep '[Ii]nvalid user' /var/log/secure) \ + | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep \ + "Authentication failure for $i from" \ + /var/log/messages; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \ + - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \ + /var/log/messages; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \ + - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \ + /var/log/auth.log; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \ + - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep \ + "Authentication failure for $i from" \ + /var/log/secure; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \ + - | sort | uniq +} + +Darwin_greplog() +{ + grep sshd /var/log/system.log | grep 
'illegal user' \ + | awk '{print $15}' - | sort | uniq + + for i in ${BLOCK_USERS[*]}; do grep \ + "Authentication failure for $i from" \ + /var/log/system.log; done | - | awk '{print $13}' sort | uniq + +} + +SunOS_size() +{ + ls -l /var/log/authlog | awk '{print $5}' +} + +Darwin_size() +{ + ls -l /var/log/system.log | awk '{print $5}' +} + +FreeBSD_size() +{ + ls -l /var/log/auth.log | awk '{print $5}' +} + +OpenBSD_size() +{ + ls -l /var/log/authlog | awk '{print $5}' +} + +Linux_size() +{ + if [ -e /var/log/secure ] && [ -e /var/log/messages ]; then + A=`ls -l /var/log/secure | awk '{print $5}'` + B=`ls -l /var/log/messages | awk '{print $5}'` + let C=A+B + echo $C + elif [ -e /var/log/secure ]; then + ls -l /var/log/secure | awk '{print $5}' + elif [ -e /var/log/messages ]; then + ls -l /var/log/messages | awk '{print $5}' + fi +} + +touch ${DENYFILE} + +#Check if we have run SSH Block before.... +RUN_BEFORE=`grep -c "#BEGIN_SSHBLOCK" ${DENYFILE}` +if [ $RUN_BEFORE -gt 0 ]; then + echo "/#BEGIN_SSHBLOCK/,/#END_SSHBLOCK/d|x" \ + | ex -s ${DENYFILE} +fi + +OLD_SIZE=0 + +#Here we go! 
+( +while true +do + case "$OS" in + SunOS) SIZE=`SunOS_size` ;; + Darwin) SIZE=`Darwin_size` ;; + FreeBSD) SIZE=`FreeBSD_size` ;; + OpenBSD) SIZE=`OpenBSD_size` ;; + Linux) SIZE=`Linux_size` ;; + esac + if [ $OLD_SIZE -ne $SIZE ]; then + + BLOCK_EXIST=`grep -c "#BEGIN_SSHBLOCK" ${DENYFILE}` + if [ $BLOCK_EXIST -gt 0 ]; then + echo "/#BEGIN_SSHBLOCK/,/#END_SSHBLOCK/d|x" \ + | ex -s ${DENYFILE} + fi + + echo "#BEGIN_SSHBLOCK" >> ${DENYFILE} + case "$OS" in + SunOS) SunOS_greplog | print_ip ;; + FreeBSD) FreeBSD_greplog | print_ip_freebsd ;; + OpenBSD) OpenBSD_greplog | print_ip ;; + Linux) Linux_greplog | print_ip ;; + Darwin) Darwin_greplog | print_ip ;; + esac + echo "#END_SSHBLOCK" >> ${DENYFILE} + case "$OS" in + SunOS) OLD_SIZE=`SunOS_size` ;; + Darwin) OLD_SIZE=`Darwin_size` ;; + FreeBSD) OLD_SIZE=`FreeBSD_size` ;; + OpenBSD) OLD_SIZE=`OpenBSD_size` ;; + Linux) OLD_SIZE=`Linux_size` ;; + esac + sleep ${SLEEP_TIME} + else + sleep ${SLEEP_TIME} + fi +done +) 2> /dev/null &
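Review bot: The second pipeline in Darwin_greplog is broken: `/var/log/system.log; done | - | awk '{print $13}' sort | uniq` pipes into a command named `-` and hands `sort` to awk as a filename, so on Mac OS X the BLOCK_USERS scan never produces an address, and the `2> /dev/null` on the background subshell at the end of the file hides the failure; the line should read `/var/log/system.log; done | awk '{print $13}' - | sort | uniq`. More generally, every *_greplog except the Linux one selects the address by awk field position from a log line that also carries the attempted username, a value the remote client chooses, so a name containing spaces shifts the fields and whatever token lands in that position is appended verbatim to hosts.deny (hosts.allow on FreeBSD) as an `sshd : ...` rule. Applying the filter the Linux variant already uses inside the writers closes that: make the first line of print_ip `grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort | uniq | sed -e 's/^/sshd : /' >> ${DENYFILE}` and do the same in print_ip_freebsd, so only a well-formed IPv4 token can reach the deny file. Related: `[ $OLD_SIZE -ne $SIZE ]` is evaluated with an empty SIZE when `$OS` matches none of the case arms or the expected log file is absent, which the same stderr redirect silences; a `: "${SIZE:?no log size for $OS}"` guard before the test would surface that instead of looping forever.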