jackbenny/sshblock2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

First push of files

Browse Source
This commit is contained in:
Jack-Benny Persson 2012-01-26 02:38:56 +01:00
commit a35e3c45ea
2 changed files with 273 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
README Normal file
View File

@ -0,0 +1,57 @@
SSH Block 2
I am glad to announce version 2 of the SSH Block script!
Version two contains many improvments over the earlier versions.
A quick list with the best of version two:
- Total re-write of the code
- No more catting back and forth thruogh the script
- No more strange temp files in /Var/state/ssh_block
- ONE scriptfile for all system (Linux, FreeBSD, Solaris and Mac OS X)
- No more un-neccesary grepping. The script only "greps" if the size of the
log file has changed. This way it uses less system recuorces.
- The blocked IP's are now inserted directly into hosts.deny
I came up with ideea of making a version two since I made the port to Solaris
and Mac OS X. I liked the code that came out of these two ports. Later on I
started thinking about what can be done about the script re-writing
the hosts.deny file every 10 second. So for this I added the logfile size check.
And I didn't like having 4 diffrent versions (5 if you count the iptable
version) of the script. So I made a "One for all" version.
I hope version two of SSH Block will be appreciated both among version one users
aswell as among new users.
Please drop me an e-mail with comments, bugs, improvments or just about
anything!
This is the new SSH Block, simply called sshblock2.
It sould run out of the box on FreeBSD, Mac OS X, Linux and Solaris, though
there are some extra steps to make it work with Solaris (since TCP Wrappers
arn't enabled by default and no logging is done.)
NOTE TO SOLARIS USERS
There are some things you have to do to your system before this script
will acually work under Solaris.
To start with, TCP Wrappers is not enabled by default on Solaris 10. How to
enable TCP Wrappers and some info about it can be found here:
http://www.sun.com/bigadmin/content/submitted/tcp_wrap_solaris10.html
Second, you have to enable syslog logging of the ssh daemon. This is done by
editing /etc/syslog.conf.
Adding the following line will have sshd logging to /var/log/authlog
auth.info /var/log/authlog
Now you can run the script (as root) and it will block IP numbers of probing
hosts. The scripts will add this hosts to your /etc/hosts.deny file like this:
#BEGIN_SSHBLOCK
sshd : 192.168.0.1
sshd : 10.0.0.3
#END_SSHBLOCK
I would recommend to backup your /etc/hosts.deny and your /etc/syslog.conf
before making changes and running the script.

216
sshblock2.sh Executable file
View File

@ -0,0 +1,216 @@
#!/bin/bash
################################################################################
# #
# Copyright (C) 2006 Jack-Benny Persson <jake@cyberinfo.se> #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
################################################################################
# Version 2.3
#
# SSH Block 2 - A script that blocks SSH probing hosts in /etc/hosts.deny
# This is version two of SSH Block, wich is a total re-write of the original
# code. This version should work on Linux, FreeBSD, Solaris and Mac OS X.
# Please read the README file for more information.
#If these users are trying to login via SSH, the host is instantly blocked.
#Be careful not to add users that normaly login via SSH here...
BLOCK_USERS=("mysql" "nobody")
SLEEP_TIME=10
OS=`uname`
if [ "$OS" = "FreeBSD" ]; then
DENYFILE="/etc/hosts.allow" #Both allow and deny in one file on FreeBSD
elif [ "$OS" != "FreeBSD" ]; then
DENYFILE="/etc/hosts.deny" #The default way...
fi
if [ "$UID" -ne 0 ]; then
echo "Must be run as root"
exit 2
fi
#The default way...
print_ip()
{
sort | uniq | sed -e 's/^/sshd : /' >> ${DENYFILE}
}
#The FreeBSD way...
print_ip_freebsd()
{
sort | uniq | sed -e 's/^/sshd : /' | sed -e 's/$/ : deny/' >> \
${DENYFILE}
}
#Diffrent logfiles with diffrent syntax on diffrent systems...
SunOS_greplog()
{
grep sshd /var/log/authlog | grep 'invalid user' \
| awk '{print $15}' - | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep \
"Failed keyboard-interactive for $i from" \
/var/log/authlog; done | awk '{print $14}' - | sort | uniq
}
FreeBSD_greplog()
{
(grep 'Illegal user' /var/log/auth.log || \
grep 'Invalid user' /var/log/auth.log) \
| awk '{print $10}' - | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
/var/log/auth.log; done | awk '{print $11}' - | sort | uniq
}
OpenBSD_greplog()
{
grep 'Invalid user' /var/log/authlog \
| awk '{print $10}' - | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
/var/log/authlog; done | awk '{print $11}' - | sort | uniq
}
Linux_greplog()
{
(grep '[Ii]nvalid user' /var/log/messages || \
grep '[Ii]nvalid user' /var/log/auth.log || \
grep '[Ii]llegal user' /var/log/secure || \
grep '[Ii]llegal user' /var/log/messages || \
grep '[Ii]nvalid user' /var/log/secure) \
| egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' - | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep \
"Authentication failure for $i from" \
/var/log/messages; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
- | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
/var/log/messages; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
- | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
/var/log/auth.log; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
- | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep \
"Authentication failure for $i from" \
/var/log/secure; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
- | sort | uniq
}
Darwin_greplog()
{
grep sshd /var/log/system.log | grep 'illegal user' \
| awk '{print $15}' - | sort | uniq
for i in ${BLOCK_USERS[*]}; do grep \
"Authentication failure for $i from" \
/var/log/system.log; done | - | awk '{print $13}' sort | uniq
}
SunOS_size()
{
ls -l /var/log/authlog | awk '{print $5}'
}
Darwin_size()
{
ls -l /var/log/system.log | awk '{print $5}'
}
FreeBSD_size()
{
ls -l /var/log/auth.log | awk '{print $5}'
}
OpenBSD_size()
{
ls -l /var/log/authlog | awk '{print $5}'
}
Linux_size()
{
if [ -e /var/log/secure ] && [ -e /var/log/messages ]; then
A=`ls -l /var/log/secure | awk '{print $5}'`
B=`ls -l /var/log/messages | awk '{print $5}'`
let C=A+B
echo $C
elif [ -e /var/log/secure ]; then
ls -l /var/log/secure | awk '{print $5}'
elif [ -e /var/log/messages ]; then
ls -l /var/log/messages | awk '{print $5}'
fi
}
touch ${DENYFILE}
#Check if we have run SSH Block before....
RUN_BEFORE=`grep -c "#BEGIN_SSHBLOCK" ${DENYFILE}`
if [ $RUN_BEFORE -gt 0 ]; then
echo "/#BEGIN_SSHBLOCK/,/#END_SSHBLOCK/d|x" \
| ex -s ${DENYFILE}
fi
OLD_SIZE=0
#Here we go!
(
while true
do
case "$OS" in
SunOS) SIZE=`SunOS_size` ;;
Darwin) SIZE=`Darwin_size` ;;
FreeBSD) SIZE=`FreeBSD_size` ;;
OpenBSD) SIZE=`OpenBSD_size` ;;
Linux) SIZE=`Linux_size` ;;
esac
if [ $OLD_SIZE -ne $SIZE ]; then
BLOCK_EXIST=`grep -c "#BEGIN_SSHBLOCK" ${DENYFILE}`
if [ $BLOCK_EXIST -gt 0 ]; then
echo "/#BEGIN_SSHBLOCK/,/#END_SSHBLOCK/d|x" \
| ex -s ${DENYFILE}
fi
echo "#BEGIN_SSHBLOCK" >> ${DENYFILE}
case "$OS" in
SunOS) SunOS_greplog | print_ip ;;
FreeBSD) FreeBSD_greplog | print_ip_freebsd ;;
OpenBSD) OpenBSD_greplog | print_ip ;;
Linux) Linux_greplog | print_ip ;;
Darwin) Darwin_greplog | print_ip ;;
esac
echo "#END_SSHBLOCK" >> ${DENYFILE}
case "$OS" in
SunOS) OLD_SIZE=`SunOS_size` ;;
Darwin) OLD_SIZE=`Darwin_size` ;;
FreeBSD) OLD_SIZE=`FreeBSD_size` ;;
OpenBSD) OLD_SIZE=`OpenBSD_size` ;;
Linux) OLD_SIZE=`Linux_size` ;;
esac
sleep ${SLEEP_TIME}
else
sleep ${SLEEP_TIME}
fi
done
) 2> /dev/null &