First push of files

README

@@ -0,0 +1,57 @@
+SSH Block 2
+
+I am glad to announce version 2 of the SSH Block script!
+Version two contains many improvments over the earlier versions.
+
+A quick list with the best of version two:
+- Total re-write of the code
+- No more catting back and forth thruogh the script
+- No more strange temp files in /Var/state/ssh_block
+- ONE scriptfile for all system (Linux, FreeBSD, Solaris and Mac OS X)
+- No more un-neccesary grepping. The script only "greps" if the size of the
+log file has changed. This way it uses less system recuorces.
+- The blocked IP's are now inserted directly into hosts.deny
+
+I came up with ideea of making a version two since I made the port to Solaris
+and Mac OS X. I liked the code that came out of these two ports. Later on I
+started thinking about what can be done about the script re-writing 
+the hosts.deny file every 10 second. So for this I added the logfile size check.
+And I didn't like having 4 diffrent versions (5 if you count the iptable 
+version) of the script. So I made a "One for all" version.
+
+I hope version two of SSH Block will be appreciated both among version one users
+aswell as among new users.
+
+Please drop me an e-mail with comments, bugs, improvments or just about 
+anything!
+
+This is the new SSH Block, simply called sshblock2.
+It sould run out of the box on FreeBSD, Mac OS X, Linux and Solaris, though
+there are some extra steps to make it work with Solaris (since TCP Wrappers
+arn't enabled by default and no logging is done.)
+
+
+NOTE TO SOLARIS USERS
+
+There are some things you have to do to your system before this script
+will acually work under Solaris.
+To start with, TCP Wrappers is not enabled by default on Solaris 10. How to
+enable TCP Wrappers and some info about it can be found here:
+http://www.sun.com/bigadmin/content/submitted/tcp_wrap_solaris10.html
+
+Second, you have to enable syslog logging of the ssh daemon. This is done by
+editing /etc/syslog.conf.
+Adding the following line will have sshd logging to /var/log/authlog
+
+auth.info /var/log/authlog
+
+Now you can run the script (as root) and it will block IP numbers of probing
+hosts. The scripts will add this hosts to your /etc/hosts.deny file like this:
+
+#BEGIN_SSHBLOCK
+sshd : 192.168.0.1
+sshd : 10.0.0.3
+#END_SSHBLOCK
+
+I would recommend to backup your /etc/hosts.deny and your /etc/syslog.conf
+before making changes and running the script.

sshblock2.sh

@@ -0,0 +1,216 @@
+#!/bin/bash
+
+################################################################################
+#                                                                              #
+#  Copyright (C) 2006 Jack-Benny Persson <jake@cyberinfo.se>                   #
+#                                                                              #
+#   This program is free software; you can redistribute it and/or modify       #
+#   it under the terms of the GNU General Public License as published by       #
+#   the Free Software Foundation; either version 2 of the License, or          #
+#   (at your option) any later version.                                        #
+#                                                                              #
+#   This program is distributed in the hope that it will be useful,            #
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of             #
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              #
+#   GNU General Public License for more details.                               #
+#                                                                              #
+#   You should have received a copy of the GNU General Public License          #
+#   along with this program; if not, write to the Free Software                #
+#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA  #
+#                                                                              #
+################################################################################
+
+# Version 2.3
+#
+# SSH Block 2 - A script that blocks SSH probing hosts in /etc/hosts.deny
+# This is version two of SSH Block, wich is a total re-write of the original
+# code. This version should work on Linux, FreeBSD, Solaris and Mac OS X.
+# Please read the README file for more information.
+
+#If these users are trying to login via SSH, the host is instantly blocked.
+#Be careful not to add users that normaly login via SSH here...
+BLOCK_USERS=("mysql" "nobody")
+
+SLEEP_TIME=10
+OS=`uname`
+
+if [ "$OS" = "FreeBSD" ]; then
+        DENYFILE="/etc/hosts.allow" #Both allow and deny in one file on FreeBSD
+elif [ "$OS" != "FreeBSD" ]; then
+        DENYFILE="/etc/hosts.deny" #The default way...
+fi
+
+
+if [ "$UID" -ne 0 ]; then
+        echo "Must be run as root"
+        exit 2
+fi
+
+#The default way...
+print_ip()
+{
+        sort | uniq | sed -e 's/^/sshd : /' >> ${DENYFILE}
+}
+
+#The FreeBSD way...
+print_ip_freebsd()
+{
+        sort | uniq | sed -e 's/^/sshd : /' | sed -e 's/$/ : deny/' >> \
+        ${DENYFILE}
+}
+
+#Diffrent logfiles with diffrent syntax on diffrent systems...
+SunOS_greplog()
+{
+        grep sshd /var/log/authlog | grep 'invalid user' \
+        | awk '{print $15}' - | sort | uniq
+
+        for i in ${BLOCK_USERS[*]}; do grep \
+        "Failed keyboard-interactive for $i from" \
+        /var/log/authlog; done | awk '{print $14}' - | sort | uniq
+}
+
+FreeBSD_greplog()
+{
+        (grep 'Illegal user' /var/log/auth.log || \
+        grep 'Invalid user' /var/log/auth.log) \
+        | awk '{print $10}' - | sort | uniq
+        
+        for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
+        /var/log/auth.log; done | awk '{print $11}' - | sort | uniq
+}
+
+OpenBSD_greplog()
+{
+        grep 'Invalid user' /var/log/authlog \
+        | awk '{print $10}' - | sort | uniq
+        
+        for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
+        /var/log/authlog; done | awk '{print $11}' - | sort | uniq
+}
+
+Linux_greplog()
+{
+        (grep '[Ii]nvalid user' /var/log/messages || \
+        grep '[Ii]nvalid user' /var/log/auth.log || \
+        grep '[Ii]llegal user' /var/log/secure || \
+        grep '[Ii]llegal user' /var/log/messages || \
+        grep '[Ii]nvalid user' /var/log/secure) \
+        | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' - | sort | uniq
+
+        for i in ${BLOCK_USERS[*]}; do grep \
+        "Authentication failure for $i from" \
+        /var/log/messages; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
+        - | sort | uniq
+        
+        for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
+        /var/log/messages; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
+        - | sort | uniq
+
+        for i in ${BLOCK_USERS[*]}; do grep "Failed password for $i from" \
+        /var/log/auth.log; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
+        - | sort | uniq
+        
+        for i in ${BLOCK_USERS[*]}; do grep \
+        "Authentication failure for $i from" \
+        /var/log/secure; done | egrep -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' \
+        - | sort | uniq
+}
+
+Darwin_greplog()
+{
+        grep sshd /var/log/system.log | grep 'illegal user' \
+        | awk '{print $15}' - | sort | uniq
+
+        for i in ${BLOCK_USERS[*]}; do grep \
+        "Authentication failure for $i from" \
+        /var/log/system.log; done |  - | awk '{print $13}' sort | uniq
+
+}
+
+SunOS_size() 
+{ 
+        ls -l /var/log/authlog | awk '{print $5}' 
+}
+
+Darwin_size() 
+{ 
+        ls -l /var/log/system.log | awk '{print $5}' 
+}
+
+FreeBSD_size() 
+{ 
+        ls -l /var/log/auth.log | awk '{print $5}' 
+}
+
+OpenBSD_size() 
+{ 
+        ls -l /var/log/authlog | awk '{print $5}' 
+}
+
+Linux_size()
+{
+        if [ -e /var/log/secure ] && [ -e /var/log/messages ]; then
+                A=`ls -l /var/log/secure | awk '{print $5}'`
+                B=`ls -l /var/log/messages | awk '{print $5}'`
+                let C=A+B
+                echo $C
+        elif [ -e /var/log/secure ]; then
+                ls -l /var/log/secure | awk '{print $5}'
+        elif [ -e /var/log/messages ]; then
+                ls -l /var/log/messages | awk '{print $5}'
+        fi
+}
+
+touch ${DENYFILE}
+
+#Check if we have run SSH Block before....
+RUN_BEFORE=`grep -c "#BEGIN_SSHBLOCK" ${DENYFILE}`
+if [ $RUN_BEFORE -gt 0 ]; then
+        echo "/#BEGIN_SSHBLOCK/,/#END_SSHBLOCK/d|x" \
+        | ex -s ${DENYFILE}
+fi
+
+OLD_SIZE=0
+
+#Here we go!
+(
+while true
+do
+        case "$OS" in
+                SunOS) SIZE=`SunOS_size` ;;
+                Darwin) SIZE=`Darwin_size` ;;
+                FreeBSD) SIZE=`FreeBSD_size` ;;
+                OpenBSD) SIZE=`OpenBSD_size` ;;
+                Linux) SIZE=`Linux_size` ;;
+        esac
+        if [ $OLD_SIZE -ne $SIZE ]; then
+                
+                BLOCK_EXIST=`grep -c "#BEGIN_SSHBLOCK" ${DENYFILE}`
+                if [ $BLOCK_EXIST -gt 0 ]; then
+                        echo "/#BEGIN_SSHBLOCK/,/#END_SSHBLOCK/d|x" \
+                        | ex -s ${DENYFILE}
+                fi
+                
+                echo "#BEGIN_SSHBLOCK" >> ${DENYFILE}
+                case "$OS" in
+                        SunOS) SunOS_greplog | print_ip ;;
+                        FreeBSD) FreeBSD_greplog | print_ip_freebsd ;;
+                        OpenBSD) OpenBSD_greplog | print_ip ;;
+                        Linux) Linux_greplog | print_ip ;;
+                        Darwin) Darwin_greplog | print_ip ;;
+                esac
+                echo "#END_SSHBLOCK" >> ${DENYFILE}
+                case "$OS" in
+                        SunOS) OLD_SIZE=`SunOS_size` ;;
+                        Darwin) OLD_SIZE=`Darwin_size` ;;
+                        FreeBSD) OLD_SIZE=`FreeBSD_size` ;;
+                        OpenBSD) OLD_SIZE=`OpenBSD_size` ;;
+                        Linux) OLD_SIZE=`Linux_size` ;;
+                esac
+                sleep ${SLEEP_TIME}
+        else
+                sleep ${SLEEP_TIME}
+        fi
+done
+) 2> /dev/null &