Sent: Wednesday, March 16, 2005 10:15 AM
Subject: Re: [cobaltfacts] Attempted Attacks



Is there a script that reads the auth file, looks for lines like
Failed password for admin from 62.193.235.117
and then places that IP in hosts.deny?

This might be a bit dangerous, what if you accidentally make a typo when logging
in, you will end up getting blocked yourself!



I could review the file and manually add the IPs,
but I'd rather have an automatic function.

How about the following script which you can run from cron as often as you like
(must be run as root)...


--- CUT FROM HERE ---

#!/bin/sh
# Report addresses seen failing logins that are not yet in /etc/hosts.deny.
# Must be run as root. Field numbers assume the standard syslog layout
# "Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from IP" and
# "Mon DD HH:MM:SS host sshd[pid]: Failed password for NAME from IP port N ssh2".
TMPFILE1=`mktemp /tmp/badip1.XXXXXX` || exit 1
TMPFILE2=`mktemp /tmp/badip2.XXXXXX` || exit 1
trap 'rm -f "${TMPFILE1}" "${TMPFILE2}"' EXIT   # remove temp files on exit
grep "Invalid user" /var/log/auth | awk '{ print $10 }' >> "${TMPFILE1}"
# "Failed password for invalid user X from IP" shifts the fields, and those
# addresses are already collected by the "Invalid user" line above.
grep "Failed password" /var/log/auth | grep -v "invalid user" \
    | awk '{ print $11 }' >> "${TMPFILE1}"
sort "${TMPFILE1}" | uniq > "${TMPFILE2}"
cat /dev/null > "${TMPFILE1}"
for IPS in $(cat "${TMPFILE2}")
do
 # -F matches the address literally, so the dots are not regex wildcards
 if ! grep -F -q -- "${IPS}" /etc/hosts.deny
 then
   HOST=`host "${IPS}" 2> /dev/null | awk '{ print $5 }'`
   echo "${IPS}   (${HOST})"
 fi
done >> "${TMPFILE1}"
if [ -s "${TMPFILE1}" ]
then
 echo "Look at adding the following IP addresses to /etc/hosts.deny"
 echo "Add them by adding the line \"ALL : ip.add.re.ss\""
 echo ""
 cat "${TMPFILE1}"
fi

--- CUT TO HERE ---

It will output any IPs that have been logged as trying an invalid user or
failed password and where the IP does not already exist in /etc/hosts.deny.

It's not pretty, in fact I'll re-write it in Perl with some better error
checking when I have a moment.

Dan
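An added example, not Dan's script and not from the list: it counts sshd failures per source address from constructed auth-log lines, reports only addresses at or above a threshold and not on a local allowlist (which avoids the self-lockout mentioned earlier in the thread), and skips addresses already in hosts.deny. The candidate_ips name, the sample files and the field layout are assumptions.

```shell
#!/bin/sh
# Added example, not Dan's script: count sshd failures per source address,
# skip addresses already in hosts.deny or on a local allowlist, and report
# only addresses at or above a threshold, so one mistyped password from your
# own machine does not get it listed. Sample data below is constructed.

SAMPLE_LOG=$(mktemp /tmp/authsample.XXXXXX) || exit 1
SAMPLE_DENY=$(mktemp /tmp/denysample.XXXXXX) || exit 1
SAMPLE_ALLOW=$(mktemp /tmp/allowsample.XXXXXX) || exit 1
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_DENY" "$SAMPLE_ALLOW"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
Mar 16 10:01:02 sol sshd[4101]: Invalid user test from 192.0.2.10
Mar 16 10:01:05 sol sshd[4102]: Failed password for invalid user test from 192.0.2.10 port 40122 ssh2
Mar 16 10:01:09 sol sshd[4103]: Invalid user oracle from 192.0.2.10
Mar 16 10:02:11 sol sshd[4110]: Failed password for admin from 198.51.100.7 port 51001 ssh2
Mar 16 10:02:15 sol sshd[4111]: Failed password for admin from 198.51.100.7 port 51003 ssh2
Mar 16 10:02:19 sol sshd[4112]: Failed password for admin from 198.51.100.7 port 51008 ssh2
Mar 16 10:05:00 sol sshd[4120]: Failed password for dan from 203.0.113.5 port 33000 ssh2
Mar 16 10:06:00 sol sshd[4121]: Failed password for root from 203.0.113.99 port 33001 ssh2
Mar 16 10:06:02 sol sshd[4122]: Failed password for root from 203.0.113.99 port 33002 ssh2
Mar 16 10:06:04 sol sshd[4123]: Failed password for root from 203.0.113.99 port 33003 ssh2
EOF
echo "ALL : 203.0.113.99" > "$SAMPLE_DENY"   # constructed: already blocked
echo "203.0.113.5" > "$SAMPLE_ALLOW"         # constructed: the admin's own address

# candidate_ips LOG DENYFILE ALLOWFILE THRESHOLD
# Prints "ip count" for each address that should be reviewed for hosts.deny.
# The address is taken from the " from IP" part of the line rather than a
# fixed field number, so both "Invalid user" and "Failed password" forms work.
candidate_ips() {
    grep -E 'sshd\[[0-9]+\]: (Invalid user|Failed password)' "$1" \
    | awk '{ if (match($0, / from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                 n[substr($0, RSTART + 6, RLENGTH - 6)]++ }
           END { for (ip in n) print ip, n[ip] }' \
    | sort \
    | while read -r ip count; do
        [ "$count" -ge "$4" ] || continue          # below threshold
        grep -Fqw -- "$ip" "$2" && continue        # already in hosts.deny
        grep -Fqw -- "$ip" "$3" && continue        # on the allowlist
        echo "$ip $count"
      done
}

candidate_ips "$SAMPLE_LOG" "$SAMPLE_DENY" "$SAMPLE_ALLOW" 3
```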


What's nice about the hosts.allow file is you can also make a larger door by using an ISP hostname too.
If you have other machines you could leave yourself a back door too.
ALL: my.isp.com
ALL: 123.123.123.
ALL: 123.123.123.0/255.255.255.0


Even nicer is using one file by putting this in the hosts.deny and then forgetting about it.
ALL: ALL
Though PortSentry will still add its blocks below the above.
But since the hosts.allow is defined they are already blocked, e.g. ftp, ssh, pop3.


David


_______________________________________________ Cobaltfacts site list [email protected] http://list.cobaltfacts.com/mailman/listinfo.cgi/cobaltfacts