Security Notice Script


All times are UTC - 6 hours


 PostPosted: Sun Dec 17, 2006 3:04 pm   

Joined: Sun Dec 17, 2006 3:01 pm
Posts: 1
I'm looking to write a script that will notify me via email and/or by printed report when a certain user logs in, tries to access a restricted directory, or when the user is trying to log in and the password has failed more than 3 consecutive times. Any help is greatly appreciated. Thanks in advance.


 PostPosted: Tue May 08, 2007 11:14 am   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
Okay, I know this post is old, but I hate unanswered posts! In case anybody is still interested in an answer to this question, here's a script that I used to use to block IPs with excessive ssh login failures. You may need to change some things depending on what flavor of *NIX you run it on. In its current configuration, it should work on a RedHat Enterprise 3 system, and will add any IP address with 10 login failures (since the log was rotated, which was daily in my case) to a block list, and send an email notification.

I also had some firewall rules in there originally, but I cut them out for this exercise. It could be easily modified to get usernames as well, and you could use the log that it generates as your printed report! Let me know if it's useful.

Code:
#!/bin/bash
########################################
##
##  Jeo's login failure detection script.
##
########################################

########################################
##
##  Set Variables here!
##
########################################

LOGFILE="/var/log/secure"
BLOCKLIST="/tmp/block_list"
MAX_TRY="10"
DELAY="20"
EMAIL="you@yourdomain.com"
## Space-separated IPs that must never be blocked (your own, for example).
TRUSTED_IPS=""

## Use a private temp file instead of a fixed name in /tmp, so another
## local user cannot pre-create or symlink it before the script runs.
TMPFILE=$(mktemp) || exit 1
trap 'rm -f "$TMPFILE"' EXIT

## Make sure the block list exists so the grep below does not error out.
touch "$BLOCKLIST"

########################################
##
##  Here we use a "while" loop to keep
##  things rolling...
##
########################################

while true; do

########################################
##
##  Count the failures and make a
##  2 column tmp file in the format of:
##  <COUNT> <IPADDR>
##
########################################

grep -E "sshd.+Failed" "$LOGFILE" |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > "$TMPFILE"


########################################
##
##  Use 'read' to break out the ip and
##  the number of occurrences, check
##  for existence in block list, and
##  block if necessary. The loop reads
##  the tmp file through a redirection
##  on 'done', so the script's own stdin
##  is left alone.
##
########################################

while read -r COUNT IPADDR ; do
  ## Never block a trusted IP
  case " $TRUSTED_IPS " in *" $IPADDR "*) continue ;; esac

  ## Check to see if the IP is already in the list.
  ## -F matches literally (dots are regex metacharacters) and -x matches
  ## the whole line, so 10.0.0.1 cannot match an entry for 10.0.0.10.
  if ! grep -Fxq -- "$IPADDR" "$BLOCKLIST"; then

    ## And it occurs greater than or equal to $MAX_TRY times...
    if [ "$COUNT" -ge "$MAX_TRY" ]; then

      ## We drop it into the block list...
      echo "$IPADDR" >> "$BLOCKLIST"

      ## Email ourselves (subject option before the address, which
      ## every mail/mailx variant accepts)...
      echo "$IPADDR ($COUNT failures) is being added to the list" |
      mail -s "New Blocked IP - $IPADDR" "$EMAIL"

      ## And make a log entry.
      logger "$IPADDR ($COUNT failures) added to the block list"

    fi
  fi
done < "$TMPFILE"

########################################
##
## Sleep for $DELAY seconds, start over
##
########################################
sleep "$DELAY"
done


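The script above counts failures per source IP over the whole log, which is the right unit for a block list, but the original question also asked for per-user detection: an alert when a named account logs in, and one when a user's password fails more than three times in a row (a count that should reset once that user gets in). The following is an added example, not code from this thread or from Jeo's script, that does that with awk over /var/log/secure-style sshd lines read from stdin. The sample log, hostnames, user names and addresses are constructed for illustration; the "restricted directory" case from the question is not covered here because sshd's auth log does not record filesystem access.

```shell
#!/bin/sh
# Added example (not from the original thread): per-user sshd login
# monitoring over /var/log/secure style lines read from stdin.

# Constructed sample log lines (not a real capture). Field layout:
#   Mon DD HH:MM:SS host sshd[PID]: (Failed|Accepted) METHOD for [invalid user] USER from IP port N ssh2
SAMPLE_LOG='Dec 17 15:01:02 web1 sshd[2201]: Failed password for bob from 10.0.0.5 port 4242 ssh2
Dec 17 15:01:05 web1 sshd[2201]: Failed password for bob from 10.0.0.5 port 4242 ssh2
Dec 17 15:01:09 web1 sshd[2203]: Accepted password for bob from 10.0.0.5 port 4243 ssh2
Dec 17 15:02:00 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Dec 17 15:02:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Dec 17 15:02:03 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Dec 17 15:02:04 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Dec 17 15:03:11 web1 sshd[2220]: Accepted publickey for root from 192.168.1.20 port 60000 ssh2'

# consecutive_failures MAX   (log on stdin)
# Prints "USER IP" once each time a user's run of consecutive failed
# logins reaches MAX. An accepted login for that user resets the run,
# so someone who typos twice and then gets in does not trigger an alert.
consecutive_failures() {
  awk -v max="$1" '
    $5 ~ /^sshd\[[0-9]+]:$/ && ($6 == "Failed" || $6 == "Accepted") {
      # user follows "for" (skipping "invalid user"), address follows "from"
      for (i = 7; i <= NF; i++) {
        if ($i == "for")  { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1) }
        if ($i == "from") { ip = $(i+1) }
      }
      if ($6 == "Accepted") { fail[user] = 0; next }
      if (++fail[user] == max) print user, ip
    }'
}

# watched_logins "USER USER ..."   (log on stdin)
# Prints "USER IP METHOD" for every accepted login by a watched account.
watched_logins() {
  awk -v watched="$1" '
    BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    $5 ~ /^sshd\[[0-9]+]:$/ && $6 == "Accepted" {
      for (i = 7; i <= NF; i++) {
        if ($i == "for")  { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1) }
        if ($i == "from") { ip = $(i+1) }
      }
      if (user in watch) print user, ip, $7
    }'
}

# Demonstration on the constructed sample. In production you would feed
# `tail -F /var/log/secure` instead and pipe each output line to
# mail/logger the way the block-list script does.
printf '%s\n' "$SAMPLE_LOG" | consecutive_failures 3
printf '%s\n' "$SAMPLE_LOG" | watched_logins "root alice"
```

On the sample, bob's two failures are wiped out by his successful login, the invalid-user "admin" stream fires once when it reaches three, and only root's key login is reported among the watched accounts. Keying the streak on the user name rather than the source address is deliberate: a password-guessing run against one account from several addresses still shows up, while the IP-based block list above catches the opposite pattern.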
 PostPosted: Tue May 08, 2007 11:31 am   
Site Admin

Joined: Sun May 15, 2005 9:36 pm
Posts: 669
Location: Des Moines, Iowa
Nice script. :)


 PostPosted: Tue May 08, 2007 12:52 pm   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
Thanks! I have a bunch of things like this lying around from back when I was doing web hosting :)

(/me goes to find more stuff to post to try to get more people back to the site ;)


 PostPosted: Fri May 11, 2007 11:16 am   
Site Admin

Joined: Sun May 15, 2005 9:36 pm
Posts: 669
Location: Des Moines, Iowa
jeo wrote:
Thanks! I have a bunch of things like this lying around from back when I was doing web hosting :)

(/me goes to find more stuff to post to try to get more people back to the site ;)


:D ///////// just tar it up and send me your /Scripts directory :lol: ........ I'd be MIA for weeks :D :D


 PostPosted: Wed Jun 20, 2007 8:20 am   

Joined: Wed Mar 28, 2007 8:31 am
Posts: 4
crouse wrote:
jeo wrote:
Thanks! I have a bunch of things like this lying around from back when I was doing web hosting :)

(/me goes to find more stuff to post to try to get more people back to the site ;)


:D ///////// just tar it up and send me your /Scripts directory :lol: ........ I'd be MIA for weeks :D :D


That would make two of us. Is your webpage available to us newbs?

:D


 PostPosted: Wed Jun 20, 2007 8:33 pm   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
I've got to find my old backups... A lot of the stuff I have is specific to the Plesk and Ensim control panels... My web site is something else that's been neglected... It's been "under construction" for about a year now :(


Powered by phpBB © 2011 phpBB Group
© 2003 - 2011 USA LINUX USERS GROUP