BashScripts.org

It is currently Thu May 23, 2013 9:12 pm

SSH login failure script - need error checking

Board index » The Scripts » The Sandbox

All times are UTC - 6 hours

Page 1 of 1

[ 8 posts ]

Print view

Previous topic | Next topic

Author

Message

CoreyM

Posted: Mon Nov 10, 2008 5:38 pm

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5

I need some form of error checking that can be stored in a file, from the script below. Wondering if you have any ideas that can help.

Thanks.

#!/bin/bash
########################################
##
## Bravo Red's login failure detection script.
##
########################################

########################################
##
## Set Variables here!
##
########################################

LOGFILE="/var/log/secure"
TMPFILE="/tmp/punkd.log"
BLOCKLIST="/tmp/block_list"
MAX_TRY="10"
DELAY="20"
EMAIL="administrator@bravo_red.com"
TRUSTED_IPS=""

########################################
##
## Here we use a "while" loop to keep
## things rolling...
##
########################################

while true; do

########################################
##
## Count the failures and make a
## 2 column tmp file in the format of:
## <COUNT> <IPADDR>
##
########################################

grep -E "sshd.+Failed" $LOGFILE |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > $TMPFILE

########################################
##
## Use 'exec' to direct the output of
## the tmpfile to 'read' in our next
## loop
##
########################################

exec < $TMPFILE

########################################
##
## Use 'read' to break out the ip and
## the number of occurrences, check
## for existence in block list, and
## block if necessary
##
########################################

while read COUNT IPADDR ; do
## Check to see if the IP is already in the list
PRE=$(grep $IPADDR $BLOCKLIST)

## If it's not in the list...
if [ -z "$PRE" ]; then

## And it occurs greater than or equal to $MAX_TRY times...
if [ "$COUNT" -ge "$MAX_TRY" ]; then

## We drop it into the block list...
echo $IPADDR >> $BLOCKLIST

## Email ourselves...
echo "$IPADDR ($COUNT failures) is being added to the list" |
mail $EMAIL -s "New Blocked IP - $IPADDR"

## And make a log entry.
logger "$IPADDR ($COUNT failures) added to the block list"

fi
fi
done

########################################
##
## Sleep for $DELAY seconds, start over
##
########################################
sleep $DELAY
done

Top

jeo

Posted: Tue Nov 11, 2008 3:50 pm

Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242

OMG! I think I wrote that script!

I may be crazy... I may have gotten it from somebody else, modified it to fit my needs, and removed the credit (shame on me if that's the case...) I'm trying to find a reference to it somewhere to ease my mind... Where'd you find it? Here's mine:

Code:

[root@rowlf ~]# cat bin/punkd 
#!/bin/bash
########################################
##
##  Extra-simple brute force detection
##  script. Use at your own risk!
##
########################################

########################################
##
##  Set Variables here!
##
########################################

LOGFILE="/var/log/secure"
BLOCKLIST="/root/bin/firewall/block_list"
TMPFILE="/tmp/punkd.log"
MAX_TRY="12"
DELAY="30"
EMAIL="x@x.com"
IPTABLES="/sbin/iptables"
TRUSTED_IPS="x.x.x.x/32"

########################################
##
##  First thing we need to do is clear
##  any existing rules, and insert ours
##
########################################


## Reset the firewall...
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F

## Open it up for the good guys
for trusted_ips in $TRUSTED_IPS; do
  $IPTABLES -A INPUT -s $trusted_ips -j ACCEPT
done

## Shut it down for the bad guys
for blocked_ip in $(cat $BLOCKLIST); do
  $IPTABLES -A INPUT -s $blocked_ip -j DROP
done


########################################
##
##  Here we use a "while" loop to keep
##  things rolling...
##
########################################

while true; do

########################################
##
##  Count the failures and make a temp
##  file in the format of:
##  <COUNT> <IPADDR>
##
##  May be able to eliminate temp file
##  working on that...
##
########################################

grep -E "sshd.+Failed" $LOGFILE |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > $TMPFILE


########################################
##
##  Use 'exec' to direct the output of
##  the tmpfile to 'read' in our next
##  loop
##
########################################

exec < $TMPFILE


########################################
##
##  Use 'read' to break out the ip and
##  the number of occurrences, check
##  for existence in block list, and
##  block if necessary
##
########################################

while read COUNT IPADDR ; do
  ## Check to see if the IP is already in the list
  PRE=$(grep $IPADDR $BLOCKLIST)

  ## If it's not in the list...
  if [ -z "$PRE" ]; then

    ## And it occurs greater than or equal to $MAX_TRY times...
    if [ "$COUNT" -ge "$MAX_TRY" ]; then

      ## We drop it into the block list...
      echo $IPADDR >> $BLOCKLIST

      ## Reset the firewall...
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -F

      ## Open it up for the good guys
      for trusted_ips in $TRUSTED_IPS; do
        $IPTABLES -A INPUT -s $trusted_ips -j ACCEPT
      done

      ## Shut it down for the bad guys
      for blocked_ip in $(cat $BLOCKLIST); do
        $IPTABLES -A INPUT -s $blocked_ip -j DROP
      done

      ## Email ourselves...
      echo "$IPADDR ($COUNT failures) is being added to the list" |
      mail $EMAIL -s "Auto-punkd - $IPADDR"

      ## And make a log entry.
      logger "$IPADDR ($COUNT failures) is being Auto-punkd"

    fi
  fi
done

########################################
##
## Sleep for $DELAY seconds, start over
##
########################################
sleep $DELAY
done

I just did a diff and it looks like that version is missing the actual firewall work, so it's just logging the IPs. Did I steal an existing script and add the firewall bits, or did somebody use my script and take out the firewall bits? I can't remember!!! I'll feel really bad if I used somebody else's code without giving them credit though... This was a while ago...

But anyway, what kind of error checking did you want? All that script does is store the IPs in a file.

-J

Top

CoreyM

Posted: Tue Nov 11, 2008 7:02 pm

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5

Not sure, my mate gave it to me to modify for him. he mightve gotten it from somewhere but im not sure. I havent touched this script, its the same as what he gave me, however, i plan on doing a fair bit of modifying as well as adding a menu, and using error checking for user input..

eg. press 1 for...
press 2 for...
press 3 for...

So if the user presses 8, i need to work something out, maybe some kind of loop and notification to user.

Thanks.

Top

jeo

Posted: Tue Nov 11, 2008 9:42 pm

Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242

Right on, that's relatively easy to do. I'd need to know more details about what you want it to do though. The two functions you'll want to look into are "read" and "case". You can do error checking in between those two if you're looking for something specific. A basic input type thing for what it sounds like you're doing would be:

Code:

echo "Press 1 for choice 1"
echo "Press 2 for choice 2"
echo "Press 3 for choice 3"
read -p "Choice: " choice

case $choice in
  1)  echo "yay for choice 1";;
  2)  echo "yay for choice 2";;
  3)  echo "yay for choice 3";;
  *)  echo "sorry... didn't recognize your response :("
esac

Have fun!
-J

Top

CoreyM

Posted: Thu Nov 13, 2008 1:08 am

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5

i plan on doing the following for the menu:

echo "1) Press 1 to run script"
echo "2) Press 2 to view logfile"
echo "3) Press 3 to view output file"
echo "4) Press 4 to view blocklist"
echo 5) Press 5 to exit"
echo -n "Please make a selection: "
etc.
Ive looked into the read and case commands but they havent really given me the info i need to do some basic errorchecking. Any ideas?

Top

jeo

Posted: Thu Nov 13, 2008 11:49 am

Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242

Right, depending on what kind of error checking you want, it'll come before the case statement. In my example, any unexpected input prints "sorry... didn't recognize your response

"

If you want, you can put the menu in a function that you can loop back to in the event of unexpected input. Something like:

Code:

menu () {
  echo "Press 1 for choice 1"
  echo "Press 2 for choice 2"
  echo "Press 3 for choice 3"
  echo "Press q to quit"
  read -p "Choice: " choice
}

menu
case $choice in
  1)  echo "yay for choice 1"
      ;;
  2)  echo "yay for choice 2"
      ;;
  3)  echo "yay for choice 3"
      ;;
  q)  echo "Buhbye!"
      exit
      ;;
  *)  echo "sorry... didn't recognize your response :("
      menu
      ;;
esac

oops... just noticed i left out a ';;' in my first example

Top

CoreyM

Posted: Thu Nov 13, 2008 7:06 pm

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5

This is my script so far, i cant get it running as it is either giving me a syntax error near unexpected token '}' on line 44, or is giving me an unexpected end of file. I cant see what im doing wrong, if theres anything that looks wrong, please let me know.

Thanks. :lol:

#!/bin/bash

### List of functions
LOGFILE="/var/log/secure"
OUTPUTFILE="/home/ssh/log.txt"
BLOCKLIST="/home/ssh/blocklist.txt"
MAX_ATTEMPTS="5"
ACCEPTED_IPS= "172.16.0.1 172.16.0.2"

menu()
{
echo "1) Press 1 to run the script."
echo "2) Press 2 to view the logfile."
echo "3) Press 3 to view the output file."
echo "4) Press 4 to view the blocklist."
echo "5) Press 5 to exit."
echo -n "Please make a valid selection: "
read menu
case "$menu" in
1) runscript ;;
2) runlog ;;
3) lookout ;;
4)viewblock ;;
5) exitscript ;;
*) echo "\$menu\" is not a valid option." ;;
esac
}
runscript()
{
while true; do

### counts failures and makes a two column output file in the format of <count> <ipaddr>
grep -E "sshd.+Failed" $LOGFILE |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > $OUTPUTFILE

### directs output of $output file to 'read' in the next loop
exec < $OUTPUTFILE

### check to see if the IP address is already in the blocklist
while read count IPADDR; do
PRE=$(grep $IPADDR $BLOCKLIST)

### if it isnt in the list...
if [ -z "$PRE" ]; then

### and it occurs greater than or equal to $MAX_ATTEMPTS...
if ["$COUNT" -ge "$MAX_ATTEMPTS" ]; then

###we place it into the blocklist...
echo $IPADDR >> $BLOCKLIST

### and make a log entry.
logger "$IPADDR ($COUNT failures) added to the blocklist"
fi
fi
done
}
runlog()
{
cat $LOGFILE ###displays contents of /home/log/secure
}
lookout()
{
cat $OUTPUTFILE ### displays contents of /home/ssh/log.txt
}
viewblock()
{
cat $BLOCKLIST ### displays contents of /home/ssh/blocklist.txt
}
exitscript()
{
echo "Be sure to run this script again in the near future."
}
exit

Top

CoreyM

Posted: Thu Nov 13, 2008 7:08 pm

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5

sorry, forget the lack of indentation, but you get the idea...

Top

Page 1 of 1

[ 8 posts ]

Board index » The Scripts » The Sandbox

All times are UTC - 6 hours

Who is online

Users browsing this forum: No registered users and 4 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

BashScripts | Promote Your Page Too

SSH login failure script - need error checking

Who is online