SSH login failure script - need error checking


All times are UTC - 6 hours


 PostPosted: Mon Nov 10, 2008 5:38 pm   

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5
I need some form of error checking that can be stored in a file, from the script below. Wondering if you have any ideas that can help.

Thanks.



#!/bin/bash
########################################
##
## Bravo Red's login failure detection script.
##
########################################

########################################
##
## Set Variables here!
##
########################################

LOGFILE="/var/log/secure"
TMPFILE="/tmp/punkd.log"      ## world-writable /tmp: a local user can pre-create
BLOCKLIST="/tmp/block_list"   ## or symlink these; a root-owned dir is safer
MAX_TRY="10"
DELAY="20"
EMAIL="administrator@bravo_red.com"
TRUSTED_IPS=""

## Make sure the block list exists, otherwise the grep
## below complains until the first IP gets blocked.
touch "$BLOCKLIST"

########################################
##
## Here we use a "while" loop to keep
## things rolling...
##
########################################

while true; do

########################################
##
## Count the failures and make a
## 2 column tmp file in the format of:
## <COUNT> <IPADDR>
##
########################################

grep -E "sshd.+Failed" "$LOGFILE" |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > "$TMPFILE"


########################################
##
## Use 'read' to break out the ip and
## the number of occurrences, check
## for existence in block list, and
## block if necessary. The tmp file is
## fed to the loop by the redirection
## on 'done' (an 'exec <' would replace
## the script's own stdin for good).
##
########################################

while read -r COUNT IPADDR ; do
## Check to see if the IP is already in the list
## (-x whole line, -F literal: 10.0.0.1 must not match 10.0.0.10)
if ! grep -qxF -- "$IPADDR" "$BLOCKLIST"; then

## And it occurs greater than or equal to $MAX_TRY times...
if [ "$COUNT" -ge "$MAX_TRY" ]; then

## We drop it into the block list...
echo "$IPADDR" >> "$BLOCKLIST"

## Email ourselves... (subject before the recipient, as mail(1) expects)
echo "$IPADDR ($COUNT failures) is being added to the list" |
mail -s "New Blocked IP - $IPADDR" "$EMAIL"

## And make a log entry.
logger "$IPADDR ($COUNT failures) added to the block list"

fi
fi
done < "$TMPFILE"

########################################
##
## Sleep for $DELAY seconds, start over
##
########################################
sleep "$DELAY"
done


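The extraction step in the script above, as an added example that is not part of the original post. It runs the thread's grep pipeline and an anchored alternative over a few constructed sshd log lines. sshd writes the attempted username verbatim into "Failed password for invalid user NAME from IP", so a username that happens to look like an IPv4 address is counted by the unanchored regex as a failure from that address; whoever is hammering the box can use that to get an address of their choosing, the admin's included, into the block list. The sample lines, the function names and the exact-match blocklist check are mine, not the thread's.

```shell
#!/bin/sh
# Added example: count sshd password failures per source address, anchoring
# on the "from <ip> port" field so an attacker-supplied username cannot
# inject an address into the count. Not the thread's script.

# Constructed sample log lines (not from a real host). Note the third line:
# the *username* is an IPv4 literal, which an unanchored regex also picks up.
SAMPLE_LOG='Nov 10 17:38:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40122 ssh2
Nov 10 17:38:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Nov 10 17:38:05 host sshd[2003]: Failed password for invalid user 198.51.100.7 from 203.0.113.5 port 40140 ssh2
Nov 10 17:38:09 host sshd[2004]: Accepted password for alice from 198.51.100.7 port 50000 ssh2
Nov 10 17:38:11 host sshd[2005]: Failed password for bob from 192.0.2.9 port 51000 ssh2'

# Naive extraction as in the thread: every dotted quad on a Failed line.
# Output normalised to "<count> <ip>" per line.
count_naive() {
    grep -E 'sshd.+Failed' |
    grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
    sort | uniq -c | awk '{print $1, $2}'
}

# Anchored extraction: only the address between " from " and " port ".
# The username sits before " from ", so it can never be captured.
count_anchored() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' |
    sed -n -E 's/.* from ([0-9a-fA-F.:]+) port [0-9]+ .*/\1/p' |
    sort | uniq -c | awk '{print $1, $2}'
}

# Failure count for one address read from "<count> <ip>" lines on stdin;
# prints 0 when the address is absent. $1 = address.
failures_for() {
    awk -v ip="$1" '$2 == ip {print $1; found=1} END {if (!found) print 0}'
}

# Exact-line membership test for the blocklist ($1 = ip, $2 = file).
# A bare "grep $IPADDR $BLOCKLIST" treats the dots as wildcards and also
# matches 10.0.0.10 when asked about 10.0.0.1.
in_blocklist() {
    [ -f "$2" ] && grep -qxF -- "$1" "$2"
}

# When run directly: show both tallies side by side.
echo "naive:";    printf '%s\n' "$SAMPLE_LOG" | count_naive
echo "anchored:"; printf '%s\n' "$SAMPLE_LOG" | count_anchored
```

With the sample above the naive tally charges one failure to 198.51.100.7, the address that only ever appears as a username; the anchored tally does not.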
 PostPosted: Tue Nov 11, 2008 3:50 pm   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
OMG! I think I wrote that script!

I may be crazy... I may have gotten it from somebody else, modified it to fit my needs, and removed the credit (shame on me if that's the case...) I'm trying to find a reference to it somewhere to ease my mind... Where'd you find it? Here's mine:

Code:
[root@rowlf ~]# cat bin/punkd
#!/bin/bash
########################################
##
##  Extra-simple brute force detection
##  script. Use at your own risk!
##
########################################

########################################
##
##  Set Variables here!
##
########################################

LOGFILE="/var/log/secure"
BLOCKLIST="/root/bin/firewall/block_list"
TMPFILE="/tmp/punkd.log"
MAX_TRY="12"
DELAY="30"
EMAIL="x@x.com"
IPTABLES="/sbin/iptables"
TRUSTED_IPS="x.x.x.x/32"

## The block list must exist before the first read/grep below.
touch "$BLOCKLIST"

########################################
##
##  First thing we need to do is clear
##  any existing rules, and insert ours.
##  The same thing happens after every
##  new block, so it lives in a function.
##  Note: '-F' flushes EVERY rule in the
##  filter table, not just the ones this
##  script added.
##
########################################

reload_firewall () {
  ## Reset the firewall...
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -F

  ## Open it up for the good guys
  for trusted_ip in $TRUSTED_IPS; do
    $IPTABLES -A INPUT -s "$trusted_ip" -j ACCEPT
  done

  ## Shut it down for the bad guys (skip blank lines)
  while read -r blocked_ip; do
    [ -n "$blocked_ip" ] && $IPTABLES -A INPUT -s "$blocked_ip" -j DROP
  done < "$BLOCKLIST"
}

reload_firewall


########################################
##
##  Here we use a "while" loop to keep
##  things rolling...
##
########################################

while true; do

########################################
##
##  Count the failures and make a temp
##  file in the format of:
##  <COUNT> <IPADDR>
##
##  May be able to eliminate temp file
##  working on that...
##
########################################

grep -E "sshd.+Failed" "$LOGFILE" |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > "$TMPFILE"


########################################
##
##  Use 'read' to break out the ip and
##  the number of occurrences, check
##  for existence in block list, and
##  block if necessary. The temp file
##  is fed in by the redirection on
##  'done' rather than 'exec <', which
##  would replace the script's stdin.
##
########################################

while read -r COUNT IPADDR ; do
  ## Check to see if the IP is already in the list
  ## (-x whole line, -F literal: 10.0.0.1 must not match 10.0.0.10)
  if ! grep -qxF -- "$IPADDR" "$BLOCKLIST"; then

    ## And it occurs greater than or equal to $MAX_TRY times...
    if [ "$COUNT" -ge "$MAX_TRY" ]; then

      ## We drop it into the block list...
      echo "$IPADDR" >> "$BLOCKLIST"

      ## Reset the firewall with the new list...
      reload_firewall

      ## Email ourselves... (subject before recipient)
      echo "$IPADDR ($COUNT failures) is being added to the list" |
      mail -s "Auto-punkd - $IPADDR" "$EMAIL"

      ## And make a log entry.
      logger "$IPADDR ($COUNT failures) is being Auto-punkd"

    fi
  fi
done < "$TMPFILE"

########################################
##
## Sleep for $DELAY seconds, start over
##
########################################
sleep "$DELAY"
done


I just did a diff and it looks like that version is missing the actual firewall work, so it's just logging the IPs. Did I steal an existing script and add the firewall bits, or did somebody use my script and take out the firewall bits? I can't remember!!! I'll feel really bad if I used somebody else's code without giving them credit though... This was a while ago...

But anyway, what kind of error checking did you want? All that script does is store the IPs in a file.

-J


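The firewall half of the script above flushes the whole filter table and rebuilds it from scratch on every new block, and it hands the raw contents of the block list file to iptables unquoted, so anything that ends up in that file ends up on an iptables command line. As an added example, not code from the thread, the function below instead writes the block rules as an iptables-restore fragment for a dedicated chain, and refuses any entry that is not a plain IPv4 address or CIDR. The chain name PUNKD, the function names and the sample blocklist are my assumptions.

```shell
#!/bin/sh
# Added example: build an iptables-restore fragment for a dedicated chain
# from a trusted list and a blocklist file, validating every entry first.
# Not the thread's script; chain name and helpers are assumptions.

# Return 0 if $1 is a dotted quad with an optional /prefix, 1 otherwise.
# Rejects blank lines, hostnames, IPv6 and shell metacharacters that a
# corrupted or tampered blocklist could contain.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32       # no "/" present
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip                              # split octets into $1..$4
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 = space-separated trusted addresses, $2 = blocklist file.
# Prints an iptables-restore fragment on stdout. Invalid blocklist entries
# are reported on stderr and skipped instead of reaching iptables.
build_ruleset() {
    trusted=$1
    blocklist=$2
    echo '*filter'
    echo ':PUNKD - [0:0]'
    # Trusted sources leave the chain before any DROP can match them.
    for t in $trusted; do
        is_ipv4_cidr "$t" && echo "-A PUNKD -s $t -j RETURN"
    done
    if [ -f "$blocklist" ]; then
        while IFS= read -r entry; do
            if is_ipv4_cidr "$entry"; then
                echo "-A PUNKD -s $entry -j DROP"
            else
                echo "skipping invalid blocklist entry: '$entry'" >&2
            fi
        done < "$blocklist"
    fi
    echo 'COMMIT'
}

# When run directly: constructed sample blocklist (not a real one).
demo=$(mktemp)
printf '203.0.113.5\nnot-an-ip\n192.0.2.0/24\n' > "$demo"
build_ruleset "198.51.100.7/32" "$demo"
rm -f "$demo"
```

Load the fragment with `iptables-restore --noflush < fragment`: with --noflush, iptables-restore leaves chains the fragment does not name untouched and rebuilds only the PUNKD chain it declares, so INPUT keeps whatever else is in it. Hook the chain in once, idempotently, with `iptables -C INPUT -j PUNKD 2>/dev/null || iptables -I INPUT -j PUNKD`; after that, reloading the blocklist never touches the rest of the firewall.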
 PostPosted: Tue Nov 11, 2008 7:02 pm   

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5
Not sure, my mate gave it to me to modify for him. He might've gotten it from somewhere but I'm not sure. I haven't touched this script, it's the same as what he gave me, however, I plan on doing a fair bit of modifying as well as adding a menu, and using error checking for user input..

e.g. press 1 for...
press 2 for...
press 3 for...

So if the user presses 8, I need to work something out, maybe some kind of loop and notification to the user.

Thanks.


 PostPosted: Tue Nov 11, 2008 9:42 pm   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
Right on, that's relatively easy to do. I'd need to know more details about what you want it to do though. The two functions you'll want to look into are "read" and "case". You can do error checking in between those two if you're looking for something specific. A basic input type thing for what it sounds like you're doing would be:

Code:
echo "Press 1 for choice 1"
echo "Press 2 for choice 2"
echo "Press 3 for choice 3"
read -p "Choice: " choice

case $choice in
  1)  echo "yay for choice 1";;
  2)  echo "yay for choice 2";;
  3)  echo "yay for choice 3";;
  *)  echo "sorry... didn't recognize your response :("
esac


Have fun!
-J


 PostPosted: Thu Nov 13, 2008 1:08 am   

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5
I plan on doing the following for the menu:

echo "1) Press 1 to run script"
echo "2) Press 2 to view logfile"
echo "3) Press 3 to view output file"
echo "4) Press 4 to view blocklist"
echo "5) Press 5 to exit"
echo -n "Please make a selection: "
etc.
I've looked into the read and case commands but they haven't really given me the info I need to do some basic error checking. Any ideas?


 PostPosted: Thu Nov 13, 2008 11:49 am   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
Right, depending on what kind of error checking you want, it'll come before the case statement. In my example, any unexpected input prints "sorry... didn't recognize your response :("

If you want, you can put the menu in a function that you can loop back to in the event of unexpected input. Something like:

Code:
menu () {
  echo "Press 1 for choice 1"
  echo "Press 2 for choice 2"
  echo "Press 3 for choice 3"
  echo "Press q to quit"
  read -p "Choice: " choice
}

menu
case $choice in
  1)  echo "yay for choice 1"
      ;;
  2)  echo "yay for choice 2"
      ;;
  3)  echo "yay for choice 3"
      ;;
  q)  echo "Buhbye!"
      exit
      ;;
  *)  echo "sorry... didn't recognize your response :("
      menu
      ;;
esac


oops... just noticed I left out a ';;' in my first example :)


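The read-then-case pattern from the reply above, as an added example that is not code from the thread. It separates the validation from the dispatch so the case statement only ever sees a key it knows, and it re-prompts in a loop instead of calling the menu function from its own `*)` arm (each bad answer there nests one more function call that never returns). Input is read with `read -r` so a stray backslash is kept literally. The function names, the attempt limit and the piped sample input are mine.

```shell
#!/bin/sh
# Added example: menu input validation with read + case, re-prompting in a
# bounded loop. Not from the thread; names and limits are assumptions.

show_menu() {
    printf '%s\n' \
        "1) Run the script" \
        "2) View the logfile" \
        "3) View the output file" \
        "4) View the blocklist" \
        "5) Exit"
}

# Return 0 only if $1 is exactly one menu key. Empty input, "1 2",
# "1x" and anything else fall through to the catch-all and return 1.
validate_choice() {
    case "$1" in
        1|2|3|4|5) return 0 ;;
        *)         return 1 ;;
    esac
}

# Prompt until a valid choice arrives and print it on stdout.
# $1 = maximum attempts (default 3). Returns 1 if stdin closes first
# (so a caller can tell "no input" from a choice) and 2 when the
# attempt budget is exhausted. Menu text goes to stderr so the
# printed choice is the only thing on stdout.
prompt_choice() {
    max=${1:-3}
    attempt=0
    while [ "$attempt" -lt "$max" ]; do
        attempt=$((attempt + 1))
        show_menu >&2
        printf 'Please make a selection: ' >&2
        IFS= read -r choice || return 1
        if validate_choice "$choice"; then
            printf '%s\n' "$choice"
            return 0
        fi
        printf '"%s" is not a valid option.\n' "$choice" >&2
    done
    return 2
}

# Dispatch on an already-validated key. The catch-all is unreachable
# after validate_choice but kept so a future key cannot fail silently.
dispatch() {
    case "$1" in
        1) echo "running detection" ;;
        2) echo "viewing logfile" ;;
        3) echo "viewing output file" ;;
        4) echo "viewing blocklist" ;;
        5) echo "exiting" ;;
        *) echo "unhandled choice: $1" >&2; return 1 ;;
    esac
}

# When run directly with constructed input: two bad answers, then "3".
printf '8\nfoo\n3\n' | prompt_choice 5 2>/dev/null | while read -r key; do
    dispatch "$key"
done
```

Because `prompt_choice` reads from stdin and reports on stdout, the same function serves both the interactive menu and a scripted test: pipe the answers in and check what comes out.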
 PostPosted: Thu Nov 13, 2008 7:06 pm   

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5
This is my script so far, I can't get it running as it is either giving me a syntax error near unexpected token '}' on line 44, or is giving me an unexpected end of file. I can't see what I'm doing wrong, if there's anything that looks wrong, please let me know.

Thanks. :lol:


#!/bin/bash

### Variables
LOGFILE="/var/log/secure"
OUTPUTFILE="/home/ssh/log.txt"
BLOCKLIST="/home/ssh/blocklist.txt"
MAX_ATTEMPTS="5"
DELAY="20"                              ### seconds between passes in runscript
ACCEPTED_IPS="172.16.0.1 172.16.0.2"    ### no space after '=' or bash runs the string as a command

### List of functions
menu()
{
echo "1) Press 1 to run the script."
echo "2) Press 2 to view the logfile."
echo "3) Press 3 to view the output file."
echo "4) Press 4 to view the blocklist."
echo "5) Press 5 to exit."
echo -n "Please make a valid selection: "
read -r menu
case "$menu" in
1) runscript ;;
2) runlog ;;
3) lookout ;;
4) viewblock ;;
5) exitscript ;;
*) echo "\"$menu\" is not a valid option." ;;
esac
}
runscript()
{
touch "$BLOCKLIST"    ### so the grep below does not complain on the first run
while true; do

### counts failures and makes a two column output file in the format of <count> <ipaddr>
grep -E "sshd.+Failed" "$LOGFILE" |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > "$OUTPUTFILE"

### reads $OUTPUTFILE line by line; the redirection is on 'done' below so the script's own stdin is left alone
### (variable names must match exactly: 'count' and 'COUNT' are different variables)
while read -r COUNT IPADDR; do

### check to see if the IP address is already in the blocklist (whole line, literal match)
if ! grep -qxF -- "$IPADDR" "$BLOCKLIST"; then

### and it occurs greater than or equal to $MAX_ATTEMPTS... (note the space after '[')
if [ "$COUNT" -ge "$MAX_ATTEMPTS" ]; then

###we place it into the blocklist...
echo "$IPADDR" >> "$BLOCKLIST"

### and make a log entry.
logger "$IPADDR ($COUNT failures) added to the blocklist"
fi
fi
done < "$OUTPUTFILE"

sleep "$DELAY"
done
}
runlog()
{
cat "$LOGFILE" ###displays contents of /var/log/secure
}
lookout()
{
cat "$OUTPUTFILE" ### displays contents of /home/ssh/log.txt
}
viewblock()
{
cat "$BLOCKLIST" ### displays contents of /home/ssh/blocklist.txt
}
exitscript()
{
echo "Be sure to run this script again in the near future."
exit 0
}

### nothing above runs by itself: show the menu until the user picks 5
while true; do
menu
done


 PostPosted: Thu Nov 13, 2008 7:08 pm   

Joined: Mon Nov 10, 2008 5:33 pm
Posts: 5
sorry, forget the lack of indentation, but you get the idea...

