Simple log watch script


All times are UTC - 6 hours


 PostPosted: Tue Jul 04, 2006 6:44 am   

Joined: Tue Jul 04, 2006 6:09 am
Posts: 3
Location: Denmark-Frederiksberg
Hi!

I would like to create a script to watch my vsftpd.log once per minute to eventually block any 'brute force' cracking attempts using iptables.

In June I had 37432 login attempts like this one:
Wed Jun 14 09:13:08 2006 [pid 21610] [Administrator] FAIL LOGIN: Client "61.9.150.64"

The funny thing is that there is no "Administrator" user on my system so the cracker can attempt as many times as he wants :lol:

Back to the serious part:
I had in mind some script to run from the crontab looking in vsftpd.log, maybe using 'tail -100' :? and then compare all 'FAIL LOGIN' where the IP addresses occur 5 times in a row and then block that IP using iptables. Just a 'dynamic' block would be necessary (i.e. no writing the rule permanently to the rule set).

The thing is that I have a relatively narrow user base (approx. 10 domain admins, all family or friends) and the ftp is mostly used by my users to update their sites. I'm currently running a Suse 9.0 free edition but soon to be a brand new (600 MHz :wink: ) "Ubuntu 6.06 LTS Server". On that occasion it would be nice to be able to block the even more frequent 'brute force' cracking attempts! :x

Thank you for any assistance as I am not very good at writing bash scripts..

Regards
Jakob


 PostPosted: Wed Jul 05, 2006 6:06 am   

Joined: Mon Jul 03, 2006 8:58 pm
Posts: 52
Location: Rochester, NY
Are you looking for someone to write the script for you? Looking for an algorithm (sounds like you already have one)? Looking for validation that your plan is a good idea? Or looking for something else?

It seems to me you've pretty much got a handle on what you want and even to some extent on how you want to do it. The only thing missing is the top of the bash script
Code:
#!/bin/bash
###
# My simple cracker detector and banner script
# runs from crontab every 5 minutes
# compares the last 100 lines of the vsftp.log to find
# matches of 5 subsequent fails within those last 100 lines and activates a
# dynamic block in iptables (not a permanent rule)
###


Following that, you can start in with your
Code:
tail -100
command to capture the end of the file (probably redirecting the output to file or piping it to something like grep or awk).

I might do something like this (though my syntax may be incorrect for the awk part - reading the man page for awk would be useful if not boring):

Code:
# $12 is the quoted client address on a vsftpd FAIL LOGIN line; tr strips the quotes
tail -100 vsftpd.log | grep 'FAIL LOGIN' | awk '{print $12}' | tr -d '"' | sort > /tmp/failedips
# read in /tmp/failedips and compare each entry to the next keeping count to 5 and
# banning that IP if the count of 5 is reached for a single IP address.


Unfortunately I don't know bash well enough to write the loop part that reads in the /tmp/failedips file and compares each value with the previously-stored one.

I'd actually write that part in a Perl script and call the Perl from this bash script. :D But that's just because I'm more comfortable with Perl for complicated bits of logic -- I know bash can do it and maybe someone else can help you out where I've left off.

Hope this helps!


 PostPosted: Wed Jul 05, 2006 9:22 pm   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
I've got a script that does almost exactly what you're looking for, but for sshd instead of vsftpd. Are you just looking for hints? If so, which part do you need help with? If you like, I'll post the entire script and you can pick and choose the parts that you need.

Basically, it takes the entire log file (no tail, but that's easy to change) and parses it for a certain number of failures from a single IP address. Then it compares those addresses against a list of IPs that are already blocked. If it's not already blocked, it gets added to the block list.

Let me know if you want the whole script, or let us know which part you need help with.

-Jeo


 PostPosted: Wed Jul 05, 2006 11:47 pm   

Joined: Tue Jul 04, 2006 6:09 am
Posts: 3
Location: Denmark-Frederiksberg
I am basically looking for a sort of complete script that I can change for my particular needs :wink:
The problem with not using tail is that some of my users use Internet Explorer for updating sites and it always tries to login with "Anonymous" :roll: and if that fails then it asks for a user id and password. So if I would parse the complete log file they would get blocked. (As they over time will get multiple 'FAIL LOGIN' with user Anonymous)
But it would of course be much better just to compare the log line by line and then block if the IP address has 5 concurrent 'FAIL LOGIN' in a row. But I have absolutely no clue on how to do that!

Jeo, would you post your script? I think that I am able to change it to fit my needs.. It sounds like it is exactly what I need to get going 8)

Thank you very much for your replies :D I am now confident that it will be possible for me to get such a script..

/Jakob

P.S. Sorry for my bad English :oops:


 PostPosted: Thu Jul 06, 2006 5:28 am   

Joined: Mon Jul 03, 2006 8:58 pm
Posts: 52
Location: Rochester, NY
Jakob wrote:
The problem with not using tail is that some of my users use Internet Explorer for updating sites and it always tries to login with "Anonymous" Rolling Eyes and if that fails then it asks for a user id and password. So if I would parse the complete log file they would get blocked. (As they over time will get multiple 'FAIL LOGIN' with user Anonymous)


You can avoid counting those entries by checking to see if the user is "Anonymous" for all five entries in a sequence. If you have one "Anonymous" entry failure followed by a regular login success, then you know not to count that failure.
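Putting the pieces of this thread together, here is an added example (not code from any poster) of the loop the second reply left open: it walks vsftpd.log lines in the format Jakob posted, counts FAIL LOGIN lines per client IP since that IP's last OK LOGIN, and only reports an IP when its run reaches the threshold and contains at least one non-Anonymous username, which is the check suggested above. The log lines embedded in it are constructed for the demo, the function name consecutive_fail_ips is an assumption of this example, and it only prints the addresses; feeding them to iptables is left to the caller.

```shell
#!/bin/bash
# Added example, not code from the thread: report client IPs whose run of
# vsftpd "FAIL LOGIN" lines reached a threshold, ignoring runs that consist
# only of Anonymous failures (the browser behaviour described in the thread).

# Constructed sample log in the vsftpd.log format quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
Wed Jun 14 09:13:01 2006 [pid 21601] [Anonymous] FAIL LOGIN: Client "192.0.2.10"
Wed Jun 14 09:13:02 2006 [pid 21601] [jakob] OK LOGIN: Client "192.0.2.10"
Wed Jun 14 09:13:08 2006 [pid 21610] [Administrator] FAIL LOGIN: Client "198.51.100.7"
Wed Jun 14 09:13:09 2006 [pid 21611] [Administrator] FAIL LOGIN: Client "198.51.100.7"
Wed Jun 14 09:13:10 2006 [pid 21612] [Administrator] FAIL LOGIN: Client "198.51.100.7"
Wed Jun 14 09:13:11 2006 [pid 21613] [Administrator] FAIL LOGIN: Client "198.51.100.7"
Wed Jun 14 09:13:12 2006 [pid 21614] [root] FAIL LOGIN: Client "198.51.100.7"
Wed Jun 14 09:13:13 2006 [pid 21615] [Anonymous] FAIL LOGIN: Client "203.0.113.5"
Wed Jun 14 09:13:14 2006 [pid 21616] [Anonymous] FAIL LOGIN: Client "203.0.113.5"
Wed Jun 14 09:13:15 2006 [pid 21617] [Anonymous] FAIL LOGIN: Client "203.0.113.5"
Wed Jun 14 09:13:16 2006 [pid 21618] [Anonymous] FAIL LOGIN: Client "203.0.113.5"
Wed Jun 14 09:13:17 2006 [pid 21619] [Anonymous] FAIL LOGIN: Client "203.0.113.5"
Wed Jun 14 09:13:18 2006 [pid 21620] [Anonymous] FAIL LOGIN: Client "203.0.113.5"
Wed Jun 14 09:13:19 2006 [pid 21621] [jakob] FAIL LOGIN: Client "192.0.2.10"
Wed Jun 14 09:13:20 2006 [pid 21622] [jakob] FAIL LOGIN: Client "192.0.2.10"
Wed Jun 14 09:13:21 2006 [pid 21623] [jakob] OK LOGIN: Client "192.0.2.10"
EOF
)

# consecutive_fail_ips THRESHOLD  (log lines on stdin)
# A "run" for an IP is its FAIL LOGIN lines since that IP's last OK LOGIN.
# An IP is printed when its run reaches THRESHOLD and at least one failure
# in the run used a username other than Anonymous. One IP per line, sorted.
consecutive_fail_ips() {
  local threshold="$1"
  awk -v max="$threshold" '
    / LOGIN: Client / {
      # username sits between the second "[" and its "]", the IP between quotes
      u = substr($0, index($0, "] [") + 3); user = substr(u, 1, index(u, "]") - 1)
      split($0, q, "\""); ip = q[2]
    }
    / OK LOGIN: Client / { run[ip] = 0; real[ip] = 0; next }   # success resets
    / FAIL LOGIN: Client / {
      run[ip]++
      if (tolower(user) != "anonymous") real[ip] = 1
      if (run[ip] >= max && real[ip]) flagged[ip] = 1
    }
    END { for (ip in flagged) print ip }
  ' | sort -u
}

# Demo on the constructed sample: only 198.51.100.7 reaches 5 real failures.
printf '%s\n' "$SAMPLE_LOG" | consecutive_fail_ips 5
```

From cron this would be run as `tail -100 /var/log/vsftpd.log | consecutive_fail_ips 5`. Because the run is counted per address and reset by that address's own successful login, the browser's Anonymous attempt followed by a real login never accumulates, while a client that only ever fails as Anonymous is still ignored; the policy lives in the single `real[ip]` line, so it is easy to tighten.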


 PostPosted: Thu Jul 06, 2006 1:49 pm   
Moderator

Joined: Wed May 03, 2006 2:05 pm
Posts: 242
Here's my script, unmodified. (Experts, be gentle, it's not nearly as efficient as it can be, it's a work in progress) Let me know if it helps, and please post your finished product so that we can see how you did it!

Code:
#!/bin/bash
########################################
##
##  Extra-simple brute force detection
##  script. Use at your own risk!
##
########################################

########################################
##
##  Set Variables here!
##
########################################

LOGFILE="/var/log/secure"
BLOCKLIST="/root/bin/firewall/block_list"
TMPFILE="/tmp/punkd.log"
MAX_TRY="10"
DELAY="20"
EMAIL="email@domain.com" # insert email address here for notifications
IPTABLES="/sbin/iptables"
TRUSTED_IPS="x.x.x.x/32" # insert trusted IPs here

## Make sure the block list exists so the loops below never fail on a missing file
touch "$BLOCKLIST"

########################################
##
##  First thing we need to do is clear
##  any existing rules, and insert ours
##
##  NOTE: "-F" flushes every rule in the
##  filter table, not just ours. Only use
##  this if this script owns the firewall.
##
########################################


## Reset the firewall...
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F

## Open it up for the good guys
for trusted_ips in $TRUSTED_IPS; do
  "$IPTABLES" -A INPUT -s "$trusted_ips" -j ACCEPT
done

## Shut it down for the bad guys
for blocked_ip in $(cat "$BLOCKLIST"); do
  "$IPTABLES" -A INPUT -s "$blocked_ip" -j DROP
done


########################################
##
##  Here we use a "while" loop to keep
##  things rolling...
##
########################################

while true; do

########################################
##
##  Count the failures and make a temp
##  file in the format of:
##  <COUNT> <IPADDR>
##
##  May be able to eliminate temp file
##  working on that...
##
########################################

grep -E "sshd.+Failed" "$LOGFILE" |
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
sort | uniq -c > "$TMPFILE"


########################################
##
##  Use 'exec' to direct the output of
##  the tmpfile to 'read' in our next
##  loop
##
########################################

exec < "$TMPFILE"


########################################
##
##  Use 'read' to break out the ip and
##  the number of occurrences, check
##  for existence in block list, and
##  block if necessary
##
########################################

while read COUNT IPADDR ; do
  ## Check to see if the IP is already in the list.
  ## -x -F matches the whole line literally, so the dots are not
  ## wildcards and 1.2.3.4 does not match 11.2.3.45
  PRE=$(grep -xF "$IPADDR" "$BLOCKLIST")

  ## If it's not in the list...
  if [ -z "$PRE" ]; then

    ## And it occurs greater than or equal to $MAX_TRY times...
    if [ "$COUNT" -ge "$MAX_TRY" ]; then

      ## We drop it into the block list...
      echo "$IPADDR" >> "$BLOCKLIST"

      ## Reset the firewall...
      "$IPTABLES" -P INPUT ACCEPT
      "$IPTABLES" -P OUTPUT ACCEPT
      "$IPTABLES" -F

      ## Open it up for the good guys
      for trusted_ips in $TRUSTED_IPS; do
        "$IPTABLES" -A INPUT -s "$trusted_ips" -j ACCEPT
      done

      ## Shut it down for the bad guys
      for blocked_ip in $(cat "$BLOCKLIST"); do
        "$IPTABLES" -A INPUT -s "$blocked_ip" -j DROP
      done

      ## Email ourselves (mail takes the subject option before the address)...
      echo "$IPADDR ($COUNT failures) is being added to the list" |
      mail -s "Auto-punkd - $IPADDR" "$EMAIL"

      ## And make a log entry.
      logger "$IPADDR ($COUNT failures) is being Auto-punkd"

    fi
  fi
done

########################################
##
## Sleep for $DELAY seconds, start over
##
########################################
sleep "$DELAY"
done


-Jeo
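The script above rebuilds the whole firewall with `-F` every time it bans an address, and a `grep` with an unquoted, unanchored address pattern can match the wrong line. As an added example (this is not Jeo's or Jakob's code), the following keeps the dynamic blocks in a dedicated chain so only that chain is flushed and rebuilt, validates each block list entry before handing it to iptables, and uses an exact literal match for the already-blocked check. The chain name VSFTPD_BLOCK and the IPTABLES/CHAIN environment overrides are assumptions of this example; setting IPTABLES=echo prints the commands instead of running them, so the dry run needs no root.

```shell
#!/bin/bash
# Added example, not the script from the thread: dynamic blocks kept in their
# own iptables chain. Assumptions: chain name VSFTPD_BLOCK; IPTABLES and CHAIN
# may be overridden from the environment (IPTABLES=echo gives a dry run).

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-VSFTPD_BLOCK}"

# ensure_chain: create our chain and hook it into INPUT once.
# Safe to call repeatedly; it never flushes INPUT itself.
ensure_chain() {
  "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
  "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
}

# is_ipv4 STRING: accept only a dotted quad with an optional /prefix, so a
# stray line in the block list can never turn into extra iptables arguments.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# rebuild_block_chain FILE: flush only our chain and add one DROP rule per
# valid entry in FILE. Blank lines and '#' comments are ignored; malformed
# entries are reported on stderr and skipped.
rebuild_block_chain() {
  local file="$1" entry
  "$IPTABLES" -F "$CHAIN"
  while IFS= read -r entry || [ -n "$entry" ]; do
    case "$entry" in
      ''|'#'*) continue ;;
    esac
    if is_ipv4 "$entry"; then
      "$IPTABLES" -A "$CHAIN" -s "$entry" -j DROP
    else
      printf 'skipping malformed block list entry: %s\n' "$entry" >&2
    fi
  done < "$file"
}

# block_ip IP FILE: record IP in FILE and drop it in the chain, unless it is
# already listed. grep -x -F matches the whole line literally, so the dots
# are not wildcards and 198.51.100.7 does not match 198.51.100.70.
# Returns 1 (touching nothing) if already blocked, 2 if IP is malformed.
block_ip() {
  local ip="$1" file="$2"
  touch "$file"
  if grep -qxF "$ip" "$file"; then
    return 1
  fi
  is_ipv4 "$ip" || return 2
  printf '%s\n' "$ip" >> "$file"
  "$IPTABLES" -A "$CHAIN" -s "$ip" -j DROP
}

# Dry run against a constructed block list (no root needed):
#   IPTABLES=echo sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo_list=$(mktemp)
  printf '198.51.100.7\nnot-an-ip\n203.0.113.0/24\n' > "$demo_list"
  rebuild_block_chain "$demo_list"
  block_ip 192.0.2.99 "$demo_list"
  rm -f "$demo_list"
fi
```

With a real iptables the detection loop only needs `ensure_chain` once at start-up and `block_ip "$IPADDR" "$BLOCKLIST"` per new offender; `rebuild_block_chain` is for boot time, when the saved list has to be replayed into a fresh chain. Trusted addresses can be placed in the same chain as ACCEPT rules ahead of the DROP rules, which keeps the whole policy in one place without touching the other chains.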


 PostPosted: Mon Jul 10, 2006 6:24 am   

Joined: Tue Jul 04, 2006 6:09 am
Posts: 3
Location: Denmark-Frederiksberg
Thank you, I will dig into it just after my vacation :)


© 2003 - 2011 USA LINUX USERS GROUP