I do a lot of work from my home connection to my servers, and sometimes I 
inadvertently try to ssh to my servers from a sudo -s session, triggering my 
denyhosts "hey, some bastard is trying to hack root" protections.

So, I created a little crontab entry since I can't find a whitelist feature in 
denyhosts and since my home IP address sometimes changes (so I can't simply 
stick my IP ahead of the denyhosts in hosts.allow)

/usr/local/bin/undenyhosts `dig cname.home.tld +short | grep "[0-9]"`

where cname.home.tld is a CNAME record I created pointing to a dynamic dns name 
assigned to my home connection. This way, no matter how stupid I may be, my 
home machine gets removed from the denyhosts list fairly quickly (more quickly 
than I could drive there and do it manually).

This relies on the undenyhosts script that I wrote, which may also be useful:

<<<EOF
#!/bin/sh
VERSION='1.1'

# Unlist an IP address from denyhosts

case $1 in

'')
   echo "undenyhosts $VERSION"
   echo "Usage: undenyhosts <ipaddress>"
;;

*)

   # Set to path to startup script
   # Commonly /etc/init.d/denyhosts
   #RCDENY='/etc/init.d/denyhosts'
   RCDENY='/usr/local/etc/rc.d/denyhosts'

   # Set to path to data dir
   # Commonly /var/lib/denyhosts
   #BEDENY='/var/lib/denyhosts'
   BEDENY='/usr/local/share/denyhosts/data'

   # Set to the full path to the hosts.deny file
   # Commonly /etc/hosts.deny
   #DENY='/etc/hosts.deny'
   DENY='/etc/hosts.deniedssh'

   # Escape the dots so sed matches the address literally;
   # an unescaped "." would also match e.g. 10x1y2z3 for 10.1.2.3
   PATTERN=$(printf '%s' "$1" | sed 's/\./\\./g')

   # Is the IP address actually listed in denyhosts?
   # -F: fixed-string match, so the dots are not regex wildcards
   ISDENY=$(grep -F -- "$1" "$DENY")
   if [ "$ISDENY" ]; then
      # Stop denyhosts, redirect errors and output to /dev/null
      "$RCDENY" stop > /dev/null 2>&1
      # Comment out echos for silent output (crontab)
      echo "Purging $1 from $BEDENY, leaving .bak file"
      # BSD sed in-place syntax ("-i .bak"); GNU sed wants "-i.bak"
      sed -i .bak "/$PATTERN/d" "$BEDENY"/*
      echo "Purging $1 from $DENY, leaving .bak file"
      sed -i .bak "/$PATTERN/d" "$DENY"

      # Restart denyhosts. Don't redirect output so that
      # any problems restarting it will cause an alert
      "$RCDENY" start

   else
      # Uncomment if only running from shell
      # Comment for silent output from crontab
      echo "$1 is not listed in $DENY"
   fi
esac

EOF


-- 
Updated to be PRCE compatible after 400 years: /(bb|[^b]{2})/ 
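The crontab line above filters the dig output with grep "[0-9]", which also passes the CNAME target through if the dynamic DNS name contains a digit, and the script then drops the address into a sed regex where "." matches any character and the match is a substring match. The following is an added example, not the original poster's undenyhosts script: it shows a stricter IPv4 extraction for the cron side, the escaped-dot pattern as a minimal fix for the sed call, and an exact field comparison that removes only the address itself. All sample data is constructed (203.0.113.7 and 198.51.100.9 are documentation addresses), and the colon-separated data-directory record format is assumed, not taken from denyhosts.

```shell
#!/bin/sh
# Added example, not the original poster's undenyhosts script.
# Sample inputs below are constructed.

# Keep only lines that are a dotted quad with every octet in 0..255.
# The original filter, grep "[0-9]", also lets through a CNAME target
# such as home42.dyndns.example., which would then reach undenyhosts.
extract_ipv4() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print
        }'
}

# Minimal fix for the sed call: escape the dots so the address is
# matched literally ("." would otherwise match any character).
sed_pattern_for() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# The escaped pattern applied the way the original script applies it.
# This fixes the wildcard dot but is still a substring match, so
# 203.0.113.7 also removes a 203.0.113.70 entry.
purge_sed() {
    printf '%s\n' "$2" | sed "/$(sed_pattern_for "$1")/d"
}

# Stricter alternative: delete a line only when one of its space- or
# colon-separated fields is exactly the address. Covers both
# "sshd: 203.0.113.7" (hosts.deny) and a colon-separated data record
# (assumed form address:count:date) with no regex escaping at all.
purge_exact() {
    printf '%s\n' "$2" | awk -v addr="$1" -F '[ :]' '
        { for (i = 1; i <= NF; i++) if ($i == addr) next; print }'
}

# Constructed: typical `dig cname.home.tld +short` output for a CNAME.
SAMPLE_DIG='home42.dyndns.example.
203.0.113.7'

# Constructed deny entries, including look-alikes a naive pattern hits.
SAMPLE_DENY='sshd: 203.0.113.7
sshd: 203.0.113.70
sshd: 203x0y113z7
sshd: 198.51.100.9
203.0.113.7:3:2010-05-10 10:00:00'

# Stand-alone usage: print what survives an exact purge of the resolved
# address. Nothing is printed if the dig output holds no valid IPv4.
ADDR=$(extract_ipv4 "$SAMPLE_DIG")
if [ -n "$ADDR" ]; then
    purge_exact "$ADDR" "$SAMPLE_DENY"
fi
```

In the cron entry this would replace the grep filter with extract_ipv4, and the script would call undenyhosts only when the function printed exactly one address; the field-based purge is the one to prefer over the sed pattern when neighbouring addresses share a prefix.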


_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user