Bryan Phinney <[EMAIL PROTECTED]> writes:

> Here is a script I wrote to work around SSH probes.  It is NOT elegant, very
> quick and dirtyish but it does seem to work and it can be run from a cron
> job fairly often without problems.
> 

Hi Bryan, pretty cool, the only thing I would suggest is using Damian
Conway's Regexp::Common module in a Perl script to parse the IP address out.
Using cut doesn't 'cut it', as sometimes the line has more text in it than you
might be expecting.  Here's the script I use, based on the one you wrote,
as I've modified it.

---------------------------------
#!/bin/sh
# Stop if the working directory is missing, so the relative paths below
# never resolve somewhere unexpected
cd /usr/local/sbin || exit 1

#Optional, remove old entries (-f: no error if the file is not there yet)
rm -f ./sshd_block/block.txt

#This will parse the messages file and extract the sshd lines
grep sshd /var/log/messages | grep Failed | ./get_ips | \
sort -u > ./sshd_block/block.txt

#Append one deny rule per extracted address
while read -r i; do
        echo "ALL:$i" >> /etc/hosts.deny
done < ./sshd_block/block.txt

#remove extra entries from hosts.deny
sort -u /etc/hosts.deny > /etc/hosts.new
cp /etc/hosts.new /etc/hosts.deny

---------------------------------

And here is the source for get_ips
---------------------------------
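#!/usr/bin/perl

use strict;
use warnings;
use Regexp::Common;

# Print the first dotted-decimal IPv4 address found on each input line.
# With {-keep}, $1 holds the whole matched address.
while(<>) {
    if(/$RE{net}{IPv4}{dec}{-keep}/){
        print "$1\n";
    }
}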
---------------------------------

I'm really glad you did your script.  Until I read this thread, I had no idea
that anyone might have been trying to SSH into my machine, like some madman.
Turns out they have been, every night for weeks, (my bad), but now with my
modified script (based on your great contribution), they won't be doing it
more than once.

Thanks very much, my friend,

Dave in Largo, FL.
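
An added example, not part of the original post: the extraction step anchored on the `from <addr> port` field of the log line, so other IPv4-looking text in the line is ignored, and an append that leaves existing hosts.deny lines in place. The function names are hypothetical, the log format assumed is OpenSSH's "Failed password ... from <addr> port <n>", and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# the log format assumed is OpenSSH's "Failed password ... from <addr> port <n>".

# Print each unique source IPv4 from failed-password sshd lines on stdin.
extract_src_ips() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        ip = ""
        # Keep the LAST "from <addr> port" triple: anything earlier in the
        # line (such as the user name) is text chosen by the remote client.
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
        # Accept only four decimal octets, each 0-255.
        n = split(ip, o, ".")
        ok = (n == 4)
        for (j = 1; j <= 4 && ok; j++)
            ok = ((o[j] ~ /^[0-9]+$/) && (o[j] + 0 <= 255))
        if (ok && !seen[ip]++) print ip
    }'
}

# Append "ALL:<ip>" for each IP on stdin unless that exact line is already in
# the file; existing lines and comments keep their order.
append_new_denies() {
    deny_file=$1
    while read -r ip; do
        grep -qxF "ALL:$ip" "$deny_file" 2>/dev/null ||
            echo "ALL:$ip" >> "$deny_file"
    done
}

# Constructed sample log lines (documentation address ranges).
sample_log() {
    cat <<'EOF'
Oct  3 02:11:45 host sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Oct  3 02:11:47 host sshd[4243]: Failed password for invalid user 192.0.2.10 from 203.0.113.7 port 40023 ssh2
Oct  3 02:12:01 host sshd[4250]: Failed password for root from 198.51.100.23 port 51812 ssh2
Oct  3 02:13:09 host sshd[4260]: Accepted password for dave from 192.0.2.55 port 50111 ssh2
EOF
}

# Demo: prints 203.0.113.7 and 198.51.100.23, one per line.
sample_log | extract_src_ips
```

In the cron script this would be used as `grep sshd /var/log/messages | extract_src_ips | append_new_denies /etc/hosts.deny`.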

