Mailinglist Archive: opensuse-es (1343 mails)

Blocking script for illegal users of the SSH service
  • From: Aquiles <aquiles4@xxxxxxxxxxxx>
  • Date: Wed, 26 Jan 2005 21:14:00 +0100
  • Message-id: <200501262114.05839.aquiles4@xxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A while ago we had a thread about how to secure the ssh service.
http://lists.suse.com/archive/suse-linux-s/2005-Jan/0113.html

I remember the question came up of how to get illegal users added to a blacklist automatically; well, today while reading the security newsgroup I came across this:

>#!/bin/csh
>
>#Made by Jack-Benny, founder of cyberinfo.se, bluedogsecurity.cyberinfo.se
>#and linuxsecurity.cyberinfo.se
>#This is a script I wrote to automatically block the SSH probes.
>#The code is pretty quickly written and not fancy in any way, but for
>#me it works like a dream!
>#If you find any bugs or have any improvements or suggestions
>#please drop me an e-mail: jake@xxxxxxxxxxxx
>
>#A short explanation of how it works:
>#The script first uses grep to find the word Invalid in the
>#/var/log/messages file.
>#Then it takes field number 10 (field separator is whitespace),
>#which is the IP number.
>#It then compares this to the "history" file and prints any new
>#IP's in the file new_ip.
>#Then the file new_ip is processed with sed ("old" IP's have a
>#tab in front of them, "new" ones don't)
>#It is then written to file block_this and a black list (used
>#for backup purposes)
>#Finally the new IP's are inserted into an IPTABLES command which
>#blocks the IP's access to port 22
>#By the way: Sorry for the long lines, don't split them up,
>#it won't work if you do!!!
>#MUST BE RUN AS ROOT, it could also be a good idea to run it
>#in a separate directory as it generates a lot of files...
>
>
>touch hist_ip
>
>START:
>
> sleep 10
> grep Invalid /var/log/messages > ips
> # field 10 of "... sshd[pid]: Invalid user NAME from IP" is the address
> awk '{ print $10 }' ips | sort | uniq > ext_ip
> # GNU comm -1: lines only in ext_ip (new) have no leading tab, common (old) lines have one
> comm -1 hist_ip ext_ip > new_ip
> cp ext_ip hist_ip
> sed -e '/^\t/d' new_ip > block_this
> cat block_this >> black_list.txt
> awk '{ system("iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP -s " $0) }' block_this
>
>goto START
>
>
>---End of code---

I haven't tried it (I already have my own blacklist system) and, besides, I'm not an expert in scripting and I don't understand all of the code, but as far as I can tell it looks good.
Let's see if it is useful to someone.

- --
¡Share your knowledge!

Linux user id 332494 # http://counter.li.org/
PGP id 0xC5ABA76A # http://pgp.mit.edu/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB9/oNVW601sWrp2oRAkhfAKCdmxlMetUC13gsmfiD13eJWrCCZQCfWpJp
vc0TJmHtAAFF26RZh6wEfdA=
=Tv6Y
-----END PGP SIGNATURE-----
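As an added example, not part of the original post and not Jack-Benny's script, here is a POSIX shell version of the same extraction step the quoted csh code performs: pull the source address out of sshd "Invalid user" lines in a syslog-style file, compare it against a history file, and report only addresses not seen before. It assumes the same line shape as the quoted script but takes the token after "from" instead of a fixed field 10, checks that it is a dotted quad, and uses `comm -13` (lines only in the second file), which does not depend on GNU comm shifting columns the way the original `comm -1` / `sed '/^\t/d'` pair does. The function names (`new_invalid_ips`, `iptables_rule`, `demo`) and the log lines in `demo` are constructed for this example; the iptables rule is printed, not executed.

```shell
#!/bin/sh
# Added example, not the quoted script. Requires grep, awk, sort, comm, mktemp.

# new_invalid_ips LOGFILE HISTFILE
#   Print addresses from "Invalid user ... from ADDR" lines in LOGFILE that
#   are not yet listed in HISTFILE, then append them to HISTFILE.
new_invalid_ips() {
    log="$1"; hist="$2"
    [ -f "$hist" ] || touch "$hist"
    cur=$(mktemp)
    # token after "from" rather than a fixed field index, then keep only
    # well-formed IPv4 addresses so a crafted username cannot reach iptables
    grep 'Invalid user' "$log" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
      | sort -u > "$cur"
    sort -u "$hist" > "$cur.hist"
    # comm needs sorted input; -13 keeps lines present only in the second file
    comm -13 "$cur.hist" "$cur"
    comm -13 "$cur.hist" "$cur" >> "$hist"
    rm -f "$cur" "$cur.hist"
}

# iptables_rule ADDR
#   Print the rule the quoted script would run for ADDR (no execution here).
iptables_rule() {
    printf 'iptables -A INPUT -i eth0 -p tcp --dport 22 -s %s -j DROP\n' "$1"
}

# demo: run the extraction over constructed sample log lines with one
# address (192.0.2.10) already in the history; prints 203.0.113.5
demo() {
    d=$(mktemp -d)
    cat > "$d/messages" <<'EOF'
Jan 26 20:01:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Jan 26 20:01:05 host sshd[1235]: Invalid user test from 192.0.2.10
Jan 26 20:02:00 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 4000 ssh2
Jan 26 20:03:09 host sshd[1250]: Invalid user oracle from 203.0.113.5
EOF
    printf '192.0.2.10\n' > "$d/hist_ip"
    new_invalid_ips "$d/messages" "$d/hist_ip"
    rm -rf "$d"
}

demo
```

Two things the original does that this version deliberately avoids: it never re-adds an address already in the history, so a loop that appends iptables rules does not accumulate duplicates, and it only prints the rule, so the output can be reviewed (or fed to a separate, root-run step) before anything is blocked. The original also keeps re-reading the whole log every ten seconds and remembers nothing across a restart except what is in its history file, so the history file is the piece worth backing up.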
