A while ago we had a thread about how to harden the ssh service: http://lists.suse.com/archive/suse-linux-s/2005-Jan/0113.html I remember the question came up of how to get illegitimate users added to a blacklist automatically; well, today while reading the security newsgroup I came across this:
#!/bin/csh
# Made by Jack-Benny, founder of cyberinfo.se, bluedogsecurity.cyberinfo.se
# and linuxsecurity.cyberinfo.se
# This is a script I wrote to automatically block the SSH probes.
# The code is pretty quickly written and not fancy in any way, but for
# me it works like a dream!
# If you find any bugs or have any improvements or suggestions
# please drop me an e-mail: jake@cyberinfo.se
#
# A short explanation of how it works:
# The script first uses grep to find the word Invalid in the
# /var/log/messages file.
# Then it takes field number 10 (field separator is whitespace),
# which is the IP number.
# It then compares this to the "history" file and prints any new
# IPs in the file new_ip.
# Then the file new_ip is processed with sed ("old" IPs have a
# tab in front of them, "new" ones don't).
# It is then written to the file block_this and to a black list (kept
# for backup purposes).
# Finally the new IPs are inserted into an iptables command which
# blocks the IP's access to port 22.
# By the way: Sorry for the long lines, don't split them up,
# it won't work if you do!!!
# MUST BE RUN AS ROOT. It could also be a good idea to run it
# in a separate directory as it generates a lot of files...

touch hist_ip

START:
sleep 10
# Every line mentioning Invalid; for "Invalid user X from <ip>" the IP is field 10
grep Invalid /var/log/messages > ips
awk '{ print $10 }' ips | sort | uniq > ext_ip
# comm -1 drops IPs that are only in the history; IPs present in both files
# come out with a leading tab, IPs only in ext_ip come out without one
comm -1 hist_ip ext_ip > new_ip
awk '{ print $10 }' ips | sort | uniq > hist_ip
# Keep only the untabbed (new) IPs
sed -e '/^\t/d' new_ip > block_this
cat block_this >> black_list.txt
# One DROP rule on port 22 per new IP
awk '{ system("iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP -s " $0) }' block_this
goto START
---End of code---
I haven't tried it (I already have my own blacklist system) and, besides, I'm not an expert in scripting and I don't understand all of the code, but as far as I can tell it looks good. Let's see if it is useful to someone.

--
Share your knowledge!
Linux user id 332494 # http://counter.li.org/
PGP id 0xC5ABA76A # http://pgp.mit.edu/
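The same log-to-blacklist pipeline as the posted script, written here as an added example in POSIX sh (it is not the script from the post nor Jack-Benny's code). It assumes the OpenSSH "Invalid user X from <ip>" syslog format, picks the address from the token after "from" instead of a fixed field, and only reports an address after a failure threshold; the log lines are constructed sample input.

```shell
#!/bin/sh
# Added example, not the posted script: the same log-to-blacklist pipeline
# in POSIX sh. Two changes a defender wants: the address is the token after
# "from" rather than a fixed field 10, and an address is only reported after
# THRESHOLD "Invalid user" lines, so one typo does not drop a legitimate user.

# new_ssh_offenders LOGFILE HISTFILE [THRESHOLD]
# Prints addresses seen >= THRESHOLD times in "Invalid user" lines of LOGFILE
# that are not yet in HISTFILE; the caller appends the output to HISTFILE
# after applying the rules (this replaces the post's hist_ip handling).
new_ssh_offenders() {
    log=$1; hist=$2; min=${3:-3}
    [ -f "$hist" ] || : > "$hist"
    cand=$(mktemp)
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Invalid user / {
            for (i = 1; i < NF; i++)
                if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' "$log" | sort > "$cand"
    sort "$hist" | comm -13 - "$cand"   # keep only lines unique to the candidates
    rm -f "$cand"
}

# Renders one iptables rule per address on stdin instead of executing it;
# review the output, then pipe it to sh as root.
render_block_rules() {
    while read -r ip; do
        printf 'iptables -A INPUT -i eth0 -p tcp --dport 22 -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample input (not real log data) in the syslog format the
# posted grep/awk pipeline expects; 203.0.113.5 is already in the history.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 28 10:00:01 host sshd[2001]: Invalid user admin from 192.0.2.10
Jan 28 10:00:03 host sshd[2002]: Invalid user oracle from 192.0.2.10
Jan 28 10:00:05 host sshd[2003]: Invalid user test from 192.0.2.10
Jan 28 10:00:07 host sshd[2004]: Invalid user guest from 198.51.100.7
Jan 28 10:00:09 host sshd[2005]: Invalid user admin from 203.0.113.5
Jan 28 10:00:11 host sshd[2006]: Invalid user root from 203.0.113.5
Jan 28 10:00:13 host sshd[2007]: Invalid user pi from 203.0.113.5
Jan 28 10:00:15 host sshd[2008]: Accepted publickey for bob from 192.0.2.10 port 5000 ssh2
EOF
SAMPLE_HIST=$(mktemp)
echo 203.0.113.5 > "$SAMPLE_HIST"

new_ssh_offenders "$SAMPLE_LOG" "$SAMPLE_HIST" 3 | render_block_rules
```

With the sample data only 192.0.2.10 reaches three failures and is not yet in the history, so a single DROP rule is rendered; the "Accepted publickey" line is ignored because it is not an "Invalid user" line.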