On Monday 07 November 2005 07:52 pm, Dan Abernathy wrote:
Hello all
I notice several automated break-in attempts appearing in /var/log/messages regarding sshd. A small sample:
Nov 7 14:34:10 d8400 sshd[18607]: Invalid user a from 71.129.198.189 Nov 7 14:34:11 d8400 sshd[18609]: Invalid user aaron from 71.129.198.189
Hundreds of entries like the above, working their way through every English letter using common first names, also names of services like Apache.
I ran across this Novell Cool Solutions article: http://www.novell.com/coolsolutions/trench/16341.html
It describes the use of a shell script, run once per minute using a cron job, that parses information from /var/log/messages and adds offending IP addresses to /etc/hosts.deny.
I saved the script as ssh-block.sh in my home folder, in a subdirectory named cronjobs. I used su to become root and ran crontab -e, and added the script to run once per minute.
Entries in /var/log/messages confirm that the shell script is indeed being run every minute, but the contents of /etc/hosts.deny hasn't changed at all, despite the presence of failed sshd log-ins (also written to /var/log/messages).
Can someone knowledgeable about shell scripts take a look at the URL above and see if there is a problem with the script? If not, what did I do incorrectly? What's the proper way to run this job regularly? I assume it must be run as root, both to read /var/log/messages and to write to /etc/hosts.deny.
Dan
Since you didn't give us your cron entry, I can only assume you used the full path to the script in the cron line.... Also, what are the permissions on the script? Did you chmod it for execution?