[K12OSN] OT: Break-In report

Rob Asher rasher at paragould.k12.ar.us
Wed Jan 2 18:06:32 UTC 2008


I hacked out a tcpwrappers script a long time ago that's similar in
function to 'denyhosts'.  It should be generic enough to work on most
distros using 'hosts.allow'.  Just modify your 'hosts.allow' to
something like this:

# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

### Pull Allowed SSH IP's from this file.
sshd : /etc/sshd.hosts : allow
###

### Deny anyone logged in the ssh.denial.log file already.
# ALL : /var/log/ssh.denial.log : twist /bin/echo "%h has been banned from this server!"
ALL : /var/log/ssh.denial.log : DENY
###

### If we've made it this far, notify me and add the IP to the ban list.
sshd : ALL : spawn (/etc/sshd-notify.sh %a %u %c %p) & : DENY
##################


Then create the /etc/sshd.hosts file and add in the allowed
IP's/subnets.  touch /var/log/ssh.denial.log and make the sshd-notify
script executable:


#!/bin/bash
##
## sshd-notify
## System SSHD Connection Refused Notification Script
## Rob Asher - rasher at paragould.k12.ar.us
##
## Notifies administrator when a server SSHD Connection is Refused.
## Sends e-mail notification to the administrator
## when a SSHD Connection is Refused and logs the IP to a ban list file.
##
PATH=/usr/sbin:/usr/bin:/bin

# Argument order matches the spawn line in hosts.allow: %a %u %c %p
: ${4?"Usage: $0 IP User Host PID"}

#  Script exits here if command-line parameters absent,
#  with following error message:
#     sshd-notify.sh: 4: Usage: sshd-notify.sh IP User Host PID

MAILADDY="you at whereever.com"

IN_IP=$1
USER=$2
#HOST=$3
HOST=`echo $3 | sed 's/^::[Ff]\{4\}://'`   # strip leading garbage added by RHEL 4.x machines if host is an IP
PID=$4
DATE="`date`"
SERVERNAME="`uname -n`"
LOGFILE="/var/log/ssh.denial.log"

# function to remove leading garbage added to IP's on 4.x boxes
# (sets the global IP variable)
function cleanIP {
IP=`echo $1 | sed 's/^::[Ff]\{4\}://'`
}

cleanIP "$IN_IP"

mail -s "[$SERVERNAME] Security Report" "$MAILADDY" <<EOF
From: $0 on $SERVERNAME
To: $MAILADDY
Subject: Security Report from $SERVERNAME

TCP Wrappers: Connection Refused
Server: $SERVERNAME
Process: sshd (pid $PID)
User: $USER
Host: $HOST
IP: $IP
Date: $DATE


If this activity persists, please investigate further.

EOF

# append the cleaned address to the ban list that hosts.allow reads
echo "$IP" >> "$LOGFILE"

exit 0
##############

There are a couple of things specific for RHEL/CentOS 4.x in the
script.  For some reason the IP always begins with "::ffff:" hence
removing it with sed.  I also have a cron job setup to clean out the
ssh.denial.log file periodically.  Maybe someone else will find these
scripts useful. :-)

Regards,
Rob



-------------------------------------
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
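The setup above works because tcpd stops at the first matching rule in hosts.allow: once an address is in /var/log/ssh.denial.log it hits the DENY rule before the spawn rule ever runs again, and it stays there until the file is cleaned out. The following is an added example (my own, not Rob's script and not part of the original post) of a companion script that validates the %a argument before it is appended, so only a bare IPv4 or IPv6 literal reaches a file tcpd reads as a pattern list, and that expires entries by age instead of truncating the whole file from cron. It assumes a layout of my own: the ban file keeps one bare address per line exactly as hosts.allow expects, and a sidecar file ending in .times records "<addr> <epoch>" for the expiry pass.

```shell
#!/bin/sh
# Added example, not Rob Asher's code: maintenance for the ban-list file read by
# the "ALL : /var/log/ssh.denial.log : DENY" rule in hosts.allow.
# Assumed layout (mine): BANFILE holds one bare address per line (what tcpd
# expects); BANFILE.times holds "<addr> <epoch>" so entries can be aged out.

# normalize_ip ADDR: strip the IPv4-mapped "::ffff:" prefix the post mentions
# (seen on RHEL 4.x), lowercase any hex, and print the result.
normalize_ip() {
    printf '%s\n' "$1" | sed 's/^::[Ff]\{4\}://' | tr 'A-Z' 'a-z'
}

# valid_ip ADDR: succeed only for a dotted-quad IPv4 with each octet 0-255, or
# a plain IPv6 literal (hex digits and colons, at most one "::", no zone id).
# Hostnames, wildcards and anything containing whitespace are refused, so a
# malformed argument can never become an unexpected pattern in the ban file.
valid_ip() {
    v_ip=$1
    if printf '%s\n' "$v_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        v_oldifs=$IFS; IFS=.; set -- $v_ip; IFS=$v_oldifs
        for v_octet in "$@"; do
            [ "$v_octet" -le 255 ] || return 1   # the regex alone accepts 999.1.1.1
        done
        return 0
    fi
    case $v_ip in
        *::*::*) return 1 ;;   # more than one "::" is never valid
        *:*) ;;                # must contain a colon to be IPv6 at all
        *) return 1 ;;
    esac
    printf '%s\n' "$v_ip" | grep -Eq '[0-9a-f]{5}' && return 1   # hex group too long
    printf '%s\n' "$v_ip" | grep -Eq '^[0-9a-f:]+$'
}

# record_ban BANFILE ADDR [NOW]: normalize and validate ADDR, add it to BANFILE
# once (duplicates only bloat the file tcpd scans), and record the time.
record_ban() {
    r_banfile=$1
    r_addr=$(normalize_ip "$2")
    r_now=${3:-$(date +%s)}
    valid_ip "$r_addr" || {
        echo "refusing to ban malformed address: $2" >&2
        return 1
    }
    if ! grep -qxF "$r_addr" "$r_banfile" 2>/dev/null; then
        printf '%s\n' "$r_addr" >> "$r_banfile"
    fi
    printf '%s %s\n' "$r_addr" "$r_now" >> "$r_banfile.times"
}

# expire_bans BANFILE MAX_AGE_SECONDS [NOW]: keep only addresses whose newest
# timestamp is within MAX_AGE_SECONDS, then rewrite BANFILE from the survivors.
# Addresses that have no timestamp record are treated as expired.
expire_bans() {
    e_banfile=$1
    e_cutoff=$(( ${3:-$(date +%s)} - $2 ))
    [ -f "$e_banfile.times" ] || return 0
    awk -v cutoff="$e_cutoff" '
        { if ($2 > last[$1]) last[$1] = $2 }
        END { for (a in last) if (last[a] >= cutoff) print a, last[a] }
    ' "$e_banfile.times" > "$e_banfile.times.new" \
        && mv "$e_banfile.times.new" "$e_banfile.times"
    awk '{ print $1 }' "$e_banfile.times" > "$e_banfile"
}

# Stand-alone use (hypothetical wiring): "record ADDR" from the notify script
# in place of the plain echo, "expire [SECONDS]" from cron (default 7 days).
case ${1:-} in
    record) record_ban /var/log/ssh.denial.log "$2" ;;
    expire) expire_bans /var/log/ssh.denial.log "${2:-604800}" ;;
esac
```

The bare ban file keeps the exact format the posted hosts.allow rule already reads, so swapping the script in changes nothing on the tcpd side; the only behavioural difference a defender sees is that a mangled address is logged to stderr instead of being written, and that old entries drop out on the cron schedule rather than all at once.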


>>> "Terrell Prudé Jr." <microman at cmosnetworks.com> 1/2/2008 11:22 AM
>>>

Craig White wrote:
> On Wed, 2008-01-02 at 10:49 -0600, Les Mikesell wrote:
>> Michael Blinn wrote:
>>> Not true. I use and recommend the package 'denyhosts' - Nice little
>>> python script that daemonizes to periodically check /var/log/secure,
>>> adding IPs from brute-force attackers to /etc/hosts.deny, then emails me
>>> its actions. You can also set an auto-expire time for those blocks. I
>>> love it.
>> Which distribution includes that package?
> ----
> RHEL/CentOS (via rpmforge)
>
> # rpm -q denyhosts
> denyhosts-2.6-3.el5.rf
>
> Fedora
>
> base
>
> Craig

Debian Etch definitely has denyhosts (I just checked mine), and I hear
(though haven't yet verified) that Ubuntu Feisty and later also has it.

I'll check that out on my Feisty box when I get to work.  However, I do
have a Dapper box handy, so I just now verified that Dapper does *not*
have it, at least on PowerPC (fail2ban is there, though, so we still
win).

If your distro doesn't have it in the repositories, then just go here:

  http://denyhosts.sourceforge.net/ 

--TP
_______________________________
Do you GNU <http://www.gnu.org>?
Microsoft Free since 2003 <http://www.cmosnetworks.com>--the ultimate
antivirus protection!


