[K12OSN] OT: Break-In report
Rob Asher
rasher at paragould.k12.ar.us
Wed Jan 2 18:06:32 UTC 2008
I hacked out a tcpwrappers script a long time ago that's similar in
function to 'denyhosts'. It should be generic enough to work on most
distros using 'hosts.allow'. Just modify your 'hosts.allow' to
something like this:
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
### Pull Allowed SSH IPs from this file.
sshd : /etc/sshd.hosts : allow
###
### Deny anyone logged in the ssh.denial.log file already.
# ALL : /var/log/ssh.denial.log : twist /bin/echo "%h has been banned from this server!"
ALL : /var/log/ssh.denial.log : DENY
###
### If we've made it this far, notify me and add the IP to the ban list.
sshd : ALL : spawn (/etc/sshd-notify.sh %a %u %c %p) & : DENY
##################
Then create the /etc/sshd.hosts file and add in the allowed
IPs/subnets. touch /var/log/ssh.denial.log and make the sshd-notify
script executable:
#!/bin/bash
##
## sshd-notify
## System SSHD Connection Refused Notification Script
## Rob Asher - rasher at paragould.k12.ar.us
##
## Notifies administrator when a server SSHD Connection is Refused.
## Sends e-mail notification to the administrator
## when a SSHD Connection is Refused and logs the IP to a ban list file.
##
## Called from hosts.allow as: spawn (/etc/sshd-notify.sh %a %u %c %p)
## so the arguments arrive as: client IP, client user, client info, daemon PID.
PATH=/usr/sbin:/usr/bin:/bin
: ${4?"Usage: $0 IP User Host PID"}
# Script exits here if command-line parameters absent,
# with following error message:
# sshd-notify.sh: 4: Usage: sshd-notify.sh IP User Host PID
MAILADDY="you at whereever.com"
IN_IP=$1
USER=$2
#HOST=$3
# strip leading garbage added by RHEL 4.x machines if host is an IP
HOST=`echo $3 | sed 's/^::[Ff]\{4\}://'`
PID=$4
DATE="`date`"
SERVERNAME="`uname -n`"
LOGFILE="/var/log/ssh.denial.log"
# function to remove leading garbage added to IPs on 4.x boxes;
# sets the global IP used in the mail body and the ban list below
function cleanIP {
  IP=`echo $1 | sed 's/^::[Ff]\{4\}://'`
}
cleanIP $IN_IP
mail -s "[$SERVERNAME] Security Report" $MAILADDY <<EOF
From: $0 on $SERVERNAME
To: $MAILADDY
Subject: Security Report from $SERVERNAME
TCP Wrappers: Connection Refused
Server: $SERVERNAME
Process: sshd (pid $PID)
User: $USER
Host: $HOST
IP: $IP
Date: $DATE
If this activity persists, please investigate further.
EOF
echo "$IP" >> "$LOGFILE"
exit 0
##############
There are a couple of things specific for RHEL/CentOS 4.x in the
script. For some reason the IP always begins with "::ffff:" hence
removing it with sed. I also have a cron job set up to clean out the
ssh.denial.log file periodically. Maybe someone else will find these
scripts useful. :-)
Regards,
Rob
-------------------------------------
Rob Asher
Network Systems Technician
Paragould School District
(870)236-7744 Ext. 169
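A stricter version of the cleanIP and "append to the ban list" step, added here as an example and not part of Rob's script: it strips the same "::ffff:" prefix, refuses to record anything that is not a dotted-quad IPv4 address (so a hostname or garbage can never land in the file hosts.allow reads), and records each address only once, since the original appends on every refused connection. The scratch file and the 203.0.113.x / 198.51.100.x addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of Rob's script: a stricter replacement for the
# cleanIP + "echo $IP >> $LOGFILE" step. Paths and addresses below are constructed.

# clean_ip ADDR: print ADDR without the "::ffff:" prefix RHEL/CentOS 4.x prepends,
# or return 1 if what remains is not a dotted-quad IPv4 address, so nothing but
# a plain address can ever be written into the file hosts.allow reads.
clean_ip() {
    ip="${1#::[Ff][Ff][Ff][Ff]:}"          # same effect as the sed in the original
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots allowed
    esac
    old_ifs=$IFS; IFS='.'; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# record_ban ADDR FILE: add the cleaned address to FILE only if it is not already
# listed (the original appends on every refused connection, so the list grows
# with duplicates). Prints "added" or "present"; returns 1 for an invalid address.
record_ban() {
    ip=$(clean_ip "$1") || return 1
    if grep -qxF "$ip" "$2" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$ip" >> "$2"
        echo added
    fi
}

# Constructed demo against a scratch copy of the ban list
demo_log=$(mktemp)
echo 203.0.113.7 > "$demo_log"
record_ban ::ffff:203.0.113.7 "$demo_log"                    # present
record_ban ::FFFF:198.51.100.4 "$demo_log"                   # added
record_ban "203.0.113.7 extra" "$demo_log" || echo rejected   # rejected
rm -f "$demo_log"
```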
>>> "Terrell Prudé Jr." <microman at cmosnetworks.com> 1/2/2008 11:22 AM >>>
Craig White wrote:
> On Wed, 2008-01-02 at 10:49 -0600, Les Mikesell wrote:
>
>> Michael Blinn wrote:
>>
>>> Not true. I use and recommend the package 'denyhosts' - Nice little
>>> python script that daemonizes to periodically check /var/log/secure,
>>> adding IPs from brute-force attackers to /etc/hosts.deny, then emails me
>>> its actions. You can also set an auto-expire time for those blocks. I
>>> love it.
>>>
>> Which distribution includes that package?
>>
> ----
> RHEL/CentOS (via rpmforge)
>
> # rpm -q denyhosts
> denyhosts-2.6-3.el5.rf
>
> Fedora
>
> base
>
> Craig
>
>
Debian Etch definitely has denyhosts (I just checked mine), and I hear
(though haven't yet verified) that Ubuntu Feisty and later also has it.
I'll check that out on my Feisty box when I get to work. However, I do
have a Dapper box handy, so I just now verified that Dapper does *not*
have it, at least on PowerPC (fail2ban is there, though, so we still
win).
If your distro doesn't have it in the repositories, then just go here:
http://denyhosts.sourceforge.net/
--TP
_______________________________
Do you GNU <http://www.gnu.org>?
Microsoft Free since 2003 <http://www.cmosnetworks.com>--the ultimate
antivirus protection!