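#!/bin/sh
# Ashtray
# Asterisk brute force watcher
# J. Oquendo sil @ infiltrated . net
# run from cron...
#
# NOTE:
# Some users may have to change their fields in awk depending on distro
# and logging.conf settings... Easiest way to test this, is to run this
# as a one liner and check the output before putting it in cron
# tested on FC5 & Debian and it worked fine... I don't advise you run
# this on a production machine until you've fully tested it against
# your own logs and system.
# uname -a
# Linux linuxbox 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
# uname -a
# Linux voip.xxx.xxx 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686 i386 GNU/Linux
#
# And this concludes this month's horrible method of shell scripting...
#
# What the script does (everything is derived from /var/log/asterisk/messages):
#   1. appends "Username/auth" failures to $logdir/auth.issues.log
#   2. prints (does NOT execute) iptables REJECT rules for the source
#      addresses of failed registrations
#   3. appends "Wrong password" registrations to $logdir/wrong.passwords.log
#   4. repeats step 2 with a different sort order (kept from the original)
# Nothing touches the firewall unless the caller pipes this output into a
# shell, so the address allow-list in reject_rules_for_failed_registrations
# is what stands between a crafted log line and a bogus rule.

set -eu

logfile=/var/log/asterisk/messages
logdir=$HOME

# Interface name and its IPv4 address, parsed from old-style ifconfig output
# (line 1 starts with the name, line 2 holds "inet addr:a.b.c.d ...").
# This is the FC5/Debian-era layout; adjust if your ifconfig prints otherwise.
inface=$(ifconfig eth0 | sed -n '1p' | awk '{print $1}')
ifaddr=$(ifconfig eth0 | sed -n '2p' | awk -F : '{print $2}' | awk '{print $1}')

# Without both values every generated rule would have an empty -i/-d and be
# malformed, so stop here rather than print garbage.
if [ -z "$inface" ] || [ -z "$ifaddr" ]; then
  printf 'ashtray: could not determine interface/address of eth0\n' >&2
  exit 1
fi

#######################################
# Turn failed-registration log lines (stdin) into iptables REJECT commands
# (stdout), one per unique source address.
# The NF/field-position guards are the original author's defence against a
# log line crafted to smuggle extra tokens into the rule; on top of that,
# only a plain dotted-quad IPv4 string that is not this host's own address
# is ever placed into a command line, and the interface/address are passed
# to awk as variables instead of being spliced into the awk program text.
# `-p IP` is kept from the original; confirm your iptables resolves it
# (protocol names come from /etc/protocols) before piping rules anywhere.
# Globals:   ifaddr, inface (read)
# Arguments: $1 - sort flags for the address list (default -ru)
# Outputs:   iptables command lines on stdout
#######################################
reject_rules_for_failed_registrations() {
  awk 'NF<=15 && ($5=="Registration" || $9=="Failed") && $14=="name" {print $11}' |
    sed "s/'//g" |
    sort "${1:--ru}" |
    awk -v ifaddr="$ifaddr" -v inface="$inface" '
      $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 != ifaddr {
        print "iptables -A INPUT -s " $1 " -i " inface " -d " ifaddr " -p IP -j REJECT"
      }'
}

# Keep a log of (l)users... easier to keep track of in
# case they're legit and I have to reinstate them....
tail -n 5000 "$logfile" |
  awk '/Username\/auth/ {print $7, $10}' |
  sed "s/'//g" |
  grep '\.' |
  sort -ru |
  awk '{print "User(s) with authentication issues " $1 " from " $2}' >> "$logdir/auth.issues.log"

# Rinse and repeat... Now we block them... (the commands are printed, not run)
tail -n 5000 "$logfile" | reject_rules_for_failed_registrations -ru

# Keep track of and block wrong password users...
# NOTE(review): the copy this was restored from lost the end of this pipeline
# (everything between the "s/@/ /g" substitution and the redirect, most likely
# further sed substitutions plus a sort/format stage like the sections above).
# TODO: restore the missing stage(s) from the original before relying on this log.
tail -n 1000 "$logfile" |
  awk '/Registration/ && /Wrong password/ {print $1, $2, $7, $10}' |
  sed "s/'//g;s/@/ /g" >> "$logdir/wrong.passwords.log"

# Rinse repeat... Now we block em (second pass kept from the original; it
# prints the same rules, only the sort order of the address list differs)
tail -n 5000 "$logfile" | reject_rules_for_failed_registrations -u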