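#!/bin/sh
# Sharpener v.2 (reviewed)
# SSH brute force blocker and reporter tool running from cron
# (c) 2006 J. Oquendo
# sil @ infiltrated dot net
#
# I got tired of seeing questions posted on blocking brute force attempts. This was started as a small
# project and was a clean 7 line script... However, I thought it would come in handy to give admins
# the option of sharing information on brute force attempts. This information will be shared weekly
# for others to use. Something akin to a "RBL" for brute force addresses.
#
# The theory behind this is, if enough addresses are accumulated, perhaps network engineers can
# take a peek from time to time and see who if anyone on their network is attacking another
# machine.
#
# On the backend side of this, should you enable the report (REPORT_TO below), addresses
# will be taken, sorted, posted to a page, and an auto generated email will be sent to the attackers
# provider and upstream.
#
# I made this for a Linux machine I administer and was tired of sifting through logs and having to
# block out attackers... I post the data that is sent to my account to a specific webserver, then
# on all machines I come in contact with, they all wget this file and add the offenders to their
# lists too. Think of it as an all inclusive oddly managed "attacker repository"
#
# The original was tested on FC5, Scientific Linux, SuSE 10.1, FC3, NetBSD, FreeBSD; this
# revision has not been re-tested on those releases.
#
# Results mailed will be posted weekly at www.infiltrated.net/bruteforcers
#
# Review notes -- what changed in this revision and why:
#   * The installer used to fetch six lines from infiltrated.net over plain HTTP and append them
#     to the script that cron runs as root every ten minutes. Whoever controlled that host (or the
#     network path) could therefore run anything as root on every installed machine. The installed
#     copy is now this file itself; nothing is downloaded.
#   * The generated "iptables ..." command text was piped to sh. iptables is now called directly
#     with a validated dotted-quad argument, so nothing read from a file is ever parsed as shell.
#   * Addresses are anchored-matched as IPv4 before they reach /etc/hosts.deny or iptables.
#   * hosts.deny entries are written as "sshd : a.b.c.d". hosts_access(5) requires a
#     "daemon : client" pair; a bare address is a syntax error that tcpd reports and skips, so the
#     old bare lines only served as a registry for the iptables rules. Old bare lines are still read.
#   * iptables rules and the cron entry are added once, not duplicated on every run, and the
#     crontab is edited through crontab(1) rather than by appending to the spool file.
#   * The "-d <local ip>" restriction was built from a possibly multi-line ifconfig result, which
#     broke the rule on multi-homed hosts; the rule now matches on source and port 22 only.
#   * Mailing the block list to a third party is opt-in, as the header already said it should be,
#     and only newly blocked public addresses are sent. 172.32/16 is public space; the RFC 1918
#     range is 172.16.0.0/12 and is now excluded correctly (10/8 too).
#   * The installer no longer deletes the file it was run from.
#
# Usage: run once as root to block current offenders and install the cron job.
# The cron copy (/usr/local/bin/sharpener) re-runs the blocking part every ten minutes.

umask 022
set -u

# Destination for the report of newly blocked addresses. Empty disables mailing.
# To share with the original project set SHARPENER_REPORT_TO=sharpener@infiltrated.net.
REPORT_TO=${SHARPENER_REPORT_TO:-}
INSTALL_PATH=/usr/local/bin/sharpener
CRON_LINE="0,10,20,30,40,50 * * * * $INSTALL_PATH"
HOSTS_DENY=/etc/hosts.deny

# Anchored dotted-quad IPv4, each octet 0-255, no leading zeros.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4_RE="^${OCTET}(\\.${OCTET}){3}\$"

# Print a message on stderr and exit non-zero.
die() {
  printf 'sharpener: %s\n' "$*" >&2
  exit 1
}

# Print the first sshd log file that exists. Returns 1 when none is found.
find_auth_log() {
  for candidate in /var/log/secure /var/log/auth.log /var/log/authlog; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# True when $1 is loopback or RFC 1918 private space.
is_private() {
  case $1 in
    127.*|10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Print (sorted, unique) the source addresses of "Invalid user <name> from <addr>" lines in $1.
# Field positions are fixed by sshd, not by the attacker: with NF<=10 and "from" in field 9 the
# username can only be one token, so a chosen username cannot shift a fake address into field 10
# (the point raised in Tavis Ormandy's note on the original). IPv4-mapped IPv6 ("::ffff:") is
# unwrapped; anything that is not a dotted quad afterwards is dropped.
log_attackers() {
  awk 'NF<=10 && ($6=="Invalid" || $7=="user") && $9=="from" {print $10}' "$1" |
    sed 's/^::ffff://' |
    LC_ALL=C grep -E "$IPV4_RE" |
    sort -u
}

# Print (sorted, unique) the addresses already recorded in hosts.deny. The last field of each
# non-comment line is taken so both legacy bare lines and "sshd : addr" lines are recognised.
denied_addresses() {
  [ -f "$HOSTS_DENY" ] || return 0
  awk '!/^ *#/ && NF {print $NF}' "$HOSTS_DENY" |
    sed 's/^::ffff://' |
    LC_ALL=C grep -E "$IPV4_RE" |
    sort -u
}

# Print the IPv4 addresses configured on this host, so the host never firewalls itself.
# Uses ip(8) when present, otherwise ifconfig ("inet addr:x.x.x.x" on old Linux, "inet x.x.x.x" on BSD).
local_addresses() {
  if command -v ip >/dev/null 2>&1; then
    ip -4 -o addr 2>/dev/null | awk '{sub(/\/.*/, "", $4); print $4}'
  else
    ifconfig -a 2>/dev/null |
      awk '/inet / && !/inet6/ {sub(/^addr:/, "", $2); print $2}'
  fi
}

# True when an sshd REJECT rule for $1 already exists in INPUT.
# "iptables -C" is not available on older releases, so the numeric listing is parsed instead.
have_rule() {
  iptables -n -L INPUT 2>/dev/null |
    awk -v ip="$1" '$1=="REJECT" && $4==ip {found=1} END {exit !found}'
}

# Add a REJECT rule for SSH from $1 unless one is already present.
# $1 is only ever a string that matched IPV4_RE, and it is passed as an argument, never via sh.
block_ssh() {
  have_rule "$1" && return 0
  iptables -A INPUT -s "$1" -p tcp --dport 22 -j REJECT
}

# Install this script for cron, once. Does nothing when already running from INSTALL_PATH
# (i.e. when started by cron).
install_self() {
  if [ -e "$INSTALL_PATH" ] && [ "$0" -ef "$INSTALL_PATH" ]; then
    return 0
  fi
  if [ ! -f "$0" ]; then
    printf 'sharpener: cannot locate own source (%s); not installing\n' "$0" >&2
    return 1
  fi
  if [ ! -f "$INSTALL_PATH" ] || ! cmp -s -- "$0" "$INSTALL_PATH"; then
    echo "Copying sharpener to $INSTALL_PATH"
    cp -- "$0" "$INSTALL_PATH" && chmod 755 -- "$INSTALL_PATH"
  fi
  # Edit the crontab through crontab(1): cron may not notice a spool file changed in place,
  # and checking first avoids adding the same entry on every installer run.
  if ! crontab -l 2>/dev/null | grep -qF -- "$INSTALL_PATH"; then
    echo "Adding Sharpener to cron"
    echo "$CRON_LINE"
    { crontab -l 2>/dev/null; echo "$CRON_LINE"; } | crontab -
  fi
}

# Mail the newly blocked public addresses listed in file $1 to REPORT_TO, if set.
# Private and loopback addresses are never sent.
report() {
  [ -n "$REPORT_TO" ] || return 0
  [ -s "$1" ] || return 0
  command -v mail >/dev/null 2>&1 || return 0
  : > "$1.mail"
  while IFS= read -r addr; do
    is_private "$addr" && continue
    printf '%s has been blocked via SSH\n' "$addr"
  done < "$1" >> "$1.mail"
  [ -s "$1.mail" ] && mail -s "Sharpener" "$REPORT_TO" < "$1.mail"
}

main() {
  [ "$(id -u)" = 0 ] || die "This script needs to run under the root user"

  authlog=$(find_auth_log) || die "no sshd log found (tried /var/log/secure, /var/log/auth.log, /var/log/authlog)"

  workdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${workdir:?}"' EXIT HUP INT TERM

  log_attackers "$authlog" > "$workdir/seen"
  denied_addresses > "$workdir/known"
  local_addresses > "$workdir/local"

  # New offenders: seen in the log, not yet in hosts.deny, and not one of our own addresses.
  : > "$workdir/new"
  while IFS= read -r addr; do
    grep -qxF -- "$addr" "$workdir/known" && continue
    grep -qxF -- "$addr" "$workdir/local" && continue
    printf '%s\n' "$addr" >> "$workdir/new"
  done < "$workdir/seen"

  if [ -s "$workdir/new" ]; then
    # hosts_access(5) needs "daemon : client"; a bare address is ignored by tcpd.
    while IFS= read -r addr; do
      printf 'sshd : %s\n' "$addr"
    done < "$workdir/new" >> "$HOSTS_DENY"
  fi

  if [ "$(uname)" = Linux ] && command -v iptables >/dev/null 2>&1; then
    # Apply a rule for every recorded address (iptables rules do not survive a reboot, so the
    # list in hosts.deny is the durable record), but add each rule only once.
    cat "$workdir/known" "$workdir/new" | sort -u |
      while IFS= read -r addr; do
        grep -qxF -- "$addr" "$workdir/local" && continue
        block_ssh "$addr" || printf 'sharpener: iptables failed for %s\n' "$addr" >&2
      done
  fi

  install_self
  report "$workdir/new"
}

main "$@"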