Re: SSH bruteforce on its way...
foxxz.net_at_gmail.com
Date: 10/19/05
- Previous message: Volker Tanger: "SSH bruteforce on its way..."
- Maybe in reply to: Volker Tanger: "SSH bruteforce on its way..."
- Next in thread: jouser_at_gmail.com: "Re: SSH bruteforce on its way..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 19 Oct 2005 20:47:39 -0000
To: incidents@securityfocus.com

Here's a Perl script I made to help solve my problem. I have been seeing these the past 2 years at least. This works on debian sarge (ssh 3.8). Can easily be changed for other ssh versions. Run like this...
tail -n0 -F /var/log/auth.log |logflow.pl |awk -W interactive '{ print "sshd: "$1 }' >> /etc/hosts.deny 2>&1 &
and here is the logflow.pl...
#!/usr/bin/perl
use strict;
use warnings;
use Regexp::Common qw /net/;

# ips that shouldn't be banned
my %safe = map { $_ => 1 } ('192.168.51.1', '1.2.3.4');
# number of illegal users received in 1 minute that will trigger a ban
my $thresh = 4;

$| = 1;    # unbuffered output: each IP reaches hosts.deny as soon as it is printed
my $remember = '';
my $found    = 0;
my %banned;

while (<STDIN>) {
    next unless /Illegal user/;
    # e.g. "Oct 19 20:47:39 host sshd[1234]: Illegal user foo from 1.2.3.4"
    my @line = split ' ', $_;
    my ($hour, $min) = split ':', $line[2];
    my $ip  = defined $line[9] ? $line[9] : '';
    # month, day, hour, minute and source IP: consecutive hits on the same
    # key within one minute count towards the threshold
    my $key = "$line[0] $line[1] $hour $min $ip";
    if ($key eq $remember && !$banned{$ip} && !$safe{$ip}
        && $ip =~ /^$RE{net}{IPv4}$/) {
        $found++;
        if ($found == $thresh - 1) {
            print "$ip\n";
            $banned{$ip} = 1;
        }
    } else {
        $found = 0;
    }
    $remember = $key;
}
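The same threshold-per-minute detection as the Perl script, written as an added Python example (not part of the original post) that generalizes it slightly: attempts are counted per source IP within a calendar minute, so interleaved sources do not reset each other's count, and both the OpenSSH 3.x "Illegal user" and the later "Invalid user" wording are matched. The function names, the whitelist entry and the sample log lines are constructed for this example.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# OpenSSH 3.x logs "Illegal user"; later releases say "Invalid user".
LINE_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hour>\d\d):(?P<min>\d\d)"
                     r":\d\d \S+ sshd\[\d+\]: (?:Illegal|Invalid) user .*? from (?P<ip>\S+)")

def ips_to_ban(lines, thresh=4, safe=frozenset()):
    """Yield each IP once, when it reaches `thresh` illegal-user attempts in one
    calendar minute.  Counted per IP, so interleaved sources do not reset it."""
    counts = defaultdict(int)        # ip -> attempts seen in the current minute
    current_minute, banned = None, set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        try:
            ipaddress.IPv4Address(ip)  # skip hostnames or garbage, like the Perl check
        except ValueError:
            continue
        if ip in safe or ip in banned:
            continue
        minute = (m["mon"], m["day"], m["hour"], m["min"])
        if minute != current_minute:   # new minute: drop stale counters
            counts.clear()
            current_minute = minute
        counts[ip] += 1
        if counts[ip] >= thresh:
            banned.add(ip)
            yield ip

# Constructed sample lines (not real traffic) covering the edge cases.
SAMPLE_LOG = [
    "Oct 19 20:47:01 host sshd[1001]: Illegal user admin from 203.0.113.7",
    "Oct 19 20:47:02 host sshd[1002]: Illegal user test from 198.51.100.3",
    "Oct 19 20:47:03 host sshd[1003]: Illegal user oracle from 203.0.113.7",
    "Oct 19 20:47:05 host sshd[1004]: Invalid user guest from 203.0.113.7",
    "Oct 19 20:47:09 host sshd[1005]: Illegal user admin from 203.0.113.7",
    "Oct 19 20:47:10 host sshd[1006]: Illegal user root from 203.0.113.7",
    "Oct 19 20:48:11 host sshd[1007]: Illegal user admin from 198.51.100.3",
    "Oct 19 20:48:12 host sshd[1008]: Illegal user x from not-an-ip.example",
]

if __name__ == "__main__":   # tail -n0 -F /var/log/auth.log | python3 logflow.py
    for ip in ips_to_ban(sys.stdin, safe={"192.168.51.1"}):
        print(f"sshd: {ip}", flush=True)
```

Because counters are cleared at each minute boundary, a burst that straddles 20:47:59 and 20:48:00 is split in two, exactly as in the Perl version; widen the window if that matters on your host.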