On 06-Jul-06 Laurie Brown wrote:
Hi,
I could use a little help with some scripting. My perl/python is rudimentary, and bash not a lot better, but I'm sure this isn't too hard to do...
We get a lot (read thousands a day) of these lines in logs on all the machines we support, including our own:
Jul 6 16:53:24 xxx sshd[1628]: Invalid user chris from 202.202.43.110
It's a script kiddie trying to take advantage of an exploit in SSH. We use key-based authentication only, on SSH V2, so no real risk there, but it's annoying.
What I'd like to do is monitor the logs for such a line (or maybe three on the trot), and immediately do this:
/sbin/route add -host 202.202.43.110 reject
which will lock them out until a restart.
Any help appreciated!
Cheers, Laurie.
The following may perhaps be a bit simplistic for your purpose, but something on these lines might work for you.
tail -f -n 1 logfile | grep --line-buffered sshd | grep --line-buffered "Invalid user" | awk '$NF ~ /^[0-9]+(\.[0-9]+){3}$/ { system("/sbin/route add -host " $NF " reject") }'
where "logfile" is the pathname of the file where your logs are sent.
This will take action each time -- and only then -- when you get a line with "sshd" and "invalid user" in it, on the assumption that any such line ends in an IP address. If this assumption does not hold, then you may need to be a bit more subtle about it.
Hoping this helps, Ted.
E-Mail: (Ted Harding) Ted.Harding@nessie.mcc.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 06-Jul-06 Time: 17:50:50
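A worked version of what Laurie asked for, added here as an example and not code from either poster: a Python filter fed by tail -f that counts sshd "Invalid user" lines per source address and adds the reject route only after three of them from the same address. The threshold of three, the /sbin/route command line and the /var/log/auth.log path in the usage comment are assumptions; the address is validated as an IPv4 literal before it reaches the command, which is run as an argument list rather than through a shell.

```python
import ipaddress
import re
import subprocess
import sys
from collections import Counter

# sshd's "Invalid user <name> from <ip>" line; only the address is captured and used.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)$")
THRESHOLD = 3  # "three on the trot", as in the original question (assumption)


def offending_ip(line):
    """Return the source IPv4 address from an sshd 'Invalid user' line, else None."""
    m = INVALID_USER_RE.search(line.rstrip("\n"))
    if not m:
        return None
    try:
        # Rejects anything that is not a literal IPv4 address, so nothing odd
        # from the log can be passed to route(8).
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:
        return None


def block(ip, run=subprocess.run):
    """Add a reject route for ip; returns route's exit status."""
    # Argument list, not a shell string: log content never reaches a shell.
    return run(["/sbin/route", "add", "-host", ip, "reject"], check=False).returncode


def process(lines, threshold=THRESHOLD, run=subprocess.run):
    """Consume log lines; returns the addresses blocked, in the order blocked."""
    counts = Counter()
    blocked = []
    for line in lines:
        ip = offending_ip(line)
        if ip is None or ip in blocked:  # ignore other lines; block each address once
            continue
        counts[ip] += 1
        if counts[ip] >= threshold:
            block(ip, run)
            blocked.append(ip)
    return blocked


if __name__ == "__main__":
    # Usage (path is an assumption): tail -F /var/log/auth.log | python3 sshblock.py
    process(sys.stdin)
```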