Login or Register to Ask a Question and Join Our Community


Shell Programming and Scripting

Help, SSH /ipfw block script

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Top Forums Shell Programming and Scripting Help, SSH /ipfw block script
# 1  
Old 03-25-2012
Help, SSH /ipfw block script
Hello,

This is an SSH Block hammer script using ipfw, that I have modified for my own use. It is for a freenas 7.2 box which is FreeBSD based.

The script works, but if there is more then one hammer attack per day, my issue is the script reads the first five instances of refused or invalid users lines from the logs, not the most recent which is what I'd like it to do. Can some one better at scripting help me. The script is split into two searchs because of the need to parse the parentheses from the refused connections awk output.
TIA

DP

Script follows:
Code:
#!/bin/sh
#begin routine for refused connections
#del existing block rule
if ipfw show | awk '{print $1}' | grep -q 350 ; then
        ipfw delete 350
fi
#5 or more refused connections
awk '/refused/  {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/sshd.log |sed 's/[()]//g'|
while read ip
do
echo 'adding' $ip        
ipfw -q add 350 deny tcp from $ip to any in
done
#
#begin routine for invalid users
if ipfw show | awk '{print $1}' | grep -q 360 ; then
        ipfw delete 360
fi
awk '/Invalid user/ {try[$(NF)]++}
END {for (h in try) if (try[h] > 5) print h}' /var/log/sshd.log |
while read ip
do
echo 'adding' $ip        
ipfw -q add 360 deny tcp from $ip to any in
done

# 2  
Old 03-26-2012
This will pickup only the first IP appears more than 5 times as refused (or Invalid user) and block:

Code:
#!/bin/sh
#begin routine for refused connections
#del existing block rule
if ipfw show | awk '{print $1}' | grep -q 350 ; then
        ipfw delete 350
fi
#First with 5 or more refused/Invalid user connections
awk '/refused/&&++try[$NF]>5{gsub(/[)(]/,"",$NF); print $NF; exit}' /var/log/sshd.log |
while read ip
do
    echo 'adding' $ip        
    ipfw -q add 350 deny tcp from $ip to any in
done
#
#begin routine for invalid users
if ipfw show | awk '{print $1}' | grep -q 360 ; then
        ipfw delete 360
fi
awk '/Invalid user/&&++try[$NF]>5{gsub(/[)(]/,"",$NF); print $NF; exit}' /var/log/sshd.log |
while read ip
do
    echo 'adding' $ip        
    ipfw -q add 360 deny tcp from $ip to any in
done

Is this what you wanted or did you want first IP that appears more the 5 times as EITHER Reject or Invalid?
This User Gave Thanks to Chubler_XL For This Post:
dpreviti
# 3  
Old 03-26-2012
I'm an idiot. Needs over 5 duh..

Thanks
Last edited by dpreviti; 03-26-2012 at 11:33 AM.. Reason: needed more coffee this AM PEBKAC
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. UNIX for Beginners Questions & Answers

How to have local shell variables in a ksh script seen on remove server in SSH block?

I have googled this and found many solutions, but none of them are working for me. I am in a korn shell, most others reference bsh, maybe that is the issue? Anyway, all I am trying to do is use a variable I have declared in my main script in a remote shell I am running through ssh. So I have a... (8 Replies)
Discussion started by: DJR
8 Replies

2. OS X (Apple)

How to enable ipfw.log?

Under Mountain Lion, I want logs from ipfw sent to ipfw.log instead of dumped in system.log I've tried to figure out how OSX handles logs, but... after going back and forth between a syslog.conf which does little if anything, a newsyslog.conf that seems to only handle rotation, an asl.conf that... (3 Replies)
Discussion started by: jnojr
3 Replies

3. Cybersecurity

pass syntax iptables to ipfw

Hello, excuse my English. Please could tell me how I can pass this syntax for iptables to ipfw. iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name thor --rdest -j ACCEPT iptables -A INPUT -p tcp -m tcp --tcp-flag RST RST -m state --state ESTABLISHED -m recent... (0 Replies)
Discussion started by: dot357
0 Replies

4. UNIX for Advanced & Expert Users

ipfw and dhcp

Hello, I have a little problem with my server configuration. So: I have two PC's with DHCP enable and both of them have two NIC's. PC1 - le0 ADSL PC1 - le1 192.168.10.1 PC2 - le0 192.168.10.10 PC2 - le1 192.168.20.1 One NIC on PC1 is connected to ADSL, another one have IP address... (3 Replies)
Discussion started by: mrowcp
3 Replies

5. BSD

Using several pipes in ipfw (dummynet)

Hi! I've already posted this on the freebsd-questions mailing list, but I thought I could try it here too. I'm using FreeBSD 7.0 with IPFW DUMMYNET enabled. I've got a problem with creating a ruleset, which allows me to limit the overall bandwidth of a link and afterwards pass the packets... (0 Replies)
Discussion started by: xenator
0 Replies

6. Cybersecurity

FreeBSD IPFW Rules clarification please...

Hello. I hope you can help me please. We are about to bring a few servers online which will be hosting different things... For one server, it will be hosting a HTTPd, and just wanted to know whether these rules are correct that I have? To ensure the right interfaces etc, here's a copy of... (1 Reply)
Discussion started by: DanUK
1 Replies

7. UNIX for Dummies Questions & Answers

Need help with IPFW.. Please...

Hi folks, I am a Mac User, and have little knowledge on IPFW. I have a set up at home where my computer (with 2 ethernet cards and static IP adresses) serves Internet to my family's computers. I have already a script that will run automatically at login and called from Cron at certain... (2 Replies)
Discussion started by: fundidor
2 Replies

8. BSD

ipfw slow ssh and ftp connections

just as the title says. thanks. #General Rule Sets /sbin/ipfw add 0300 check-state /sbin/ipfw add 0301 deny tcp from any to any in established /sbin/ipfw add 0302 pass tcp from any to any out setup keep-state /sbin/ipfw add 0303 pass udp from any to any out #SSH FTP /sbin/ipfw add 0400... (11 Replies)
Discussion started by: dwildgoose
11 Replies

9. Cybersecurity

ipfw directives and order of precidence...

Is there a general rule I can apply when examining/editing ipfw entries? Also, does each new entry have to have a unique rule number? And, I think I can write a script to block code red infected machines (though I'm not sure it would do more than slim down my web server error message log),... (0 Replies)
Discussion started by: [MA]Flying_Meat
0 Replies

10. UNIX for Dummies Questions & Answers

fBSD nat ipfw

i am running nat on my freeBSD and web/ftp server. The rule allow ip from any to any must always be? or how? if i accept all packets to go on my ep0 which diverts all to my intranet it doesnt help, must the rule allow ip from any to any always be ? even if many rules are between divert rule and... (3 Replies)
Discussion started by: hachik
3 Replies
Login or Register to Ask a Question