
sshmonitor 0.3


Nigel Horne

May 13, 2005, 5:18:30 PM5/13/05
#!/usr/bin/perl -wT

# Copyright (C) 2005 Nigel Horne <n...@despammed.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# For a copy of the licence for this software, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

# sshmonitor 0.3
# Block persistent ssh password-guessing: once a source address has failed
# $triggerlevel logins it is appended to /etc/hosts.deny as an "sshd:" entry.
# This only takes effect if sshd honours TCP wrappers (libwrap) on the host.
# 13/5/05: Catch entries such as Failed password for root from
#
# Install in /usr/local/sbin/sshmonitor and start thus (in /etc/rc.local):
# /usr/local/sbin/sshmonitor >> /var/log/secure 2>&1 &
# It appends to /etc/hosts.deny, so it has to run with permission to write
# that file. Logging via syslog would be better than appending to $log.

use strict;
use IO::Handle;
use NetAddr::IP;

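# --- Configuration --------------------------------------------------------
my $log = '/var/log/secure';  # sshd log to follow (Redhat/Fedora)
my $deny = '/etc/hosts.deny'; # TCP wrappers file that "sshd: <ip>" bans are appended to
my $checktime = 5;            # seconds to sleep between polls of $log

# Sources inside this network are never banned.  Direct method call rather
# than indirect-object "new NetAddr::IP(...)" syntax; new() returns undef
# for an unparsable address, which must not go unnoticed here.
my $localnet = NetAddr::IP->new("192.168.1.0/24")
    or die "bad localnet specification\n";

my $triggerlevel = 5; # failed logins from one address before it is banned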

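# Follow $log from its current start.  LOG is a package handle on purpose:
# the main loop reads it with <LOG> and clears its EOF flag with
# LOG->clearerr() after every poll.  Three-argument open so the path can
# never be interpreted as a mode or a pipe specification.
open(LOG, '<', $log) or die "tail $log: $!\n";

# Failed-login tally per source address.  An address is dropped from here
# once it has been written to $deny, or when it turns out to be there already.
my %blacklist = ();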

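# True if $path currently lists $addr as a whole token.  The address is
# quotemeta'd so a "." in it cannot act as a wildcard and nothing taken from
# the log can change the meaning of the pattern (the old /$ip/ interpolated
# it raw); token boundaries keep "1.2.3.4" from matching "11.2.3.45".
sub already_denied {
    my ($path, $addr) = @_;
    open(my $fh, '<', $path) or die "$path: $!\n";
    my $found = 0;
    while (my $entry = <$fh>) {
        if ($entry =~ /(?<![\w.:])\Q$addr\E(?![\w.:])/) {
            $found = 1;
            last;
        }
    }
    close($fh);
    return $found;
}

# Reopen LOG when $path has been rotated out from under it (different
# device/inode) and rewind it when the file was truncated in place, e.g.
# logrotate's copytruncate.  Without this the monitor keeps polling the old,
# now idle inode after the first rotation and silently stops seeing new
# failures.  A path that is momentarily absent mid-rotation is left alone
# and retried on the next cycle.
sub resync_log {
    my ($path) = @_;
    my @on_disk = stat($path) or return;
    my @opened  = stat(LOG)   or return;
    if ($on_disk[0] != $opened[0] || $on_disk[1] != $opened[1]) {
        close(LOG);
        open(LOG, '<', $path) or die "$path: $!\n";
    }
    elsif ($on_disk[7] < tell(LOG)) {
        seek(LOG, 0, 0);
    }
    return;
}

# Main loop: follow $log forever, tallying failed logins per source address
# in %blacklist and appending an "sshd: <ip>" entry to $deny once an address
# reaches $triggerlevel.  Addresses $deny already lists are not counted.
# Uses the file-level LOG handle and the configuration variables above.
for (;;) {
    resync_log($log);

    my $anynew = 0;

    LINE: while (my $line = <LOG>) {
        chomp $line;

        # Both sshd messages end in "from <address>".  The greedy .+ lets an
        # attacker-chosen user name contain " from " without shifting the
        # capture, and \S+ stops before any trailing " port N" that newer
        # sshd versions append (the old (.+) swallowed it, NetAddr::IP then
        # returned undef and the ->within call below killed the monitor).
        next LINE unless $line =~ /: (?:Invalid user|Failed password for) .+ from (\S+)/;
        my $raw = $1;

        # Everything in that position comes from log text an attacker
        # influences, and it ends up in a regex and in /etc/hosts.deny, so
        # accept only address characters.  Under -T any regex capture is
        # treated as untainted; this anchored match is the check that
        # actually justifies it, where the old (.+) captures untainted
        # whatever happened to be there.
        my ($ip) = $raw =~ /\A([0-9A-Fa-f.:]+)\z/ or next LINE;

        next LINE if $ip =~ /\A127\.0\.0\./ || $ip eq '::1'; # loopback

        # NetAddr::IP->new returns undef on unparsable input; skip the line
        # rather than die calling a method on undef.
        my $addr = NetAddr::IP->new($ip) or next LINE;
        next LINE if $addr->within($localnet);

        if (already_denied($deny, $ip)) {
            delete $blacklist{$ip};
            next LINE;
        }

        $anynew = 1;
        $blacklist{$ip}++;
    }

    if ($anynew) {
        open(my $out, '>>', $deny) or die "$deny: $!\n";
        for my $ip (sort keys %blacklist) {
            my $count = $blacklist{$ip};
            next if $count < $triggerlevel;
            print {$out} "sshd: $ip\n";
            print "Added $ip ($count attempts)\n";
            delete $blacklist{$ip};
        }
        # Buffered write errors only surface at close; a ban that never
        # reached the file must not pass silently.
        close($out) or die "$deny: $!\n";
    }

    sleep $checktime;
    LOG->clearerr(); # let the next <LOG> read past the EOF just hit
}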

PlusNet Support Team

Aug 8, 2005, 5:25:46 AM8/8/05

"Nigel Horne" <n...@despammed.com> wrote in message
news:pan.2005.05.13....@despammed.com...

<snip>

Hi Nigel,

I'm replying to your post as a test in response to your post in
force9.service.customer-feedback

--
Regards,

| Dave Tomlinson Broadband Solutions For
| Technical Support for Home & Business
| PlusNet plc @ http://www.plus.net
+ ----- My Referrals - It pays to recommend PlusNet -----

