Update hosts.deny to block brute force attempts
by Felipe 'chronos' Prenholato on 14:14, under Linux, Servidores
Below is a simple script to block hosts that are trying to brute-force your SSH; often it removes the need to run SSH on a different port.
The script scans /var/log/messages for intrusion attempts, extracts the hosts, and adds them to /etc/hosts.deny.
Code:
#!/bin/bash
# Keep a copy of the current list so we can tell at the end whether anything changed.
cp /etc/hosts.deny /var/tmp/hosts.deny

# Only today's log lines are matched: %d is zero-padded ("08"), %e is space-padded (" 8"),
# so both syslog date forms are covered. Hosts blocked on earlier days are dropped when
# the list is rewritten below.
# Jun 8 00:39:43 mintaka sshd[23332]: User root from 222.77.183.51 not allowed because not listed in AllowUsers
egrep "$(date +%b) ($(date +%d)|$(date +%e)).*User .* from [a-z0-9\.]* not allowed because not listed in AllowUsers" /var/log/messages \
    | sed -e 's/.* from \([a-z0-9\.]*\) .*/\1/' | sort | uniq | sed -e 's/^/ALL:/' > /etc/hosts.deny

# Jun 8 11:54:33 mintaka sshd[31221]: Invalid user bob from 62.204.145.224
egrep "$(date +%b) ($(date +%d)|$(date +%e)).*Invalid user .* from [a-z0-9\.]*$" /var/log/messages \
    | sed -e 's/.*Invalid user .* from//' | sort | uniq | sed -e 's/^/ALL:/' >> /etc/hosts.deny

# Print the new list only when it differs from the previous one.
diff -u /etc/hosts.deny /var/tmp/hosts.deny &>/dev/null || (echo "** hosts.deny updated **" ; cat /etc/hosts.deny)
The script in action:
Sep 2 16:55:02 mintaka -- MARK --
Sep 2 13:58:10 mintaka sshd[20790]: Did not receive identification string from 189.2.118.72
Sep 2 13:58:34 mintaka sshd[20795]: Invalid user suporte from 189.2.118.72
# Brute force attempt
Sep 2 13:58:41 mintaka sshd[20798]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:43 mintaka sshd[20800]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:46 mintaka sshd[20802]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:49 mintaka sshd[20804]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:51 mintaka sshd[20806]: Invalid user suporte from 189.2.118.72
Sep 2 13:59:24 mintaka sshd[20817]: Did not receive identification string from 189.2.118.72
# The script runs
** hosts.deny updated **
ALL:74.221.239.100
ALL: 189.2.118.72
ALL: 200.27.79.101
ALL: 74.221.239.100
# And the hosts are now blocked
Sep 2 14:00:09 mintaka sshd[20826]: Invalid user teste2008 from 189.2.118.72
Sep 2 14:00:10 mintaka sshd[20864]: refused connect from 189.2.118.72 (189.2.118.72)
I run it on my machine every 2 minutes.
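As an added example (not the blog's script), the same extraction written so it can be exercised against sample lines: the function names offenders and merge_deny are hypothetical, the log lines and the existing hosts.deny content are constructed, and, going beyond the post's script, it accepts only IPv4 addresses and merges new hosts into the existing list instead of overwriting it.

```shell
#!/bin/sh
# Added example, not the blog's script. Extracts hosts behind failed SSH logins
# from sshd log lines and merges them into an existing hosts.deny list without
# dropping entries that are already there. Only IPv4 addresses are accepted so
# that nothing else from the log can end up in hosts.deny.

# Constructed sample log lines standing in for /var/log/messages.
SAMPLE_LOG="Sep 2 13:58:34 mintaka sshd[20795]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:41 mintaka sshd[20798]: Invalid user suporte from 189.2.118.72
Sep 2 13:59:01 mintaka sshd[20801]: User root from 222.77.183.51 not allowed because not listed in AllowUsers
Sep 2 13:59:24 mintaka sshd[20817]: Did not receive identification string from 189.2.118.72
Sep 1 23:10:00 mintaka sshd[20100]: Invalid user admin from 10.9.8.7"

# Constructed current hosts.deny content (note the inconsistent spacing).
EXISTING_DENY="ALL:74.221.239.100
ALL: 200.27.79.101"

# offenders MONTH DAY: read log lines on stdin and print, sorted and unique,
# each IPv4 address in an "Invalid user" or "not listed in AllowUsers" line
# dated MONTH DAY. Syslog pads single-digit days ("Sep  2"), so any run of
# spaces between month and day is accepted.
offenders() {
    grep -E "^$1 +$2 .*sshd\[[0-9]+\]: (Invalid user .* from |User .* from .* not allowed because not listed in AllowUsers)" |
        sed -E 's/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/' |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' |
        sort -u
}

# merge_deny CURRENT: read new IPs on stdin, print CURRENT plus "ALL: ip"
# lines for the new ones, normalising spacing and keeping each host once.
merge_deny() {
    { printf '%s\n' "$1"; sed 's/^/ALL: /'; } |
        sed -E 's/^ALL:[[:space:]]*/ALL: /' |
        grep -v '^[[:space:]]*$' |
        awk '!seen[$0]++'
}

new_deny=$(printf '%s\n' "$SAMPLE_LOG" | offenders Sep 2 | merge_deny "$EXISTING_DENY")
printf '%s\n' "$new_deny"
```

Against a real system you would feed /var/log/messages to offenders and the current /etc/hosts.deny to merge_deny, writing the result back only after a diff shows a change, as the post's script does.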
pingping – Checking connectivity to servers.
by Felipe 'chronos' Prenholato on 12:28, under Dicas, Linux, Planet GentooBR, Servidores
Below is my pingping script. It will alert the listed email addresses when a server goes down. Read it.
#!/bin/sh
# This script sends ICMP requests to each server in the SERVIDORES list and
# sends email to the addresses in LISTA_EMAILS when one of the servers doesn't reply.
# You only receive an alert if the last time this script probed the server it got
# a successful reply, or if the server has not been tested yet.
#
# Author: Felipe Rafael Prenholato - chronos@gentoobr.org
# IRC: nick chronos at irc.freenode.net
# Date: 21 June 2006.
#
# This script is under GPLv2. Read it at http://www.gnu.org/licenses/gpl-2.0.txt.
# Any changes please send me a mail :).
#

# IP or name of servers to test
SERVIDORES="elise prime odissey"

# emails to send alerts to
LISTA_EMAILS="chronos@gentoobr.org philipe_rp@yahoo.com.br"

# date format to send in email
data=$(date +"%T de %d/%m/%Y")

# this function pings one server and mails an alert on the first failure
ping_server() {
    local pingreturn
    local serversts
    local TMPFILE
    local server

    server=$1
    # state file: "1" = last probe succeeded, "0" = already alerted
    TMPFILE="/tmp/ping_$server.tmp"

    # Debug
    #echo "Server: $server"
    #echo "Temp file: $TMPFILE"

    # ping and get the return code (the script runs under /bin/sh, so no bash-only &> redirection)
    ping -c3 "$server" >/dev/null 2>&1; pingreturn=$?

    # 0 means ok
    if [ "$pingreturn" -eq 0 ]
    then
        echo "1" > "$TMPFILE"
    fi

    # non-zero means problems (1 = no reply, 2 = other error such as an unknown host)
    if [ "$pingreturn" -ne 0 ]
    then
        # first probe of this server: assume it was up so that this failure is reported
        if ! [ -e "$TMPFILE" ]
        then
            echo "1" > "$TMPFILE"
        fi

        serversts=$(cat "$TMPFILE")

        # send mail only if the server was up the last time it was probed
        if [ "$serversts" = "1" ]
        then
            echo "0" > "$TMPFILE"
            msg="Servidor $server fora do ar em $data. Contatar responsavéis."
            ass="Servidor $server fora do ar."
            LC_ALL="en_US.ISO-8859-1" echo "$msg" | mail -s "$ass" $LISTA_EMAILS
        fi
    fi
}

# run ping_server for each server.
for e in $SERVIDORES; do ping_server "$e"; done
It needs to be installed on a server that can ping the others and send email. Old versions of postfix won't work; the mail command has to support the -a option. Usage:
./script
Put it in cron and relax.