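# Awk script: killit_plugin
# Copyright (c) 2008-2015 David R. Forrest (Forrest)
#
# Permission to use, copy, modify, and distribute this material
# for any purpose and without fee is hereby granted, provided
# that the above copyright notice and this permission notice
# appear in all copies, and that the name of Forrest not be
# used in advertising or publicity pertaining to this
# material without the specific, prior written permission
# of an authorized representative of Forrest.  FORREST
# MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY
# OF THIS MATERIAL FOR ANY PURPOSE.  IT IS PROVIDED "AS IS",
# WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
#
# awk program that checks stdin for attacks and calls dropbad if so
# intended to run in a pipe from a secure log tail
#
# D. R. Forrest 9/23/05
# Added a five user name log-in limit 10/11/05
# Added the next statements to eliminate double action 10/26/05
# Adjusted for Fedora 7 10/9/07
# Adjusted for Fedora 9 6/18/08
# Added multiple invalid user attempts 9/9/08
# Checked for Centos6 10/4/14
#
# Code assumes it reads /var/log/secure (see syslog(2)).
# dropbad is run directly through system() with validated arguments, so
# stdout no longer has to be piped to bash; nothing is printed any more.
# Requires gawk (systime()).

# True when S is safe to place on a command line: letters, digits and the
# punctuation found in IPv4/IPv6 literals and account names, nothing else.
# Log records carry attacker-chosen text (the "invalid user" name), so
# every value taken from a record goes through this check before system().
function safe_token(s) {
    return s ~ /^[A-Za-z0-9._:-]+$/
}

# Pull the client address out of an sshd record of the form
#   "... Failed password for [invalid user] NAME from ADDR port N ssh2"
# by anchoring on " from ADDR port " instead of a positional field: a user
# name containing spaces shifts $11/$13 onto attacker-controlled text.
# Accepts IPv4 and IPv6 literals; returns "" when no address is present.
function client_addr(line,    addr) {
    if (match(line, / from [0-9A-Fa-f.:]+ port /)) {
        # strip the 6-char " from " prefix and 6-char " port " suffix
        addr = substr(line, RSTART + 6, RLENGTH - 12)
        return addr
    }
    return ""
}

# Run /usr/local/sbin/dropbad ADDR REASON.  Records whose address or
# reason fail safe_token() are ignored rather than risk shell
# metacharacters reaching system().  Returns 1 when dropbad was run.
function dropbad(addr, reason) {
    if (addr == "" || !safe_token(addr) || !safe_token(reason)) {
        return 0
    }
    system("/usr/local/sbin/dropbad " addr " " reason)
    return 1
}

# ignore our known-hosts from our networks
# (unanchored substring matches: 192.168. deliberately covers the whole
# /16, but note /107\.170\.92\.4/ also matches 107.170.92.40-49)
/192\.168\./                            { next }
/198\.58\.98\.128/                      { next }
/2600\:3c00\:\:f03c\:91ff\:fe56\:7e17/  { next }
/107\.170\.92\.4/                       { next }
/\:\:1/                                 { next }

# pick up prohibited users (those we will never use).  Typical messages:
#   Oct 23 04:57:34 ns1 sshd[14299]: Failed password for root from 222.186.56.49 port 1618 ssh2
#   Oct 23 12:01:10 ns1 sshd[23388]: Failed password for invalid user testicle from 107.170.92.4 port 53294 ssh2
# A valid user (e.g. root) elides "invalid user", so the name is $9 here
# and $11 in the rule below; the address is located by pattern, not by
# field position.  Arguments to dropbad: address first, then user name.
/Failed password for (root|adm).*ssh/ {
    dropbad(client_addr($0), $9)
    next
}

# Pick up possible break-in attempts
#   Jan 5 11:42:53 maplepark sshd[19217]: Address 212.122.224.24 maps to mail.yallaonline.com, but this do\
#   es not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
#/POSSIBLE BREAK-IN ATTEMPT/ {
#    biattempt_ip = $7
#    if ($7 !~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {next;}   # if not IP then bail
#    print"/usr/local/sbin/dropbad",biattempt_ip,"Break_in_attempt"; system("")
#    if ( match($7,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) ) {print"/usr/local/sbin/dropbad",$7,"Break_in_attempt"; system("")}
#    if ( match($7,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) ) { system "/usr/local/sbin/dropbad " $7 " " "Break_in_attempt"}
#    next
#}

# Pick up multiple invalid user attempts within 15 minutes (900 seconds)
#   This_ip           this record's address
#   attempt_ip        address whose invalid-user records are being counted
#   attempts          invalid-user records seen from attempt_ip
#   This_attempt      time of this record in seconds (systime())
#   Previous_ip       address that opened the current 900-second window
#   Previous_attempt  time in seconds of that earlier attempt
# e.g. Nov 4 08:44:04 maplepark sshd[26852]: Failed password for invalid user guest from 72.73.100.19 port 50887 ssh2
/Failed password for invalid user/ {
    This_ip = client_addr($0)
    if (This_ip == "") {
        # no parseable address: never act on the raw fields
        next
    }
    if (This_ip == attempt_ip) {
        # five bad user name log-in attempts from the same address
        if (++attempts >= 5) {
            dropbad(attempt_ip, "Five_failed_user_names")
            attempts = 0
        }
        next
    }
    # a different address from the one being counted
    attempts = 0
    This_attempt = systime()
    if (Previous_attempt != "" && This_attempt - Previous_attempt <= 900) {
        # second address inside the window: drop this one and the one
        # that opened the window (Previous_ip is now recorded below, so
        # the earlier attacker is no longer passed as an empty argument)
        dropbad(This_ip, "Multiple_invalid_attempts")
        dropbad(Previous_ip, "Multiple_invalid_attempts")
        Previous_attempt = ""
        Previous_ip = ""
        next
    }
    # first time seen, or the earlier window has expired: this record
    # opens a new window instead of being discarded
    attempt_ip = This_ip
    Previous_ip = This_ip
    Previous_attempt = This_attempt
    attempts = 1
    next
}

#/ not reverse map / {
#    if ( $11 != last_ip ) strikes = 0
#    last_ip = $11                       # $11 includes the trailing period
#    if ( ++strikes >= 3 ) {
#        ip_length = length($11) -1       # Strip trailing period
#        IP = substr($11,1,ip_length)     # from $11
#        print"/usr/local/sbin/dropbad",IP,"Strike-out"; system("")
#        sleep 3
#        next }
#}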