PWD: /www/data-lst1/unixsoft/unixsoft/kaempfer/.public_html
Relative path: ./../.././.././../../../sbin/check-sshd
Real path: /usr/sbin/check-sshd
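#!/bin/bash
#
# check-sshd
#
# Blocks SSH brute-forcers and SYN flooders by adding them to the pf table
# "pool_33".
#
#   1. Reads the whitelist and blacklist files, the addresses already in the
#      pf table and the sshd log, reduces every relevant line to
#      "<TAG> <ip>" (FP = failed password, IU = illegal user, ... see
#      tag_ssh_events) and lets awk count events per IP and per /24.
#   2. Reports an IP once it has more than MAX_TRIES events, and a whole /24
#      once more than MAX_TRIES_PER_NET events came from hosts in it that had
#      already reached MAX_TRIES.  Addresses in the 141.20/16 and 127.0/16
#      ranges are never counted.
#   3. Reports IPs / /24s with more than MAX_SYN_PER_IP / MAX_SYN_PER_NET
#      half-open connections (netstat state SYN_RCVD).
#
# Everything reported is added to the pf table, appended to $BLACKLIST as
# "<epoch> <address>" and printed (so a cron job mails it).
#
# Environment:
#   DEBUG=1   read fixtures (./last_a_100, ./sshd.log*, ./ippool_33,
#             ./whitelist, ./blacklist) from the current directory instead of
#             the live system.  NOTE(review): pfctl is still invoked for
#             whatever the fixtures flag -- this is not a dry run.
#   PRINT=1   dump the three input lists and, at the end, the pf table.
#
# Exit status is always 0 (a missing or unreadable log exits silently so
# cron does not mail every run).  `set -e` is deliberately not used: several
# pipelines legitimately end in a non-matching egrep.
#
# Fixed in this revision (see the inline "Bug fix" comments):
#   - only the first whitelist entry was ever honoured,
#   - hosts with successful logins were never whitelisted (variable typo),
#   - SYN-flood blocks were logged without timestamp when no login-based
#     block preceded them,
#   - an empty $CAT (os_tools.source missing) turned "$CAT file" into
#     executing the file,
#   - ./os_tools.source was sourced from the working directory even in
#     production.

DEBUG=${DEBUG:-0}
PRINT=${PRINT:-0}

# Thresholds.  awk reports an IP when its event count is *greater than*
# MAX_TRIES (i.e. MAX_TRIES=3 blocks on the fourth event) and a /24 when its
# count is greater than MAX_TRIES_PER_NET.
MAX_TRIES=3
MAX_TRIES_PER_NET=5
MAX_SYN_PER_IP=25
MAX_SYN_PER_NET=35

SSH_VAR_DIR=/var/lib/itss/ssh/
FWLISTDIR=/var/lib/itss/firewall/
BLACKLIST=$FWLISTDIR/blacklist   # append-only record of blocks made here
PF_TABLE=pool_33

[ -e "$FWLISTDIR" ] || mkdir -p "$FWLISTDIR"

# Tool names come from the site's os_tools.source.  Bug fix: give them
# defaults, otherwise a missing source file left e.g. $CAT empty and
# "$CAT $FILE" executed the log / list file instead of reading it.
CAT=${CAT:-cat}
EGREP=${EGREP:-egrep}
AWK=${AWK:-awk}
SED=${SED:-sed}
TR=${TR:-tr}
SORT=${SORT:-sort}

if [ -f /etc/itss/os_tools.source ]; then
  . /etc/itss/os_tools.source
elif [ "$DEBUG" -eq 1 ] && [ -f ./os_tools.source ]; then
  # Security fix: only the debug run may source a file from the working
  # directory.  A root cron job must not execute whatever happens to lie in
  # its cwd.
  . ./os_tools.source
fi

#
# Input sources.  Each is a function so that globs expand at call time.
#
if [ "$DEBUG" -eq 1 ]; then
  get_last()        { cat ./last_a_100; }
  get_ssh_log()     { cat ./sshd.log*; }
  get_blocked_ips() { cat ./ippool_33; }
  WHITELIST_FILE=./whitelist
  BLACKLIST_FILE=./blacklist
else
  get_last()        { /usr/bin/last -a | /usr/bin/head -1000; }
  get_blocked_ips() { /usr/sbin/pfctl -t "$PF_TABLE" -T show; }
  [ -e "$SSH_VAR_DIR" ] || mkdir -p "$SSH_VAR_DIR"
  WHITELIST_FILE=$SSH_VAR_DIR/whitelist
  BLACKLIST_FILE=$SSH_VAR_DIR/blacklist
  [ -f "$WHITELIST_FILE" ] || touch "$WHITELIST_FILE"
  [ -f "$BLACKLIST_FILE" ] || touch "$BLACKLIST_FILE"

  LOGFILE=/var/log/sshd.log
  # Nothing to do without a readable log; exit quietly as before.
  [ -r "$LOGFILE" ] || exit 0
  # Without the marker file the rotated logs are scanned as well.
  # NOTE(review): /tmp is world-writable, so any local user can create the
  # marker and shrink the scan to the current log file only.
  [ -f /tmp/check-sshd.ipaddr ] || LOGFILE="/var/log/sshd.log*"
  # shellcheck disable=SC2086 -- LOGFILE is a glob on purpose
  get_ssh_log() { $CAT $LOGFILE; }
fi

#
# List files: one address per line.  Any line containing '#' is dropped as a
# whole (so no trailing comments).  In the blacklist a trailing ".0" marks a
# whole /24.  $1 = tag, $2 = file.
#
list_entries() {
  [ -f "$2" ] || return 0
  $EGREP -v "#" "$2" | $AWK -v tag="$1" '{ print tag " " $1 }'
}
WHITELIST_IPS=$(list_entries WL "$WHITELIST_FILE")
BLACKLIST_IPS=$(list_entries BL "$BLACKLIST_FILE")

# Addresses already in the pf table, tagged "AB".  The sed chain still
# accepts the old ippool "{ a; b; }" listing; on pfctl output it merely
# strips blanks, drops "/32" and turns "x.y.z.0/24" into "x.y.z.0".
ALREADY_BLOCKED_IPS=$(get_blocked_ips \
  | $SED -e "s#^.*{##g" -e "s#};##g" -e "s# ##g" \
  | $TR ';' '\n' \
  | $SED -e "s#/32##" -e "s#[0-9]*/24#0#" \
  | $AWK '{ print "AB " $1 }')

# Hosts with a successful login: last field of `last -a`, minus reboot
# records and lines with " :" (local X displays such as ":0").  Their
# forward-resolved addresses are whitelisted.
# Bug fix: the loop used to read $WHILELIST_HOSTNAMES, which is never set,
# so nothing was ever whitelisted this way.
# NOTE(review): the names are whatever sshd recorded in wtmp for the peer;
# forward-resolving them and trusting the result is a policy decision.
SUCC_LOGINS_HOSTNAMES=$(get_last | $EGREP -v "reboot | :" | $AWK '{ print $NF }' | uniq)
SUCC_LOGINS_IPS=$(for h in $SUCC_LOGINS_HOSTNAMES; do nslookup "$h"; done \
  | $EGREP "Address:" | $EGREP -v "#" | $AWK '{ print "WL " $2 }' | $SORT -u)

# Bug fix: `echo $WHITELIST_IPS` (unquoted) joined the whole list onto one
# line, and awk only reads the first address of each "WL" line -- so only
# the first whitelist entry ever took effect.  Keep one entry per line.
WHITELIST_IPS=$(printf '%s\n' "$WHITELIST_IPS" "$SUCC_LOGINS_IPS")

if [ "$PRINT" -eq 1 ]; then
  echo "$WHITELIST_IPS"
  echo "$BLACKLIST_IPS"
  echo "$ALREADY_BLOCKED_IPS"
fi

#
# Reduce sshd log lines to "<TAG> <ip>".  Each substitution replaces
# everything up to and including the message prefix (greedy ".* from "), so
# a user-supplied login name does not survive into the output.  Lines that
# match none of the prefixes are cut at their first ':' (normally inside the
# timestamp) and therefore carry no tag for awk.  "RD" (Received disconnect)
# is deliberately not tagged.
#
tag_ssh_events() {
  get_ssh_log \
    | $EGREP "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" \
    | $EGREP -v "Failed publickey for|Accepted keyboard-interactive for|Accepted publickey for" \
    | $SED -e "s#^.*Bad protocol version identification 'GET / HTTP/1.1' from #BP #g" \
           -e "s#^.*Illegal user .* from #IU #g" \
           -e "s#^.*Did not receive identification string from #MS #g" \
           -e "s#^.*Failed password for .* from #FP #g" \
           -e "s#^.*Failed none for .* from #FN #g" \
           -e "s#^.*monitor fatal: Timeout before authentication for #MF #g" \
           -e "s#^.*Connection closed by #CC #g" \
           -e "s#:.*##g" -e "s# port.*##g" \
           -e "s# authenticating user .* # #g" \
           -e "s# invalid user .* # #g"
}

#
# Count events.  Input order matters: AB and BL lines are fed before the WL
# lines, so they are counted before the whitelist is known (unchanged from
# the original).  Dots are replaced by blanks so that $2..$5 are the octets.
# Output: one "a.b.c.0/24" or "a.b.c.d/32" per line to add to the table.
#
NEW_BLOCKED_IPS=$( {
    echo "$ALREADY_BLOCKED_IPS"
    echo "$BLACKLIST_IPS"
    echo "$WHITELIST_IPS"
    tag_ssh_events
  } | $SED -e "s#\.# #g" \
    | $AWK -v MAX_TRIES="$MAX_TRIES" -v MAX_TRIES_PER_NET="$MAX_TRIES_PER_NET" '
  BEGIN {
    # Site-local /16s that are never counted.
    white_list_ip["141.20"] = 1
    white_list_ip["127.0"] = 1
  }
  # Tags are anchored to the line start so that a tag-like token elsewhere in
  # a line (e.g. inside a user name) cannot be mistaken for an event.
  /^(AB|BP|RD|IU|MS|FP|FN|MF|CC) / {
    ip1 = $2; ip2 = $3; ip3 = $4; ip4 = $5
    ip        = ip1 "." ip2 "." ip3 "." ip4
    ip_net    = ip1 "." ip2 "." ip3
    ip_net_16 = ip1 "." ip2
    if ((white_list_ip[ip_net_16] != 1) && (white_list_ip[ip] != 1)) {
      bad_access[ip] += 1
      ip2net[ip] = ip_net
      # Every event from an IP at or above MAX_TRIES counts against its /24
      # unless some address of that /24 is whitelisted.
      if (bad_access[ip] >= MAX_TRIES) {
        bad_net_count[ip_net] += 1
        if (white_list_ip[ip_net] != 1) {
          bad_net[ip_net] += 1
        }
      }
      if ($1 == "AB") {
        already_blocked_ip[ip] = 1
      }
    }
  }
  # A whitelisted address also protects its whole /24 from net blocking.
  /^WL / {
    ip1 = $2; ip2 = $3; ip3 = $4; ip4 = $5
    ip     = ip1 "." ip2 "." ip3 "." ip4
    ip_net = ip1 "." ip2 "." ip3
    white_list_ip[ip]     = 1
    white_list_ip[ip_net] = 1
  }
  # Blacklist entries get a count that always exceeds the thresholds.
  /^BL / {
    ip1 = $2; ip2 = $3; ip3 = $4; ip4 = $5
    ip_net = ip1 "." ip2 "." ip3
    if ($5 == 0) {
      bad_net[ip_net] = 100
    } else {
      ip = ip1 "." ip2 "." ip3 "." ip4
      ip2net[ip] = ip_net
      bad_access[ip] = 100
    }
  }
  END {
    for (x in bad_net) {
      if ((bad_net[x] > MAX_TRIES_PER_NET) && (already_blocked_ip[x ".0"] != 1)) {
        print x ".0/24"
      }
    }
    # Single IPs are only listed when their /24 is not blocked as a whole.
    for (x in bad_access) {
      if ((bad_access[x] > MAX_TRIES) && (bad_net[ip2net[x]] <= MAX_TRIES_PER_NET) && (already_blocked_ip[x] != 1)) {
        print x "/32"
      }
    }
  }')

# Bug fix: these were only set inside the login-block branch, so SYN-flood
# entries were written to $BLACKLIST without epoch and reported without host.
MY_HOSTNAME=$(hostname)
T=$(gdate +%s)

#
# Add one address or net to the pf table, record it and report it.
# $1 = address/net, $2 = reason text for the report.
# Adding an address that is already in the table is harmless, which is why
# the SYN-flood loop below does no duplicate check.
#
block_ip() {
  echo
  echo "on: $MY_HOSTNAME"
  echo " /usr/sbin/check-sshd"
  echo " $(date)"
  echo " $1 sperren ($2)"
  # The record is kept even if pfctl fails, so the failure is at least
  # visible in the mail / on stderr instead of silently ignored.
  pfctl -t "$PF_TABLE" -T add "$1" \
    || echo "pfctl: $1 konnte nicht in $PF_TABLE eingetragen werden" >&2
  echo "$T $1" >> "$BLACKLIST"
  echo "$(date) $1 hinzugefuegt"
  PRINT=1
}

if [ -n "$NEW_BLOCKED_IPS" ]; then
  echo "$NEW_BLOCKED_IPS"
  for IP in $NEW_BLOCKED_IPS; do
    block_ip "$IP" "mindestens $MAX_TRIES/$MAX_TRIES_PER_NET Versuche"
  done
fi

#
# SYN flood: count half-open connections per remote /24 and per remote IP
# from one netstat snapshot.
# NOTE(review): the field numbers ($6..$9 after replacing '.' by ' ') assume
# the remote address is the second column of `netstat -na` (Solaris layout);
# on a BSD-style layout they would select the local address instead.
#
SYN_SNAPSHOT=$(netstat -na | grep SYN_RCVD | tr '.' ' ')
BLOCKED_NET_SYNFLOOD=$(printf '%s\n' "$SYN_SNAPSHOT" \
  | awk '{ print $6 "." $7 "." $8 ".0/24" }' | sort | uniq -c \
  | $AWK -v L="$MAX_SYN_PER_NET" '{ if ($1 > L) { print $2 } }' \
  | /usr/bin/egrep -v "^141\.20\.|^127\.0\.0|^0\.0\.0\.0")
BLOCKED_IP_SYNFLOOD=$(printf '%s\n' "$SYN_SNAPSHOT" \
  | awk '{ print $6 "." $7 "." $8 "." $9 }' | sort | uniq -c \
  | $AWK -v L="$MAX_SYN_PER_IP" '{ if ($1 > L) { print $2 } }' \
  | /usr/bin/egrep -v "^141\.20\.|^127\.0\.0|^0\.0\.0\.0")

for IP in $BLOCKED_NET_SYNFLOOD $BLOCKED_IP_SYNFLOOD; do
  # Bug fix: the report used to quote the login thresholds here.
  block_ip "$IP" "mehr als $MAX_SYN_PER_IP/$MAX_SYN_PER_NET halboffene Verbindungen (SYN_RCVD)"
done

if [ "$PRINT" -eq 1 ]; then
  echo
  /usr/sbin/pfctl -t "$PF_TABLE" -T show
fi
exit 0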