
ssh attacks script



I've noticed on a couple of boards, and on this mailing list, all of the
attempts of the script kiddies trying to hack into people's boxes through
ssh.

I got tired of writing emails to the ISPs of the blocks that these people
were trying to get into me from, so I wrote a script to do it for me.

Now I know that people are hardening their firewall rules from the
attempts, yet wouldn't it be nice to be able to track down at least one of
these little shites?  So if you want you can grab the script from
http://cerberus.cc/open/scripts/sshd_check.sh or just copy and paste from
here.  I got a little busy with the comments on it, you'll have to excuse
me for that.

cheers.

#!/bin/bash
#
# I wrote this because I was getting tired of all the attempts from the script kiddies out there.  Hopefully if
# enough people can use this program, and do use it, we can get the ISPs to take a look at, and maybe catch
# some of the little shites that are running the scripts.
#
# A couple of things that you're going to need to make this program work properly is to have your dnsdomainname
# set, an MTA that is working, and hopefully not relaying others' mail :-), and your machine clock syncing to an
# ntp server.  The last one isn't necessary, but I believe it's important.
#
# I made a system user admin, and have it run as a cron job from the admin user when my files rotate.  This way it's
# not going to flood the ISPs' mail, and yours, with continued sends of the same thing.  Also this script was
# written for my server (debian), so you might have to modify it to fit yours.  The modification should only be which
# log file it's searching.  If people email me with where the 'Illegal' attempts are located on what distro I will
# modify the script.
#
# You can see what this is doing by running "bash -o xtrace sshd_check.sh" (without the quotes) from the
# dir that you put it in.
#
# If you are going to run this from a cron job as I have, make sure that you specify "SHELL=/bin/bash" in the
# crontab before the job line so it runs properly.
#
LOGFILE=/var/log/auth.log.0			# the rotated log; this is the line to change for your distro.
HOSTNAME=$(dnsdomainname)			# just a couple of vars that I've set up right away.
TIMEZONE=$(cat /etc/timezone)
CURRENT=$(date)
UTC=$(date -u)
#
mkdir -p abuse					# we are going to do everything in a dir that we make
cd abuse || exit 1				# that way we can keep things nice and clean.  Bail out if the
						# dir is not usable so the cleanup at the end never runs
						# somewhere we did not expect.
#
# finding the offenders.  Older sshd versions log "Illegal user", newer ones log "Invalid user".
grep -E 'Illegal user|Invalid user' "$LOGFILE" > bad_sshd
#
# the source address is the last field of each line.  Older sshd writes IPv4 addresses as "::ffff:1.2.3.4"
# (which is why the original cut on the 7th ':' field), so strip that prefix if it is there.
# this drops the ips down to one occurrence each.
awk '{print $NF}' bad_sshd | sed 's/^::ffff://' | sort -u -o ip_sshd
#
while read -r VAR1; do				# one ip per iteration; the loop stops when the list is used up.
	VAR2=$(grep -F "$VAR1" "$LOGFILE")	# builds the list to send to the isp (-F so the dots in the ip
						# are matched literally and not as regex wildcards).
	VAR3=$(whois -h completewhois.com ABUSEDATA "$VAR1" | grep -i 'Abuse E-mail' | cut -f8 -d' ')
						# grabs the abuse@email.isp so we know who to send it to.
	if [ -z "$VAR3" ]; then			# no abuse contact found: skip this ip rather than calling
		echo "no abuse contact found for $VAR1" >&2	# mail with an empty recipient.
		continue
	fi
mail -s "ssh attack" "$VAR3" <<EOF
Thank you for taking the time and concern to address this email.

This email was sent to you from a cron job to notify the admin and you,
the isp, of attempted break ins from an ssh script coming from someone
in your block of ip addresses.

My timezone is ${TIMEZONE}.
My current time is ${CURRENT}.
Current UTC time is ${UTC}.

Thank you.
admin@$HOSTNAME


${VAR2}
EOF
done < ip_sshd
cd .. && rm -rf abuse/				# cleans everything up that we made.
exit 0						# :-) all done.
#
#
# Copyright (C) 2005 Chad Brabec <chad@cerberus.cc>,
#
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# General Public License, http://www.gnu.org/copyleft/gpl.html, for more details.
#
# If you find this script useful and would like to modify it to make it better
# please email me with the changes.