OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news


July 16, 2009

SSH Attack Foghorn

by @ 6:20 am. Filed under bash, General Linux, Linux tips, ssh tips, sweet tools, Work-Related

I don’t like it when people try and hack my web servers. To make myself aware of people trying to access my ssh daemon, I wrote me a little script. Yup, I’m certainly aware of DenyHosts. Notwithstanding, in the hopes that this script may find use elsewhere, I post it here. Behold, enjoy, and chuckle a bit at how much better you could write it. Then, let me know how you’d improve it:

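#!/bin/sh
# Mail any sshd "invalid user" log entries from the previous minute.
LOGFILE=/root/hack_attempts
# Syslog timestamp prefix for one minute ago, e.g. "Jul 16 06:19:" (%e space-pads the day).
PATTERN="^$(date --date="1 minute ago" "+%b %e %H:%M:")"
# Change /var/log/messages to whatever system log your distro uses.
tail -n 1000 /var/log/messages | grep "$PATTERN" | grep sshd | grep -i "invalid user" | grep " from " > "$LOGFILE"
# Only send mail when at least one entry matched (the file is non-empty).
if [ -s "$LOGFILE" ] ; then
	echo "See the attached log for details" | mailx -a "$LOGFILE" -s "Possible hack attempt" YOUREMAIL@YOURDOMAIN.COM
fi
rm -f "$LOGFILE"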

Copy it to your /root folder. Name it something cool like ‘ssh_foghorn’, and chmod +x it to make it executable. Put it in your /etc/crontab file to run once every minute. Make sure you set the system log to whatever your distro uses. And change the email address to your own. Doesn’t cure cancer, but for 8 lines of code, it does what it needs to.

Again, I’m sure there are better ways to do this, so let’s hear ’em!
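A per-source summary that could go in the mail body, as an added example that is not the author's script: it counts sshd "Invalid user" entries per source address for one minute of log. The helper name summarize_invalid_users and the sample log lines are constructed for illustration, and the traditional syslog line layout (month, day, time, host, program) is assumed.

```shell
#!/bin/sh
# Added example, not part of the original script.
# SAMPLE_LOG is constructed data; addresses are from documentation ranges.
SAMPLE_LOG='Jul 16 06:19:03 web1 sshd[4312]: Invalid user admin from 192.0.2.10
Jul 16 06:19:04 web1 sshd[4314]: Invalid user test from 192.0.2.10
Jul 16 06:19:09 web1 sshd[4320]: Invalid user a from 203.0.113.9 from 198.51.100.7 port 51514
Jul 16 06:19:15 web1 sshd[4322]: Accepted publickey for scott from 203.0.113.5 port 40022 ssh2
Jul 16 06:19:30 web1 cron[4400]: Invalid user from nowhere
Jul 16 06:20:01 web1 sshd[4330]: Invalid user guest from 192.0.2.10'

# summarize_invalid_users PREFIX   (hypothetical helper)
# Reads syslog lines on stdin and prints "COUNT SOURCE", highest count first,
# for sshd "Invalid user" lines whose timestamp starts with PREFIX.
summarize_invalid_users() {
	awk -v prefix="$1" '
		# Field 5 is the program tag; requiring sshd[pid]: skips other daemons.
		index($0, prefix) == 1 && $5 ~ /^sshd\[[0-9]+\]:$/ && tolower($0) ~ /invalid user/ {
			# The user name is client-supplied and may itself contain "from",
			# so the source is the field after the LAST "from" on the line.
			for (i = NF - 1; i >= 8; i--)
				if ($i == "from") { count[$(i + 1)]++; break }
		}
		END { for (src in count) print count[src], src }
	' | sort -rn
}

# The script builds this prefix with date(1); it is fixed here so the run is repeatable.
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid_users "Jul 16 06:19:"
```

In the foghorn script, this output could replace the fixed "See the attached log for details" text piped to mailx.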

2 Responses to “SSH Attack Foghorn”

  1. sebsauvage Says:

    Nice… but why not use fail2ban ?
    This daemon monitors logs in realtime, and reconfigures the firewall (iptables) to block intruders. It has predefined rules for ssh, apache, vsftpd, proftpd, postfix… and it’s easy to create your own rules.

    It can also be configured to launch other commands than iptables.

  2. Scott Morris Says:

    Excellent suggestion. I will absolutely check into it. Thanks a bunch for your suggestion, and for stopping by!
