OpenSUSE Linux Tips, tricks, how-tos, opinions, and news
My Resume - My LinkedIn Profile - twitter: @scottmmorris

I don’t like it when people try and hack my web servers. To make myself aware of people trying to access my ssh daemon, I wrote me a little script. Yup, I’m certainly aware of DenyHosts. Notwithstanding, in the hopes that this script may find use elsewhere, I post it here. Behold, enjoy, and chuckle a bit at how much better you could write it. Then, let me know how you’d improve it:
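```sh
#!/bin/bash
# $'\n' below is a bashism, so run this under bash rather than plain sh.
LOGFILE=/root/hack_attempts
IFS=$'\n'
# Syslog timestamp prefix for the previous minute, e.g. "Jul 17 01:07:"
PATTERN="^$(date --date="1 minute ago" "+%b %e %H:%M:")"
# Keep only sshd "invalid user" lines logged during that minute
tail -n 1000 /var/log/messages | grep "$PATTERN" | grep sshd | grep -i "invalid user" | grep " from " > "$LOGFILE"
# Send mail only when at least one line matched
if [ "$(stat -c%s "$LOGFILE")" -gt 0 ] ; then
    echo "See the attached log for details" | mailx -a "$LOGFILE" -s "Possible hack attempt" YOUREMAIL@YOURDOMAIN.COM
fi
rm "$LOGFILE"
```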
Copy it to your /root folder. Name it something cool like ‘ssh_foghorn’, and chmod +x it to make it executable. Put it in your /etc/crontab file to run once every minute. Make sure you set the system log to whatever your distro uses. And change the email address to your own. Doesn’t cure cancer, but for 8 lines of code, it does what it needs to.
Again, I’m sure there are better ways to do this, so let’s hear ‘em!
July 17th, 2009 at 1:08 am
Nice… but why not use fail2ban?
This daemon monitors logs in realtime, and reconfigures the firewall (iptables) to block intruders. It has predefined rules for ssh, apache, vsftpd, proftpd, postfix… and it’s easy to create your own rules.
It can also be configured to launch other commands than iptables.
July 21st, 2009 at 8:23 am
Excellent suggestion. I will absolutely check into it. Thanks a bunch for your suggestion, and for stopping by!