On Thu, 12 Mar 2020, Christoph Anton Mitterer wrote:

> IMO, the idea itself doesn't sound the best... one must assume that such
> invoked programs are not written "safe"... and thus an attacker could
> potentially cause the system to run such programs a huge number of
> times.

As for the original problem… I have this running under daemontools:

#!/bin/mksh
exec >/dev/null
exec 2>/dev/null
tail -f /var/log/messages | while IFS= read -r line; do
	# only sshd "Failed password" records for the watched account names
	[[ $line = *sshd*@(Failed password for ?(invalid user )@(root|sync|admin|oracle|pi|setup|test|testuser|ubnt) from)* ]] || continue
	# strip everything up to and including " from ", keep the first token
	line=${line#*for ?(invalid user )@(root|sync|admin|oracle|pi|setup|test|testuser|ubnt) from }
	line=${line%% *}
	# must look like a dotted-quad address
	[[ $line = +([0-9]).+([0-9]).+([0-9]).+([0-9]) ]] || continue
	x=$(pfctl -t theo -T add "$line" 2>&1)
	logger -t sshnuke "Blocking '$line': $x"
done

The pf table named “theo” is a “block everything” table. The list of
account names which trigger blocking gets updated every once in a while.

This currently only works on Legacy IP, but updating it to also support
IP should be trivial.

It blocks after the first attempt, which is why I only catch known-bad
account names, not typos.

Getting back in if you accidentally blocked yourself is outside of the
scope of this.

You’ll need tail -F for GNU systems.

bye,
//mirabilos
-- 
„Cool, /usr/share/doc/mksh/examples/uhr.gz ist ja ein Grund, mksh auf jedem
System zu installieren.“ -- XTaran auf der OpenRheinRuhr, ganz begeistert
(EN: “Cool, /usr/share/doc/mksh/examples/uhr.gz is a reason to install mksh
on every system.” -- XTaran at OpenRheinRuhr, completely enthusiastic)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev