SSH Attack Foghorn


I don’t like it when people try to hack my web servers. To make myself aware of people trying to access my ssh daemon, I wrote myself a little script. Yup, I’m certainly aware of DenyHosts. Notwithstanding, in the hopes that this script may find use elsewhere, I post it here. Behold, enjoy, and chuckle a bit at how much better you could write it. Then, let me know how you’d improve it:

#!/bin/sh
# Collect the sshd "Invalid user" lines stamped within the previous minute and mail them.
LOGFILE=/root/hack_attempts
# Syslog timestamp prefix for one minute ago, e.g. "^Mar  3 10:14:" (GNU date)
PATTERN="^$(date --date="1 minute ago" "+%b %e %H:%M:")"
tail -n 1000 /var/log/messages | grep "$PATTERN" | grep sshd | grep -i "invalid user" | grep " from " > "$LOGFILE"
# Only send mail when something matched, i.e. the capture file is non-empty
if [ -s "$LOGFILE" ]; then
  echo "See the attached log for details" | mailx -a "$LOGFILE" -s "Possible hack attempt" [email protected]
fi
rm -f "$LOGFILE"

Copy it to your /root folder. Name it something cool like ’ssh_foghorn’, and chmod +x it to make it executable. Put it in your /etc/crontab file to run once every minute. Make sure you point it at whatever system log your distro uses (/var/log/messages here; it is /var/log/auth.log or /var/log/secure on many others). And change the email address to your own.

Doesn’t cure cancer, but for 8 lines of code, it does what it needs to. Again, I’m sure there are better ways to do this, so let’s hear ‘em!
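One weakness of matching a fixed "one minute ago" timestamp prefix is that a cron run which starts a few seconds late, or a cron slot that is skipped, silently drops lines. As an added example (my own code, not the author’s script), the same check done by parsing the syslog timestamp into a time window instead, with the hits grouped per source address and user for the mail body. The log lines, host name and clock value are constructed for the demonstration; the function names and the log path in the main block are my own choices.

```python
#!/usr/bin/env python3
"""Summarise sshd "Invalid user" syslog lines within a time window, grouped by
source address. Added example; not the ssh_foghorn script from the post."""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Classic syslog line: "Mon DD HH:MM:SS host sshd[pid]: Invalid user NAME from ADDR"
# NAME may be empty (sshd logs "Invalid user  from ADDR" for an empty login name).
SSHD_INVALID = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<addr>\S+)",
    re.IGNORECASE,
)

# Constructed sample log, including two non-matching lines to show the filter at work.
SAMPLE_LOG = """\
Mar  3 10:13:58 web1 sshd[4021]: Invalid user admin from 203.0.113.7
Mar  3 10:14:02 web1 sshd[4025]: Invalid user admin from 203.0.113.7
Mar  3 10:14:05 web1 sshd[4029]: Invalid user oracle from 203.0.113.7
Mar  3 10:14:10 web1 sshd[4033]: Invalid user  from 198.51.100.21
Mar  3 10:14:31 web1 sshd[4040]: Accepted publickey for deploy from 192.0.2.10 port 51234 ssh2
Mar  3 10:15:01 web1 CRON[4051]: (root) CMD (/root/ssh_foghorn)
"""
# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 3, 3, 10, 15, 0)


def parse_timestamp(mon, day, time_str, now):
    """Syslog stamps carry no year: assume the current one, and if that puts the
    stamp in the future (a run just after New Year), fall back one year."""
    ts = datetime.strptime(f"{mon} {int(day)} {time_str} {now.year}",
                           "%b %d %H:%M:%S %Y")
    if ts > now:
        ts = ts.replace(year=now.year - 1)
    return ts


def invalid_user_attempts(lines, now, window=timedelta(minutes=1)):
    """Return {addr: {user: count}} for "Invalid user" lines stamped in [now-window, now]."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = SSHD_INVALID.match(line)
        if not m:
            continue
        ts = parse_timestamp(m["mon"], m["day"], m["time"], now)
        if now - window <= ts <= now:
            hits[m["addr"]][m["user"] or "<empty>"] += 1
    return {addr: dict(users) for addr, users in hits.items()}


def format_report(hits):
    """One line per source address, busiest first, suitable as the alert mail body."""
    rows = sorted(hits.items(), key=lambda kv: -sum(kv[1].values()))
    return "\n".join(
        f"{addr}: {sum(users.values())} attempt(s), users {sorted(users)}"
        for addr, users in rows
    )


def main():
    # Real use: read the distro's log (path is an assumption) and use the wall clock;
    # with no argument, run over the constructed sample instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()[-1000:]
        hits = invalid_user_attempts(lines, datetime.now())
    else:
        hits = invalid_user_attempts(SAMPLE_LOG.splitlines(), NOW)
    if hits:
        print(format_report(hits))


if __name__ == "__main__":
    main()
```

Piping the report into mailx as in the original keeps the rest of the workflow unchanged; the difference is that a late cron run still picks up everything stamped inside the window, and the per-address counts make a single noisy source stand out at a glance.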