[H-GEN] Re: Blocking SSH exploits

Jay johannes at paradise.net.nz
Wed Aug 25 07:40:16 EDT 2004


On Wed, 25 Aug 2004 15:50, Troy Piggins wrote:
> [ Humbug *General* list - semi-serious discussions about Humbug and     ]
> [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
> > From: Jay <johannes at paradise.net.nz>
> > Subject: Re: [H-GEN] Blocking SSH exploits
> >
> > Same here since July 26 using names (root, user, test, admin, guest) and
> > originating from:
> >
> > 61.109.156.5
> > 61.151.243.61
> > 61.166.6.60
> > 63.243.17.136
> > 65.120.161.253
> > 68.122.247.235
> > 148.228.20.67
> > 160.80.34.9
> > 163.23.103.193
> > 163.26.85.193
> > 195.228.156.19
> > 202.102.242.180
> > 202.207.16.97
> > 203.146.102.54
> > 203.234.222.231
> > 203.248.244.160
> > 210.223.178.180
> > 210.95.186.129
> > 211.214.133.140
> > 218.216.74.170
> > 221.166.173.22
> >
> > Most attempts come in blocks of up to nine per ip within about 30
> > seconds, which suggests some form of automation is being used.
> >
> > Cheers
> >
> > Johannes
>
> How do you get this in this format?  Do you have scripts that filter
> out the IPs, or did you just edit manually for this email?

cd /var/log, or wherever your log files live, and run the short bash script

# <-- cut below -->
#!/bin/sh

# Collect every "Failed" line from the current log and the four rotated
# copies into one scratch file, sorted per file so identical lines cluster.
grep -w Failed secure|sort -r > failed
zcat secure.01.gz|grep -w Failed|sort -r >> failed
zcat secure.02.gz|grep -w Failed|sort -r >> failed
zcat secure.03.gz|grep -w Failed|sort -r >> failed
zcat secure.04.gz|grep -w Failed|sort -r >> failed

# Print the word after "from" (the source address), skipping consecutive
# repeats. "from" plus its trailing space is 5 characters, so the address
# starts at match position + 5.
awk '
BEGIN {
        s0="";
}
{
        p1 = match($0,"from")+5;
        split(substr($0, p1), addr, " ");
        if (s0 != addr[1])
                print(addr[1]);
        s0 = addr[1];
}
' failed|sort -t. -k1,1n -k2,2n -k3,3n -k4,4n -u
# The awk pass only drops repeats that are adjacent, so an address that shows
# up in more than one log file would be listed twice without the -u above;
# the four numeric keys order by octet rather than by the first number only.
rm failed
# <-- cut above -->

The above procedure is pretty basic, but I am sure there are more
elegant/efficient ways to do this job.

I am sure Greg would come up with a sophisticated one liner.

Cheers

Johannes
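The script above lists the source addresses; the quoted observation about "blocks of up to nine per ip within about 30 seconds" suggests also counting attempts per address and flagging the bursts. The following is an added example written for this page, not Johannes' script and not from any project. It assumes the usual syslog line shape "Mon DD HH:MM:SS host sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2", and that all lines fall on one day (syslog carries no year, and the window logic does not handle midnight). The log lines are constructed for the example, with addresses from documentation ranges; `count_failed` and `burst_sources` are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise sshd "Failed
# password" lines by source address and flag bursts of attempts.

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG='Aug 25 07:40:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Aug 25 07:40:04 host sshd[1002]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Aug 25 07:40:07 host sshd[1003]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Aug 25 07:40:11 host sshd[1004]: Failed password for invalid user guest from 192.0.2.10 port 40004 ssh2
Aug 25 07:40:15 host sshd[1005]: Failed password for invalid user user from 192.0.2.10 port 40005 ssh2
Aug 25 07:41:02 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 50010 ssh2
Aug 25 08:15:30 host sshd[1007]: Failed password for root from 203.0.113.42 port 33001 ssh2
Aug 25 09:30:12 host sshd[1008]: Failed password for root from 203.0.113.42 port 33002 ssh2
Aug 25 10:02:45 host sshd[1009]: Failed password for alice from 198.51.100.7 port 50011 ssh2'

# count_failed: read log lines on stdin, print "COUNT IP" per source, busiest first.
# The address is taken as the field after "from" instead of a fixed offset.
count_failed() {
    awk '
    /Failed password for/ {
        for (i = 1; i <= NF; i++)
            if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# burst_sources MIN WINDOW: read log lines on stdin and print "IP MAX" for
# every source with at least MIN failures inside some WINDOW-second span,
# where MAX is the largest number of failures seen in any such span.
burst_sources() {
    awk -v min="$1" -v win="$2" '
    /Failed password for/ {
        split($3, hms, ":")                       # HH:MM:SS -> seconds of day
        sec = hms[1] * 3600 + hms[2] * 60 + hms[3]
        for (i = 1; i <= NF; i++)
            if ($i == "from") { ip = $(i + 1); break }
        c[ip]++
        t[ip, c[ip]] = sec                         # kept in log (time) order
    }
    END {
        for (ip in c) {
            best = 0; j = 1
            for (k = 1; k <= c[ip]; k++) {
                # advance the window start until it spans at most win seconds
                while (t[ip, k] - t[ip, j] > win) j++
                if (k - j + 1 > best) best = k - j + 1
            }
            if (best >= min) print ip, best
        }
    }
    ' | sort
}

# On a real host feed the actual logs instead of the sample, e.g.
#   cat /var/log/secure | count_failed
#   zcat /var/log/secure.*.gz | burst_sources 4 30
printf '%s\n' "$SAMPLE_LOG" | count_failed
printf '%s\n' "$SAMPLE_LOG" | burst_sources 4 30
```

With the sample, `count_failed` reports 5 attempts from 192.0.2.10, 2 from 203.0.113.42 and 1 from 198.51.100.7, and `burst_sources 4 30` flags only 192.0.2.10, whose five attempts fall within 14 seconds; the two widely spaced attempts from 203.0.113.42 and the single typo from 198.51.100.7 are left alone, which is the distinction a block list or rate limit should be based on.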