heathbjohnson
02-17-2007, 01:35 PM
Hello,
I am getting a lot of ssh connection attempts and I am trying to configure BFD to automatically block them. My file /usr/local/bfd/rules/sshd looks like:
LP="/var/log/messages"
TLOG_TF="sshd"
TRIG="3"
TMP="/usr/local/bfd/tmp"
## SSH
ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | awk '{print$11":"$9}' > $TMP/.sshd`
ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -vw "ruser=" | grep -iwf $PATTERN_FILE | grep -w "for illegal" | awk '{print$13":"$11}' >> $TMP/.sshd`
ARG_VAL3=`$TLOGP $LP $TLOG_TF.3 | grep sshd | grep -w "ruser=" | grep -iwf $PATTERN_FILE | grep -vw "for illegal" | tr '[]=' ' ' | awk '{print$19":"$21}' >> $TMP/.sshd`
ARG_VAL=`cat $TMP/.sshd`
## SSH
#ARG_VAL1=`$TLOGP $LP $TLOG_TF.1 | grep sshd | grep -iwf $PATTERN_FILE | grep -ivw "Invalid" | grep -ivw "Illegal" | awk '{print$13":"$11}' > $TMP/.sshd`
#ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -iwf $PATTERN_FILE | grep -ivw "Invalid" | grep -ivw "Illegal" | awk '{print$11":"$9}' >> $TMP/.sshd`
#ARG_VAL3=`$TLOGP $LP $TLOG_TF.3 | grep sshd | grep -iwf $PATTERN_FILE | grep -iw "Illegal" | awk '{print$10":"$8}' >> $TMP/.sshd`
#ARG_VAL4=`$TLOGP $LP $TLOG_TF.4 | grep sshd | grep -iwf $PATTERN_FILE | grep -iw "Invalid" | awk '{print$10":"$8}' >> $TMP/.sshd`
#ARG_VAL=`cat $TMP/.sshd`
so it is searching in /var/log/messages for sshd connection error messages to grab the IP address to ban. It seems to be working for that. However, a lot of the sshd connection error messages show up only in /var/log/secure. For example:
Feb 12 13:31:54 host sshd[16121]: Failed password for mail from 222.45.233.72 port 55397 ssh2
Feb 12 13:32:03 host sshd[16324]: Failed password for mail from 222.45.233.72 port 55506 ssh2
Feb 12 13:32:10 host sshd[17690]: Failed password for mail from 222.45.233.72 port 55677 ssh2
Feb 12 13:32:14 host sshd[17822]: Illegal user client from 222.45.233.72
Feb 12 13:32:16 host sshd[17822]: Failed password for illegal user client from 222.45.233.72 port 55783 ssh2
Feb 12 13:32:20 host sshd[17933]: Illegal user client from 222.45.233.72
Feb 12 13:32:22 host sshd[17933]: Failed password for illegal user client from 222.45.233.72 port 55890 ssh2
Feb 12 13:32:26 host sshd[18030]: Illegal user client from 222.45.233.72
Feb 12 13:32:29 host sshd[18030]: Failed password for illegal user client from 222.45.233.72 port 55994 ssh2
Since these are only showing up in /var/log/secure, BFD is not catching these attempts. Can somebody help me set up new rules to also parse /var/log/secure?
Thanks
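The extraction logic the rule file above relies on, as an added example that is not part of the original post and not BFD's own code. The rule's three ARG_VAL pipelines pick the address and user name by fixed awk field numbers, one pipeline per message shape ($11":"$9 for "Failed password for USER from IP", $13":"$11 for the "illegal user" form, and a tr/awk pair for the PAM "ruser=" form). The script below does the same job for /var/log/secure style lines with one awk program that locates the word "from" (or an "rhost="/"user=" pair) instead of hard-coding positions, so a new message variant does not need a fourth pipeline. It then counts failures per source address against a trigger of 3, mirroring TRIG="3". The sample lines are constructed: most are copied from the post's excerpt, while the "Accepted password" line, the 10.0.0.5 line and the PAM "rhost=" line are my own additions to show a non-failure being ignored and the other two shapes being handled. The function names and the pattern list are assumptions of this example.

```shell
#!/bin/sh
# Added example: extract "ip:user" pairs from sshd failure lines as they appear
# in /var/log/secure and count failures per address against a trigger.
# Not BFD's own code; the pattern list below is this example's assumption.

# Constructed sample log. The 222.45.233.72 lines come from the post's excerpt;
# the 10.0.0.5, "Accepted password" and pam_unix lines are constructed here.
SAMPLE_LOG='Feb 12 13:31:54 host sshd[16121]: Failed password for mail from 222.45.233.72 port 55397 ssh2
Feb 12 13:32:03 host sshd[16324]: Failed password for mail from 222.45.233.72 port 55506 ssh2
Feb 12 13:32:14 host sshd[17822]: Illegal user client from 222.45.233.72
Feb 12 13:32:16 host sshd[17822]: Failed password for illegal user client from 222.45.233.72 port 55783 ssh2
Feb 12 13:40:00 host sshd[18100]: Failed password for root from 10.0.0.5 port 40000 ssh2
Feb 12 13:41:00 host sshd[18101]: Accepted password for alice from 10.0.0.9 port 40001 ssh2
Feb 12 13:45:00 host sshd(pam_unix)[18200]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=222.45.233.72 user=mail'

# Read log lines on stdin, print one "ip:user" line per sshd failure.
# Instead of fixed field numbers per message shape, take the field after the
# word "from" as the address and the field before it as the user name; for
# PAM-style lines use the "rhost=" and "user=" key/value fields instead.
extract_ip_user() {
    grep -w sshd |
    grep -E 'Failed password|Illegal user|Invalid user|authentication failure' |
    awk '{
        ip = ""; user = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "from" && i < NF)          { ip = $(i+1); user = $(i-1) }
            else if (index($i, "rhost=") == 1)   { ip = substr($i, 7) }
            else if (index($i, "user=") == 1)    { user = substr($i, 6) }
        }
        if (ip != "") print ip ":" user
    }'
}

# Count failures per address and print "ip count" for every address whose
# count reaches the trigger (BFD uses TRIG for this threshold).
# Usage: over_trigger 3 < /var/log/secure
over_trigger() {
    trig="$1"
    extract_ip_user | cut -d: -f1 | sort | uniq -c |
    awk -v t="$trig" '$1 >= t { print $2, $1 }'
}

# Number of failures recorded for a single address (0 when none).
count_for_ip() {
    extract_ip_user | cut -d: -f1 | grep -cx "$1" || true
}

# Stand-alone demonstration on the constructed sample: prints "222.45.233.72 5".
printf '%s\n' "$SAMPLE_LOG" | over_trigger 3
```

Fed the real file instead of the sample (`over_trigger 3 < /var/log/secure`), the same functions report which addresses have crossed the threshold. In the BFD rule file itself the equivalent change is to point LP at /var/log/secure (or add a second rule file with its own LP) and feed the single awk program above into the ARG_VAL pipeline in place of the per-variant field numbers; that wiring into BFD's ARG_VAL convention is my reading of the post's rule file, not something verified against BFD's source.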