Arrrrrgh!

August 31, 2004 by Dave Ross

Make it stop!


Lil' Bastard Security Kit Take II

August 29, 2004 by Dave Ross

Made some improvements to the original script. Now, it notes in the syslog when it adds a user to the filter, and it checks if they've already been dealt with before adding them again.

#! /usr/bin/perl
#
# monitor_logins.pl
# Monitors /var/log/messages looking for attempted logins by "test",
# "guest", or "admin". When found, it blocks their IP using iptables.

use strict;
use warnings;
use Sys::Syslog qw(:DEFAULT setlogsock);   # default set, plus setlogsock

my $program = 'monitor_logins';

my $block_these_logins = "test,guest,admin";
$block_these_logins =~ s/,/|/g;

# Flush stdout every time we write to it so the output is up-to-date
$| = 1;

setlogsock('unix');
openlog($program, 'cons,pid', 'daemon');

open(SYSLOG_MESSAGES, "<:unix", "/var/log/messages")
    or die "Can't open /var/log/messages: $!";

# Read to EOF -- we don't care about old log entries, just new ones.
while (<SYSLOG_MESSAGES>) { }

# Main loop: poll the log forever (reading STDIN here would block
# until someone typed a line).
while (1) {

    # One line per iteration; the old "while(<FH>) { $line = <FH>; }"
    # form silently threw away every other line.
    while (my $current_line = <SYSLOG_MESSAGES>) {

        # Only grab messages from/regarding the SSH daemon
        next unless $current_line =~ m/sshd/i;

        # Look for "Illegal user so-and-so from..." (newer OpenSSH writes
        # "Invalid user", so accept both). The \b keeps "testing" from
        # matching "test".
        next unless $current_line =~ m/(?:Illegal|Invalid)\suser\s(?:$block_these_logins)\b/i;

        # Parse the contents of the syslog entry
        my @split_line = split(/\s/, $current_line);
        for my $current_word (@split_line) {

            my @colon_split_string = split(/:/, $current_word);
            for my $current_string (@colon_split_string) {

                # Look for an IP in dotted-decimal notation. The match is
                # anchored so nothing but a bare address ever reaches iptables.
                next unless $current_string =~ m/^\d{1,3}(?:\.\d{1,3}){3}$/;

                # Did we already block them at the firewall?
                # -n stops iptables from resolving hostnames, which would
                # hide the numeric address we are looking for.
                my $rules = `iptables -L INPUT -n`;
                if ($rules =~ m/\b\Q$current_string\E\b/) {
                    syslog('info', "$current_string is already blocked. No further action taken.");
                }
                else {
                    # Block them at the firewall. List-form system(): no shell
                    # gets to interpret anything taken from the log line.
                    system('iptables', '-A', 'INPUT', '-s', $current_string, '-j', 'DROP');

                    # Let the admin know what we did.
                    syslog('info', "$current_string blocked using iptables");
                }
            }
        }
    }

    # Reset the EOF status on the file handle.
    sleep 1;
    seek(SYSLOG_MESSAGES, 0, 1);
}


Lil' Bastard Security Kit

August 26, 2004 by Dave Ross

Late last week, I noticed some weird activity in my Linux server's syslog. The only port forwarded from my firewall is the one used for SSH. I use SSH to get into my computer from the Internet so I can check my email and so forth.

SSH is configured not to allow root to log in remotely, and there's only one real account on the box. So, I'm not too worried about people breaking in. But I got a chuckle when I saw people running a script against my box that tried to log in as "guest", "test", and "admin".

So, as a challenge to myself, I threw together a script that reacts to these break-in attempts. It's written in Perl, and it monitors /var/log/messages looking for someone trying to log in as one of those users through SSH. When it detects someone trying to get in that way, it adds an entry to Linux's "iptables" (a software firewall, basically) instructing the TCP/IP stack to completely ignore any further packets from their IP address.

Here's the script, in case anyone's interested:

#! /usr/bin/perl
#
# monitor_logins.pl
# Monitors /var/log/messages looking for attempted logins by "test",
# "guest", or "admin".  When found, it blocks their IP using iptables.

use strict;
use warnings;

my $block_these_logins = "test,guest,admin";
$block_these_logins =~ s/,/|/g;

open(SYSLOG_MESSAGES, "<", "/var/log/messages")
    or die "Can't open /var/log/messages: $!";

# Flush stdout every time we write to it so the output is up-to-date
select(STDOUT);
$| = 1;

# Read to EOF -- we don't care about old log entries, just new ones.
while (<SYSLOG_MESSAGES>) { }

# Main loop: poll the log forever (reading STDIN here would block
# until someone typed a line).
while (1) {

  # One line per iteration; the old "while(<FH>) { $line = <FH>; }"
  # form silently threw away every other line.
  while (my $current_line = <SYSLOG_MESSAGES>) {

    # Only grab messages from/regarding the SSH daemon
    if ($current_line =~ m/sshd/i) {

      # Look for "Illegal user so-and-so from..."
      if ($current_line =~ m/Illegal\suser\s(?:$block_these_logins)\sfrom/i) {

        # Parse the contents of the syslog entry
        my @split_line = split(/\s/, $current_line);
        for my $current_word (@split_line) {

          my @colon_split_string = split(/:/, $current_word);
          for my $current_string (@colon_split_string) {

            # Look for an IP in dotted-decimal notation. The match is
            # anchored so nothing but a bare address ever reaches iptables.
            if ($current_string =~ m/^\d{1,3}(?:\.\d{1,3}){3}$/) {

              # Block them at the firewall. List-form system(): no shell
              # gets to interpret anything taken from the log line.
              my @command_line = ('iptables', '-A', 'INPUT', '-s', $current_string, '-j', 'DROP');
              system(@command_line);

              # Let the user know what we did.  This should write to
              # syslog some day.
              print("@command_line\n");
            }
          }
        }
      }
    }
  }

  # Reset the EOF status on the file handle.
  sleep 3;
  seek(SYSLOG_MESSAGES, 0, 1);
}
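The parsing and "have we already blocked them?" logic from the two posts above, as an added example in Python rather than Dave's Perl (this is not code from either script). The log lines are constructed for the example; the host name myhost, the PIDs and the RFC 5737 addresses are made up. The point it adds is how to let log text drive a firewall command safely: capture the address only from its own position in the sshd message, reject anything the ipaddress module will not parse, compare usernames as whole tokens, and hand iptables an argument list instead of a shell string.

```python
"""sshd "Illegal/Invalid user" lines -> deduplicated iptables commands.

Added example, not the monitor_logins.pl script. SAMPLE_LOG is constructed:
host name, PIDs and addresses are made up.
"""

import ipaddress
import re
import subprocess

# Same three usernames the posts block on.
BLOCKED_LOGINS = frozenset({"test", "guest", "admin"})

# Match the whole sshd message instead of scanning every word for something
# that looks like an address: user and address come only from their own
# positions in the line. Newer OpenSSH says "Invalid user", so accept both.
LINE_RE = re.compile(
    r"\bsshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<addr>\S+)"
)

SAMPLE_LOG = [  # constructed sample input
    "Aug 26 03:14:07 myhost sshd[4711]: Illegal user test from 192.0.2.10",
    "Aug 26 03:14:09 myhost sshd[4712]: Illegal user guest from ::ffff:192.0.2.10",
    "Aug 26 03:14:11 myhost sshd[4713]: Illegal user testing from 198.51.100.7",
    "Aug 26 03:14:12 myhost sshd[4714]: Invalid user admin from 198.51.100.8",
    "Aug 26 03:14:13 myhost sshd[4715]: Accepted publickey for dave from 203.0.113.5 port 2222 ssh2",
    "Aug 26 03:14:14 myhost su[4716]: Illegal user admin from 203.0.113.99",
    "Aug 26 03:14:15 myhost sshd[4717]: Illegal user admin from 203.0.113.77;reboot",
]


def parse_line(line):
    """Return (user, address) for an sshd illegal/invalid-user line, else None.

    The address has to parse with the ipaddress module, so a token carrying a
    trailing shell metacharacter is dropped instead of reaching iptables.
    IPv4-mapped IPv6 (::ffff:a.b.c.d), which some sshd builds logged, is
    unwrapped to the plain IPv4 address so it deduplicates against it.
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return m.group("user"), str(ip)


def iptables_argv(address):
    """The rule from the posts, as an argument list (no shell involved)."""
    return ["iptables", "-A", "INPUT", "-s", address, "-j", "DROP"]


def plan_blocks(lines, already_blocked=()):
    """Addresses to block, in first-seen order, each at most once.

    already_blocked stands in for Take II's "did we already block them?"
    check, kept in a set here instead of an `iptables -L | grep` per line.
    """
    seen = set(already_blocked)
    plan = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, address = parsed
        # Whole-token comparison: "testing" is not "test".
        if user not in BLOCKED_LOGINS or address in seen:
            continue
        seen.add(address)
        plan.append(address)
    return plan


def apply_blocks(addresses, dry_run=True):
    """Build one iptables command per address; run them only if asked to."""
    commands = [iptables_argv(a) for a in addresses]
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    for argv in apply_blocks(plan_blocks(SAMPLE_LOG)):
        print(" ".join(argv))
```

Run as-is it only prints the two commands it would issue (192.0.2.10 once, despite appearing twice, and 198.51.100.8); the "testing" line, the su line and the line with a stray `;reboot` after the address all fall through. Pass dry_run=False, as root, to apply them. Tailing /var/log/messages is left to the posts' seek() loop; that loop keeps reading the old file after logrotate moves it aside, so a long-running copy needs to reopen the path when the inode changes.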