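#!/usr/bin/perl
# logsniff - check log files for crackers and drop their packets when found.
# kurt theis 10/2006
# oct 13 2006: added second check for root users; added check for 'from'
# and 'port' in addresses.
#
# How it works: pull the client-address field out of the "bad user" /
# "bad password" lines of proftpd.log and messages, drop anything already
# recorded in /var/log/badIP, then for each new address add an iptables
# DROP rule now, append the same rule to rc.local so it survives a reboot,
# record it in badIP and send a notification.
#
# Security notes (review):
#   * Every token taken from a log line is attacker-influenced: a remote
#     client picks the username it sends and that string is logged verbatim.
#     Such a token used to be interpolated straight into a shell command
#     line (system("iptables ... $addr ...") and the mailto pipeline), which
#     is a command-injection hole.  Now every token must pass is_ipv4()
#     before it is handed to iptables, mailto or written to rc.local, and
#     no external command is run through a shell (list-form system/open).
#   * Residual risk: the address is still located by *position* in the log
#     line (cut -f<n> semantics).  A username containing spaces shifts the
#     fields, so a remote client can plausibly get a third-party address of
#     their choosing blocked.  The allow list protects our own addresses;
#     anything else you must never block belongs in @ALLOWLIST too.
#   * Needs privileges to run iptables and to append to rc.local.
use strict;
use warnings;

# Addresses that must never be blocked, whatever the logs say.  The original
# script used two different spellings of the home address (164.75.56.188 in
# the cleanup pass, 64.175.56.188 in the blocking pass), and the first check
# was a no-op anyway; both spellings are kept here - fix whichever is a typo.
my @ALLOWLIST = qw(164.75.56.188 64.175.56.188);

my $BADIP_FILE = '/var/log/badIP';          # one already-blocked address per line
my $RC_LOCAL   = '/etc/rc.d/rc.local';       # rules are appended here for persistence
my $NOTIFY_TO  = '9997654321@vetext.com';   # not a real phone number - put your own here!

# Log sources: file, literal text that marks an interesting line, and the
# 1-based space-separated field holding the client address.  Same semantics
# as the original `grep "<text>" <file> | cut -d " " -f<n>` pipelines.
my @SOURCES = (
    [ '/var/log/proftpd.log', 'no such user',         16 ],  # bad FTP users
    [ '/var/log/messages',    'Failed password for',  11 ],  # bad passwords (root etc)
    [ '/var/log/messages',    'Failed password for ', 12 ],  # bad passwords, non-root
    [ '/var/log/messages',    'Illegal user',         11 ],  # bad ssh users
);

# Return field $field (1-based, split on single spaces) of every line of
# $file containing the literal string $needle.  Mirrors
# `grep "$needle" $file | cut -d " " -f$field`: consecutive spaces produce
# empty fields and a line with too few fields yields "".  Dies if the file
# cannot be opened, as the original pipelines did.
sub field_from_matching_lines {
    my ($file, $needle, $field) = @_;
    open my $fh, '<', $file or die "LOGSCAN: can't open $file: $!\n";
    my @found;
    while (my $line = <$fh>) {
        chomp $line;
        next if index($line, $needle) < 0;
        my @fields = split / /, $line, -1;
        my $value = $fields[ $field - 1 ];
        push @found, defined $value ? $value : '';
    }
    close $fh;
    return @found;
}

# True iff $addr is a dotted-quad IPv4 literal with every octet in 0-255.
# This is the only gate between log-derived text and iptables/mailto/
# rc.local, so it deliberately accepts nothing but a bare address: the
# "from"/"port" tokens the positional extraction sometimes yields, empty
# strings, hostnames and shell metacharacters are all rejected.
sub is_ipv4 {
    my ($addr) = @_;
    return 0 unless defined $addr;
    my @octets = $addr =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return 0;
    return (grep { $_ > 255 } @octets) ? 0 : 1;
}

# Read the badIP file into a set of addresses blocked on earlier runs, so a
# re-scan of the same log lines does not stack duplicate rules.  Dies if
# the file is missing (the original did too - create it empty on first use).
sub read_known_bad {
    my ($file) = @_;
    open my $fh, '<', $file or die "IPSCAN: can't open badIP file $file: $!\n";
    my %known;
    while (my $line = <$fh>) {
        chomp $line;
        $known{$line} = 1;
    }
    close $fh;
    return \%known;
}

# Turn raw log tokens into the list of addresses to block: strip the
# brackets proftpd puts around addresses, keep only valid IPv4 literals,
# drop allow-listed and already-known addresses, and de-duplicate keeping
# first-seen order.  $tokens and $allow are array refs, $known a hash ref.
sub new_bad_addresses {
    my ($tokens, $known, $allow) = @_;
    my %allowed = map { $_ => 1 } @$allow;
    my %seen;
    my @fresh;
    for my $token (@$tokens) {
        next unless defined $token;
        (my $addr = $token) =~ tr/[]//d;
        next unless is_ipv4($addr);     # also discards "", "from", "port", junk
        next if $allowed{$addr};
        next if $known->{$addr};
        push @fresh, $addr unless $seen{$addr}++;
    }
    return @fresh;
}

# Block one address: append the rule to rc.local, record the address in the
# badIP file, insert the iptables rule now and send a notification.  $addr
# must already have passed is_ipv4(); nothing here goes through a shell.
sub block_address {
    my ($addr, $rc_fh, $badip_fh) = @_;
    my @cmd = ('iptables', '-A', 'INPUT', '-s', $addr, '-j', 'DROP');
    print {$rc_fh} join(' ', @cmd), "\n";
    print {$badip_fh} "$addr\n";
    if (system(@cmd) != 0) {
        # The rule is already persisted above; say so rather than fail silently.
        warn "LogSniff: iptables failed for $addr (exit " . ($? >> 8) . ")\n";
    }
    # notify me when this happens
    my $msg = "LogSniff shutdown IP $addr";
    if (open my $mail, '|-', 'mailto', '-s', 'LoginSniff', $NOTIFY_TO) {
        print {$mail} "$msg\n";
        close $mail or warn "LogSniff: mailto failed for $addr\n";
    }
    else {
        warn "LogSniff: can't run mailto: $!\n";
    }
    return;
}

# Entry point: scan all sources, work out what is new, block it.
sub main {
    my @tokens;
    for my $src (@SOURCES) {
        my ($file, $needle, $field) = @$src;
        push @tokens, field_from_matching_lines($file, $needle, $field);
    }
    my $known  = read_known_bad($BADIP_FILE);
    my @iplist = new_bad_addresses(\@tokens, $known, \@ALLOWLIST);
    return unless @iplist;    # nothing new: leave rc.local and badIP untouched

    open my $rc_fh,    '>>', $RC_LOCAL   or die "Cannot open rc.local: $!\n";
    open my $badip_fh, '>>', $BADIP_FILE or die "Cannot open badIP: $!\n";
    for my $addr (@iplist) {
        block_address($addr, $rc_fh, $badip_fh);
    }
    # Check the closes: a buffered write failure only surfaces here, and a
    # rule missing from rc.local would silently vanish at the next reboot.
    close $badip_fh or die "Cannot write badIP: $!\n";
    close $rc_fh    or die "Cannot write rc.local: $!\n";
    return;
}

main() unless caller;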