- One script can be used to do several things depending on what parameters you provide.
- Pop your script in `/etc/cron.daily` and it will run each day, or install a symlink to it in the appropriate `/etc/rc.d` dir and you can have it run each time the system is shut down or booted up.
- You can use `whois` to find details on IPs - just be aware that the system that is "attacking" you may be an innocent party that's been hacked into.
- Remember to include the `-a` option in `grep`, as it sometimes considers `/var/log/auth.log` a binary file.
- Failed password attempts for valid users

```bash
grep -ai "failed" /var/log/auth.log | grep -vi "invalid" | grep -vi "repeated" | awk '{printf "%-10s %12s\n", $9, $11}'
```

- Invalid user attempts

```bash
grep -a "Invalid" /var/log/auth.log | awk '{printf "%-10s %12s\n", $8, $10}'
```
- The complete script (this is different from that of u/snori74 from the course 😅)

```bash
#!/bin/bash
# Report failed SSH logins from auth.log, split by valid vs. invalid users.
LOG=/var/log/auth.log

usage() {
    echo "Usage: $(basename "$0") [wrongpass | invalid]"
    echo "OPTIONS - "
    echo "  wrongpass - Failed attempts by valid users due to wrong passwd"
    echo "  invalid   - Invalid users attempting to ssh"
    exit 1
}

if [[ "$1" == "wrongpass" ]]; then
    echo "Failed password attempts for valid users"
    awk 'BEGIN {printf "%-10s %12s\n", "User", "IP"
                printf "%-10s %12s\n", "----", "----"}'
    # -a: treat the log as text even if grep decides it is binary;
    # "invalid user" lines are reported separately, "repeated" lines are summaries
    grep -ai "failed" "$LOG" | grep -vi "invalid" | grep -vi "repeated" | awk '{printf "%-10s %12s\n", $9, $11}'
elif [[ "$1" == "invalid" ]]; then
    echo "Invalid users"
    awk 'BEGIN {printf "%-10s %12s\n", "user", "IP"
                printf "%-10s %12s\n", "----", "----"}'
    grep -a "Invalid" "$LOG" | awk '{printf "%-10s %12s\n", $8, $10}'
else
    usage
fi
```

I don't think "disconnected from" gives the desired result (at least not in my case).
A "good" (accepted password) session only has a "Disconnected from" line in my logs when the session is closed. An extract of a "good" log here
"Failed password" log, "Invalid user" log shows me "bad" logins.
Failed but accepted on third attempt - log
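As an added example (not code from the original post or either reply), the classification the script does and the point the reply makes can be checked against a constructed sample log: the functions below locate the user and IP by the `for`/`from` keywords rather than fixed awk field numbers (so a `journalctl`-style prefix does not shift the columns), keep "Failed password" and "Invalid user" lines as the failed-login signals, and count "Disconnected from" separately to show it fires for the good session too. The log lines, host name and IPs are constructed sample data; `extract_user_ip` and the other function names are this example's own.

```shell
#!/bin/sh
# Added example: classify sshd lines from an auth.log-style file.
# Sample data below is constructed, not a real log.

# Write a constructed sample log to the path given as $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar 10 10:00:01 host sshd[1001]: Accepted password for alice from 192.0.2.10 port 50001 ssh2
Mar 10 10:00:05 host sshd[1002]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar 10 10:00:06 host sshd[1002]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar 10 10:00:07 host sshd[1003]: Invalid user admin from 203.0.113.5 port 50003
Mar 10 10:00:07 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Mar 10 10:00:09 host sshd[1004]: Failed password for bob from 198.51.100.7 port 50004 ssh2
Mar 10 10:00:10 host sshd[1004]: Accepted password for bob from 198.51.100.7 port 50004 ssh2
Mar 10 10:05:00 host sshd[1001]: Disconnected from user alice 192.0.2.10 port 50001
Mar 10 10:05:01 host sshd[1001]: pam_unix(sshd:session): session closed for user alice
EOF
}

# Read sshd lines on stdin and print "user IP" for each one.
# The user is the word after "for" (or after "Invalid user"), skipping the
# "invalid user" wording; the IP is the word after "from". No fixed columns.
extract_user_ip() {
    awk '{
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for" && user == "")
                user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "user" && $(i-1) == "Invalid")
                user = $(i+1)
            if ($i == "from")
                ip = $(i+1)
        }
        if (user != "" && ip != "") printf "%-10s %15s\n", user, ip
    }'
}

# Wrong password for an account that exists.
failed_valid()  { grep -a 'Failed password for' "$1" | grep -v 'invalid user' | extract_user_ip; }
# Attempts against accounts that do not exist.
invalid_users() { grep -a 'Invalid user' "$1" | extract_user_ip; }
# Successful logins, useful as the baseline to compare against.
accepted()      { grep -a 'Accepted ' "$1" | extract_user_ip; }
# "Disconnected from" is logged when any session ends, including good ones,
# so it is not a failed-login marker; it is only counted here to show that.
disconnects()   { grep -ac 'Disconnected from' "$1"; }
# Source IPs across all failed attempts (valid and invalid users), most frequent first.
top_failed_ips() {
    { failed_valid "$1"; invalid_users "$1"; } | awk '{print $2}' | sort | uniq -c | sort -rn
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "Failed (valid users):";   failed_valid "$tmp"
    echo "Invalid users:";          invalid_users "$tmp"
    echo "Accepted:";               accepted "$tmp"
    echo "Disconnected lines: $(disconnects "$tmp")"
    echo "Top failed source IPs:";  top_failed_ips "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh thisfile.sh --demo` to see the sections; with the sample data the good session for alice still produces a "Disconnected from" line, while the three failed attempts from 198.51.100.7 and the invalid-user attempt from 203.0.113.5 show up only under the "Failed password" and "Invalid user" classifications. Point the functions at the real `/var/log/auth.log` instead of the temp file to use them on a live host.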
Great script. It's well worthwhile spending some time checking exactly what's in the logs - and interesting to differentiate between "failed root" versus "failed non-existent user" etc. as you've done.
If you look at the Apache logs you'll see a whole range of attempted attacks against all sorts of vulnerabilities they're hoping to find.