Full Disclosure mailing list archives

RE: SSH Bruteforce blocking script

From: "Michael L Benjamin" <mike.benjamin () clarinet com au>
Date: Fri, 2 Sep 2005 16:30:30 +0800

 

Ok, well spotted. Something for me to fix there.

Here you go, add these lines to the script just after the touch:

chmod 700 ${TMP_FILE}

${TMP_FILE}


My apologies, that is a no-no and something I should have spotted.

I originally thought about doing this with arrays in memory. I might go back to that later.

Thanks for your input.

Cheers, Mike.



-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Alejandro Barrera
Sent: Friday, September 02, 2005 04:04 PM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script

Well, we apreciate your script although I would preffer to stay with my nice bruteforcing attempts than to create an 
insecure temporary file bug:

ergosum@sparta:~$ cat test.sh
#!/bin/sh

SCRIPT_NAME=$(basename $0)
TMP_FILE="/tmp/${SCRIPT_NAME}.$$"

touch ${TMP_FILE}
echo "pwn3d" > ${TMP_FILE}
exit
ergosum@sparta:~$ cat data
pr0n g0ld collection: ....

ergosum@sparta:~$ ln -s /home/ergosum/data /tmp/test.sh.18359 ergosum@sparta:~$ ln -s /home/ergosum/data 
/tmp/test.sh.18361 ergosum@sparta:~$ ln -s /home/ergosum/data /tmp/test.sh.18362 ergosum@sparta:~$ ./test.sh 
ergosum@sparta:~$ cat data pwn3d

#!/bin/ksh
#
# ssh_brute_blocker
#
# 05/07/2004 15:05 - Michael L. Benjamin #

SCRIPT_NAME=$(basename $0)
LOG_FILE="/var/log/secure"
DENY_FILE="/etc/hosts.deny"
TMP_FILE="/tmp/${SCRIPT_NAME}.$$"
INBOUND_IP=""
INLINE=""
GUESS_COUNT=0
PERMIT_GUESS=4

touch ${TMP_FILE}

while :
do

tail -10000 ${LOG_FILE} | grep "Failed password for illegal user" | 
awk -F"from" {'print $2'} | awk {'print $1'} | uniq > ${TMP_FILE}


 
 
 


--
Alejandro Barrera García-Orea
R&D Engineer
c/ Alcala 268 28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: abarrera () iron-gate net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
- Re: SSH Bruteforce blocking script Alejandro Barrera (Sep 02)
- Re: SSH Bruteforce blocking script Christoph Moench-Tegeder (Sep 02)
- Re: SSH Bruteforce blocking script Gerald Holl (Sep 03)
- <Possible follow-ups>
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
  - Re: SSH Bruteforce blocking script Christoph Moench-Tegeder (Sep 02)
- Re: SSH Bruteforce blocking script Pedro Hugo (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 02)
  - Re: SSH Bruteforce blocking script miah (Sep 02)
- RE: SSH Bruteforce blocking script Michael L Benjamin (Sep 04)
  - Re: SSH Bruteforce blocking script miah (Sep 06)
  - RE: SSH Bruteforce blocking script Ron DuFresne (Sep 06)
- FW: SSH Bruteforce blocking script Michael L Benjamin (Sep 04)

(Thread continues...)