2006/01.07 @23:49 (articles, blog, site, software)

revised ssh/ipf blocking on netbsd

Update 08jan06 @ 08:05: After sending this link to Hubert he came back with a change to get the sed lines inside the shell, so I’ve updated the post to reflect this as it’s a far neater solution.

Ok, I couldn’t resist the challenge after Hubert blogged about my pop-before-smtp script, so here’s my rather ugly shell version. Sadly, I’m lousy at sorting out shell escaping so as well as the shell script there is also a sed script that does the log file filtering: please feel free to alter things to work in one shell script – the code is mine, but do with it what you will, as it doesn’t really have much to it in the end (click on the filenames to get the source).

block.sh:

#!/bin/sh
  
# Block unauthorised login attempts using only system tools
# Inspired by Hubert Freyer's 'challenge' to write a script that just used
# tail to do the work
# (c) Ian Spray and Hubert Fyerer, 2006
  
# Use it for what you will: no restrictions, and no warranty
  
TAIL=/usr/bin/tail
SED=/usr/bin/sed
IPF=/sbin/ipf
CMD_PERM='/usr/bin/tee -a /etc/ipf.conf | '
LOG_FILE='/var/log/authlog'
SED_PAT=ip.sed
  
# uncomment the following line if you want bans to be temporary
# CMD_PERM=''
  
${TAIL} -F ${LOG_FILE} | while read LOG_LINE
do
	echo ${LOG_LINE} 
	| ${SED} 
		-e '/127\.0\.0\.1/d'  \
		-e '/192\.168\.0\./d' \
		-e '/Failed password .* from/!d' \
		-e 's/.*Failed password .* from \([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3}\).*/block in log quick from \1.\2.\3.\4 to any/' \
	| ${CMD_PERM} ${IPF} -A -f -
done

Note the two main features are the -F in the tail to ensure that log rotations don’t kill the script (check your version if porting outside of NetBSD) and the while loop is to prevent sed from block buffering the log file data. The very long line that performs the actual cutting of the IP address doesn’t fit well on the web, so grab the source if you want to read it easily.

Note that you ought to replace your own LAN subnet (and trusted external site ?) at the start of the sed script to prevent unfortunate accidents, and that the text has been broken to try and fit it more cleanly on the web page: download the file for the correct source code.

If an annotated version of these is desired, then let me know and I’ll explain as much of it as I can remember 🙂

The original downloads are: old_block.sh and ip.sed

← Newer (OS X 10.4.4 and Canon EOS 350D RAW files)

(fun with pop-before-smtp and ipf on netbsd) Older →