@R41D3NN
Forked from jreyes1108/unauthorized ssh attempts
Last active August 30, 2015 04:17
unauthorized ssh attempts
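#!/bin/sh
# Scan the auth log for failed SSH password attempts, count them per source
# address, and add addresses that exceed MAX_ATTEMPTS to /etc/hosts.deny.
LOG_FILE=/var/log/ssh_complaints.log
AUTH_LOG=/var/log/auth.log
HOSTS_DENY=/etc/hosts.deny
MAX_ATTEMPTS=8
(
#WHITELIST="127.0.0.1 192.168.110.1 `host test.net.com | sed -e 's/[^0-9]*//'`"
WHITELIST="127.0.0.1"
# Keep only sshd "Failed password" lines, reduce each to its source address,
# then count the occurrences per address.
sed -e '/sshd\[[0-9]*\]: Failed password/!d' \
    -e 's/.*Failed password for.*from //' \
    -e 's/ port.*//' "$AUTH_LOG" | sort | uniq -c | \
while read -r COUNT HOST; do
    WHITE_LISTED=0
    # Strip the IPv4-mapped IPv6 prefix so the address compares equal to whitelist entries.
    HOST=$(echo "$HOST" | sed -e 's/::ffff://')
    # Escape the dots so the address is matched literally inside the sed pattern.
    HOST_RE=$(printf '%s' "$HOST" | sed -e 's/\./\\./g')
    # Collect the distinct user names tried from this exact address.
    USERNAMES=$(sed -e '/sshd\[[0-9]*\]: Failed password.* from \(::ffff:\)*'"$HOST_RE"' port /!d' \
        -e 's/.*Failed password for //' \
        -e 's/invalid user //' \
        -e 's/ from .*//' "$AUTH_LOG" | sort -u)
    for WHITE in $WHITELIST ; do
        if [ "$WHITE" = "$HOST" ] ; then
            WHITE_LISTED=1
        fi
    done
    if [ "$WHITE_LISTED" = "1" ] ; then
        echo "$COUNT attempts from WHITELISTED $HOST"
    # -x -F: compare the whole line as a fixed string, so 1.2.3.4 does not match 1.2.3.45.
    elif grep -qxF "ALL:$HOST" "$HOSTS_DENY" ; then
        echo "$HOST is blacklisted $COUNT attempts recorded"
    else
        echo "$COUNT attempts from $HOST"
        if [ "$COUNT" -gt "$MAX_ATTEMPTS" ] ; then
            echo "Excessive SSH attempts from $HOST"
            # This line is truncated in the source after "$USERNA"; anything that followed it is unknown.
            echo "Received roughly $COUNT attempts to login via the SSH protocol from $HOST using names: $USERNAMES"
            if grep -qxF "ALL:$HOST" "$HOSTS_DENY" ; then
                echo "Already in blocked list"
            else
                echo "Adding $HOST to blocked list"
                echo "ALL:$HOST" >> "$HOSTS_DENY"
            fi
        else
            echo " WARNING: $HOST is not blacklisted"
        fi
    fi
done ) > "$LOG_FILE"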