R41D3NN R41D3NN

## gist:2791731
<meta name="pinterest" content="nopin" />

## LoginAttemptLogger.sh
#!/bin/bash
AUTH_LOG=/var/log/auth.log
LOG_FILE=/var/log/login-attempts.txt
IP_ADDR_REGEX='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\s'

cat $AUTH_LOG | grep -o $IP_ADDR_REGEX | sort | uniq >> $LOG_FILE
cat $LOG_FILE | sort | uniq > $LOG_FILE.tmp
mv -f $LOG_FILE.tmp $LOG_FILE

## UnauthorizedLoginAttemptLogger.sh
#!/bin/bash
AUTH_LOG=/var/log/auth.log
LOG_FILE=/var/log/unauthorized-login-attempts.txt
IP_ADDR_REGEX='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\s'

cat $AUTH_LOG | grep 'authentication failure' | grep -o $IP_ADDR_REGEX | sort | uniq >> $LOG_FILE
cat $LOG_FILE | sort | uniq > $LOG_FILE.tmp
mv -f $LOG_FILE.tmp $LOG_FILE

## UnauthorizedSshAttemptLogger.sh
#!/bin/sh
LOG_FILE=/var/log/ssh_complaints.log
AUTH_LOG=/var/log/auth.log
HOSTS_DENY=/etc/hosts.deny
MAX_ATTEMPTS=8

(
#WHITELIST="127.0.0.1 192.168.110.1 `host test.net.com | sed -e 's/[^0-9]*//'`"
WHITELIST="127.0.0.1"

## get-ipinfo.js
var GetIpInfo = function(ipAddr) {
    var info = null;
    var infoUrl = "http://ipinfo.io/" + ipAddr;
    $.ajax({
        url: infoUrl,
        type: 'GET',
        dataType: 'json',
        async: false,
        success: function(data) {
            info = data;

## convert_sha1_hostkey_digest_base64_to_hex.sh
awk '{$print $2}' id_xxx.pub | openssl base64 -d -A | openssl sha1

## ApplyWindowsEventLogPermissions.ps1
$username = "IIS APPPOOL\Identity"

Function Set-PermissionsForEventLogSecurity($username)
{
    $registryKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security"
    $acl = Get-Acl $registryKeyPath
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $registryRights = [System.Security.AccessControl.RegistryRights]"QueryValue",
        [System.Security.AccessControl.RegistryRights]"EnumerateSubKeys",

## Remove-HyperVPXEBoot.psm1
Function Remove-HyperVPXEBoot {
    <#
    .Synopsis
        Remove the PXE boot sequence from a Hyper-V virtual machine.

    .PARAMETER ComputerName
        The name of the Hyper-V computer where the targeted VM is hosted.

    .PARAMETER VMName
        The name of the Hyper-V virtual machine to remove PXE boot from.

## Discovery--Computers-and-Total-Local-Accounts.sql
SELECT
	[ou].[DistinguishedName] AS 'OU DN',
	[c].[ComputerName],
	COUNT([ca].[ComputerId]) AS 'Total Local Accounts',
	[CB].[Success],
	[CB].[LastErrorMessage]
FROM [tbComputer] [c]
JOIN [tbOrganizationUnit] [ou] ON [c].[OrganizationUnitId] = [ou].[OrganizationUnitId]
LEFT JOIN (SELECT * FROM [tbComputerAccount] [ca] WHERE [ca].[ComputerId] IS NOT NULL) [ca] ON [c].[ComputerId] = [ca].[ComputerId]
CROSS APPLY

## Hyper-V--Create-Internal-NAT-Switch.ps1
$switchName = "my.local"
New-VMSwitch -SwitchName $switchName -SwitchType Internal
$netAdapter = Get-NetAdapter | Where -Property Name -Eq "vEthernet ($switchName)"
New-NetIPAddress -IPAddress 10.0.0.1 -PrefixLength 24 -InterfaceIndex $netAdapter.ifIndex
New-NetNat -Name "$switchName-NAT" -InternalIPInterfaceAddressPrefix 10.0.0.0/24
	#!/bin/bash
	AUTH_LOG=/var/log/auth.log
	LOG_FILE=/var/log/login-attempts.txt
	IP_ADDR_REGEX='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\s'

	cat $AUTH_LOG \| grep -o $IP_ADDR_REGEX \| sort \| uniq >> $LOG_FILE
	cat $LOG_FILE \| sort \| uniq > $LOG_FILE.tmp
	mv -f $LOG_FILE.tmp $LOG_FILE
	#!/bin/bash
	AUTH_LOG=/var/log/auth.log
	LOG_FILE=/var/log/unauthorized-login-attempts.txt
	IP_ADDR_REGEX='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\s'

	cat $AUTH_LOG \| grep 'authentication failure' \| grep -o $IP_ADDR_REGEX \| sort \| uniq >> $LOG_FILE
	cat $LOG_FILE \| sort \| uniq > $LOG_FILE.tmp
	mv -f $LOG_FILE.tmp $LOG_FILE
	#!/bin/sh
	LOG_FILE=/var/log/ssh_complaints.log
	AUTH_LOG=/var/log/auth.log
	HOSTS_DENY=/etc/hosts.deny
	MAX_ATTEMPTS=8

	(
	#WHITELIST="127.0.0.1 192.168.110.1 `host test.net.com \| sed -e 's/[^0-9]*//'`"
	WHITELIST="127.0.0.1"
	var GetIpInfo = function(ipAddr) {
	var info = null;
	var infoUrl = "http://ipinfo.io/" + ipAddr;
	$.ajax({
	url: infoUrl,
	type: 'GET',
	dataType: 'json',
	async: false,
	success: function(data) {
	info = data;
	$username = "IIS APPPOOL\Identity"

	Function Set-PermissionsForEventLogSecurity($username)
	{
	$registryKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security"
	$acl = Get-Acl $registryKeyPath
	$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
	$propagation = [System.Security.AccessControl.PropagationFlags]"None"
	$registryRights = [System.Security.AccessControl.RegistryRights]"QueryValue",
	[System.Security.AccessControl.RegistryRights]"EnumerateSubKeys",
	SELECT
	[ou].[DistinguishedName] AS 'OU DN',
	[c].[ComputerName],
	COUNT([ca].[ComputerId]) AS 'Total Local Accounts',
	[CB].[Success],
	[CB].[LastErrorMessage]
	FROM [tbComputer] [c]
	JOIN [tbOrganizationUnit] [ou] ON [c].[OrganizationUnitId] = [ou].[OrganizationUnitId]
	LEFT JOIN (SELECT * FROM [tbComputerAccount] [ca] WHERE [ca].[ComputerId] IS NOT NULL) [ca] ON [c].[ComputerId] = [ca].[ComputerId]
	CROSS APPLY
	$switchName = "my.local"
	New-VMSwitch -SwitchName $switchName -SwitchType Internal
	$netAdapter = Get-NetAdapter \| Where -Property Name -Eq "vEthernet ($switchName)"
	New-NetIPAddress -IPAddress 10.0.0.1 -PrefixLength 24 -InterfaceIndex $netAdapter.ifIndex
	New-NetNat -Name "$switchName-NAT" -InternalIPInterfaceAddressPrefix 10.0.0.0/24