@jreyes1108
Created November 18, 2009 22:05
unauthorized ssh attempts
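#!/bin/sh
# Report failed SSH password attempts per source address from the sshd log,
# mail a complaint for heavy offenders and add them to /etc/hosts.deny.
(
    # Space-separated addresses that are never blocked.
    #whitelist="127.0.0.1 192.168.110.1 `host test.net.com | sed -e 's/[^0-9]*//'`"
    whitelist="127.0.0.1"

    # Keep only sshd "Failed password" lines, reduce each to its source address
    # (IPv4-mapped IPv6 prefix stripped so both forms are counted together),
    # then count the attempts per address.
    sed -e '/sshd\[[0-9]*\]: Failed password/!d' \
        -e 's/.*Failed password for.*from //' \
        -e 's/ port.*//' \
        -e 's/^::ffff://' /var/log/secure.log | sort | uniq -c | \
    while read info; do
        set -- $info
        count=$1
        host=$2
        whitelisted=0

        # The address comes from the log, so accept only address characters
        # before it is used in a regex or written to /etc/hosts.deny.
        case "$host" in
            ''|*[!0-9A-Fa-f.:]*)
                echo "Skipping unexpected source field: $host"
                continue
                ;;
        esac

        # Escape the dots and match the whole address, so that 10.0.0.1 does
        # not also pick up the usernames tried from 10.0.0.10.
        host_re=$(echo "$host" | sed -e 's/\./\\./g')
        usernames=$(sed -e "/sshd\[[0-9]*\]: Failed password.* from \(::ffff:\)\{0,1\}$host_re port /!d" \
            -e 's/.*Failed password for //' \
            -e 's/invalid user //' \
            -e 's/ from .*//' /var/log/secure.log | sort -u)

        for white in $whitelist ; do
            if [ "$white" = "$host" ] ; then
                whitelisted=1
            fi
        done

        if [ "$whitelisted" = "1" ] ; then
            echo "$count attempts from WHITELISTED $host"
        # -x -F: exact, literal line match, so one address is never mistaken
        # for a longer one that merely starts with the same digits.
        elif grep -qxF "ALL:$host" /etc/hosts.deny ; then
            echo "$host is blacklisted $count attempts recorded"
        else
            echo "$count attempts from $host"
            if [ "$count" -gt "8" ] ; then
                ################### action for ip using ssh
                cd /tmp
                echo "Sending SSH complaint on $host"
                echo "Getting email addresses"
                # Reverse lookup of the address; the result is not used below,
                # the complaint goes to $list.
                emails="`host $host | awk '{print $NF}'`"
                list='admin@net.com'
                echo "Sending email"
                cat <<EOT |mailx -s "Excessive SSH attempts from $host" "$list"
Received roughly $count
attempts to login via the SSH protocol from $host
using names: $usernames
EOT
                if grep -qxF "ALL:$host" /etc/hosts.deny ; then
                    echo "Already in blocked list"
                else
                    echo "Adding $host to blocked list"
                    echo "ALL:$host" >>/etc/hosts.deny
                fi
                ################### end action
            else
                echo " WARNING: $host is not blacklisted"
            fi
        fi
    done
) > /Users/admin/logs/ssh_complaints.log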