Debian SSH failed attempts
ssh-fails.sh
------------
Greps the systemd journal of the SSH service to report failed attempts to log in over SSH. This information can be used to apply filtering policies. Examples follow.
root@war:~# ./ssh-fails.sh 2d top 10
17534 42.7.26.60
2933 123.183.209.135
2436 116.31.116.11
167 211.140.199.244
138 5.101.40.10
109 117.34.117.168
69 91.197.232.103
44 92.87.236.69
35 181.21.135.244
29 103.207.39.247
root@war:~# ./ssh-fails.sh 2w top 3
28658 42.7.26.60
6034 123.183.209.135
5393 58.242.83.21
root@war:~# ./ssh-fails.sh summary
SSH Failure Summary for last 2d
Generated 2017-08-07T21:08-0400
count ip-address ZEN XBL
------ ---------------- --- ---
17491 42.7.26.60 y n
2938 123.183.209.135 y n
2436 116.31.116.11 y n
167 211.140.199.244 y y
138 5.101.40.10 y y
109 117.34.117.168 n n
69 91.197.232.103 y y
44 92.87.236.69 y y
35 181.21.135.244 y y
29 103.207.39.247 n n
23 181.23.23.131 y y
20 116.236.128.62 y y
7 97.79.211.38 y y
7 95.211.198.253 n n
7 93.118.171.149 y y
7 91.204.179.166 y y
7 83.144.70.10 y y
7 76.1.241.35 y y
7 64.66.226.161 y y
7 45.119.155.117 y y
root@war:~# ./ssh-fails.sh summary 7d top 4
SSH Failure Summary for last 7d
Generated 2017-08-07T21:10-0400
count ip-address ZEN XBL
------ ---------------- --- ---
28658 42.7.26.60 y n
6037 123.183.209.135 y n
5393 58.242.83.21 y n
5316 116.31.116.11 y n
#!/usr/bin/env bash
# Copyright (c) 2017 Maxwell Bloch, All rights reserved.
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# Use of DNS blacklist queries is subject to applicable terms of use.
# Look-back window handed to journalctl --since (relative, e.g. 2d, 7d).
# The first argument is the window unless it is the "summary" keyword,
# in which case the default of 2d applies.
SINCE=${1:-2d}
case "$SINCE" in
  summary) SINCE=2d ;;
esac
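#######################################
# Extract failed SSH authentication events from the journal.
# Globals:   SINCE (read) - relative look-back window for journalctl
# Outputs:   one CSV line per event: <peer>,<timestamp>,<user>,<reason>
#            where <timestamp> is the first 15 characters of the journal
#            line and <user>/<reason> may be empty; sorted by peer
# Returns:   the exit status of the final sort
#
# The user field is copied verbatim from the log, i.e. it is whatever the
# remote side sent as a login name. Treat this output as untrusted data.
#######################################
fails() {
  # grep -E replaces the obsolescent egrep, which newer GNU grep warns about.
  journalctl -u ssh.service --since="-${SINCE}" \
    | grep -i fail \
    | grep -E 'from ([^ ]+)' \
    | grep -v "Read from socket failed" \
    | sed -r -e 's!(.{15}).*: (Disconnecting: )?(.*) for (invalid user )?([^ ]*) from ([^ ]+).*!\6,\1,\4\5,\3!' \
             -e 's!(.{15}).*: (.*) from ([^:]+).*: (.*)!\3,\1,,\4!' \
    | sort -t , -k 1V
}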
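#######################################
# Rank peers by number of failed attempts.
# Arguments: $1 - how many peers to print (default 20)
# Outputs:   "<count> <peer>" lines, highest count first
# Returns:   2 on a non-numeric limit, otherwise the status of head
#######################################
topfails() {
  local top=${1:-20}
  # head would reject a bad limit anyway, but fail before spawning the
  # whole journalctl pipeline and say why.
  if [[ ! $top =~ ^[0-9]+$ ]]; then
    printf 'topfails: limit must be a non-negative integer, got "%s"\n' "$top" >&2
    return 2
  fi
  # fails() sorts on the peer field, which is what uniq -c needs to count
  # adjacent duplicates.
  fails | cut -d, -f1 | uniq -c | sort -rg | head -n "$top"
}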
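#######################################
# Query a Spamhaus DNSBL zone for an IPv4 address.
# Arguments: $1 - dotted-quad IPv4 address (taken from the journal)
#            $2 - zone name, default "zen" (Spamhaus's combined
#                 SBL/XBL/PBL zone; "xbl" is the exploits-only subset)
# Outputs:   y  listed
#            n  not listed (NXDOMAIN)
#            ?  could not be determined: not an IPv4 address, resolver
#               failure, or a Spamhaus 127.255.255.x error answer
# Returns:   0
#######################################
checklist() {
  local ip=$1
  local list=${2:-zen}
  local -r ipv4_re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  local rev name answer status

  # Only a dotted quad can be reverse-octet encoded. IPv6 peers and
  # hostnames fall out here; this also keeps arbitrary log text out of
  # the DNS query.
  if [[ ! $ip =~ $ipv4_re ]]; then
    echo '?'
    return 0
  fi
  rev="${BASH_REMATCH[4]}.${BASH_REMATCH[3]}.${BASH_REMATCH[2]}.${BASH_REMATCH[1]}"
  name="${rev}.${list}.spamhaus.org"

  answer=$(nslookup "$name" 2>&1)
  status=$?
  if (( status != 0 )); then
    # BIND nslookup names the rcode in its error text; only NXDOMAIN
    # means "not listed", anything else (timeout, SERVFAIL, tool missing)
    # is unknown rather than a clean "n".
    if grep -q 'NXDOMAIN' <<<"$answer"; then
      echo n
    else
      echo '?'
    fi
    return 0
  fi

  # Spamhaus answers 127.255.255.x (query via public resolver, query
  # limit exceeded, bad zone name) instead of NXDOMAIN for query problems;
  # those resolve successfully and must not be reported as listed.
  # The resolver's own "Address:" line carries a "#port" suffix and so
  # does not match these anchored patterns.
  if grep -Eq '^Address:[[:space:]]+127\.255\.255\.[0-9]+$' <<<"$answer"; then
    echo '?'
  elif grep -Eq '^Address:[[:space:]]+127\.[0-9.]+$' <<<"$answer"; then
    echo y
  else
    echo '?'
  fi
}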
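# Mode dispatch on the positional arguments:
#   ssh-fails.sh [SINCE]                   raw CSV of failed attempts
#   ssh-fails.sh SINCE top [N]             top-N peers by failure count
#   ssh-fails.sh summary [SINCE] [top N]   top-N peers with DNSBL status
if [[ "$1" == "summary" ]]; then
  TOP=
  if [[ "$2" == "top" ]]; then
    # "summary top N": keep the default window instead of passing the
    # word "top" to journalctl --since.
    TOP=${3:-20}
  else
    SINCE=${2:-$SINCE}
    if [[ "$3" == "top" ]]; then
      TOP=${4:-20}
    fi
  fi
  echo "SSH Failure Summary for last $SINCE"
  echo "Generated $(date -Im)"
  echo ""
  # Same widths as the row format below so the header lines up.
  # zen is the combined Spamhaus zone, so ZEN=y with XBL=n points at an
  # SBL or PBL listing rather than a known-compromised host.
  printf '%6s %16s %3s %3s\n' count ip-address ZEN XBL
  printf '%6s %16s %3s %3s\n' ------ ---------------- --- ---
  # Each row costs two DNS queries; an empty TOP lets topfails use its
  # default of 20. The loop body runs in a subshell, nothing is read
  # back from it.
  topfails "$TOP" | while read -r c i; do
    zen=$(checklist "$i" zen)
    xbl=$(checklist "$i" xbl)
    printf '%6d %16s %3s %3s\n' "$c" "$i" "$zen" "$xbl"
  done
  echo ""
elif [[ "$2" == "top" ]]; then
  topfails "$3"
else
  fails
fi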