--- /dev/null
+#!/usr/bin/perl
+
+use Socket;
+
+#
+# Storage
+#
+
+my %addresses;
+
+#
+# Functions
+#
+
+sub LookupIP($)
+{
+ my $ip = shift;
+ $name = $addresses{$ip};
+ return "$name [$ip]" if defined $name;
+ ($a1, $a2, $a3, $a4) = split /\./, $ip;
+ $name = gethostbyaddr(inet_aton($ip), AF_INET);
+ if ($name)
+ {
+ $addresses{$ip} = $name;
+ return "$name [$ip]";
+ }
+ else
+ {
+ return $ip;
+ }
+}
+
+sub SortIPAddresses
+{
+ ($a1, $a2, $a3, $a4) = split /\./, $a;
+ ($b1, $b2, $b3, $b4) = split /\./, $b;
+ ($a1 <=> $b1) || ($a2 <=> $b2) || ($a3 <=> $b3) || ($a4 <=> $b4);
+}
+
+#
+# Main
+#
+
+$detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+while (defined($line = <STDIN>))
+{
+ chomp($line);
+
+ if ($line =~ /Performing periodic check of blocked IPs list\./)
+ {
+ $periodicChecks++;
+ }
+ elsif ($line =~ /Bansshee startup\./)
+ {
+ $startups++;
+ }
+ elsif ($line =~ /Failed password attempt for user/)
+ {
+ $failedPasswords++;
+ }
+ elsif ($line =~ /Attempted connection with illegal user/)
+ {
+ $illegalUsers++;
+ }
+ elsif ($line =~ /Adding IP (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to blocklist\./)
+ {
+ $additions{$1} += 1;
+ }
+ elsif ($line =~ /Removing IP (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) from blocklist\./)
+ {
+ $removals{$1} += 1;
+ }
+ elsif (($line =~ /Reading config file/) ||
+ ($line =~ /Daemonizing\./) ||
+ ($line =~ /Creating new BANSSHEE iptables chain\./) ||
+ ($line =~ /Appending JUMP rule \(redirects all SSH traffic to BANSSHEE chain\)\./) ||
+ ($line =~ /Tailing log:/) ||
+ ($line =~ /Removing JUMP rule from INPUT chain\./) ||
+ ($line =~ /Flushing BANSSHEE iptables chain\./) ||
+ ($line =~ /Deleting BANSSHEE iptables chain\./))
+ {
+ # ignore
+ }
+ else
+ {
+ push @unmatchedEntries, "$line\n";
+ }
+}
+
+if (($startups > 0) && ($detail >= 5))
+{
+ print "\nStart-ups: $startups time(s).\n";
+}
+
+if (($periodicChecks > 0) && ($detail >= 10))
+{
+ print "\nPeriodic checks: $periodicChecks time(s).\n";
+}
+
+if ($failedPasswords > 0)
+{
+ print "\nFailed password attempts: $failedPasswords time(s).\n";
+}
+
+if ($illegalUsers > 0)
+{
+ print "\nIllegal user attempts: $illegalUsers time(s).\n";
+}
+
+if (keys %additions)
+{
+ print "\nIPs added to blocklist:\n";
+ foreach $ip (sort { SortIPAddresses } keys %additions)
+ {
+ $host = LookupIP($ip);
+ print " $host : $additions{$ip} time(s).\n";
+ }
+}
+
+if (keys %removalss)
+{
+ print "\nIPs removed from blocklist:\n";
+ foreach $ip (sort { SortIPAddresses } keys %additions)
+ {
+ $host = LookupIP($ip);
+ print " $host : $additions{$ip} time(s).\n";
+ }
+}
+
+if ($#unmatchedEntries > 0)
+{
+ print "\n**Unmatched Entries**\n";
+ print @unmatchedEntries;
+}
+
+exit(0);
--- /dev/null
+#! /bin/bash
+#
+# banshee This script starts and stops the bansshee anti-SSH-dictionary-attack daemon
+#
+# chkconfig: - 50 50
+# description: bansshee monitors log files to detect SSH dictionary attacks and uses the iptables firewall to block attackers.
+
+# Source function library.
+. /etc/init.d/functions
+
+RETVAL=0
+
+start()
+{
+ echo -n $"Starting banshee: "
+ daemon /usr/local/sbin/bansshee
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && /bin/touch /var/lock/subsys/bansshee
+ return $RETVAL
+}
+
+stop()
+{
+ echo -n $"Stopping banshee: "
+ killproc bansshee
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && /bin/rm -f /var/lock/subsys/bansshee
+ return $RETVAL
+}
+
+restart()
+{
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ restart
+ ;;
+ reload)
+ restart
+ ;;
+ status)
+ status bansshee
+ ;;
+ condrestart)
+ [ -f /var/lock/subsys/bansshee ] && restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
+ exit 1
+esac
+
+exit $?
+
git.wincent.com / bansshee.git / commitdiff
