#!/bin/sh

#Author : Richard DEMONGEOT ( http://www.demongeot.biz )
#Goal : Send abuse notifications automatically after an SSH scan.
#Revision : 0.1

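# Fixed search path: the script runs unattended and calls its external tools
# (logwatch, nslookup, mail) by bare name.
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Site configuration. The rest of the script expects it to define MyDir,
# LogFile, OldLogFile, MyMail and CopyOfAbuse (TZ comes from the environment).
# MyDir is used as a prefix ("${MyDir}Rapport"), so it is expected to end with
# a slash -- confirm against config.sh.
#
# A missing file sourced with "." is not fatal in every shell, so check it
# explicitly: carrying on with an empty MyDir would make every work file,
# including the final rm, relative to the current directory.
config_file="/usr/local/scripts/sendautomaticabuse/config.sh"
if [ ! -r "$config_file" ]; then
  printf '%s: cannot read %s\n' "$0" "$config_file" >&2
  exit 1
fi
. "$config_file"

# Refuse an incomplete configuration rather than operate on the wrong files:
# with an empty log file name, the per-host "grep" below would read stdin.
: "${MyDir:?must be set in config.sh}"
: "${LogFile:?must be set in config.sh}"
: "${OldLogFile:?must be set in config.sh}"
: "${MyMail:?must be set in config.sh}"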

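# Generate today's LogWatch report for pam_unix; everything below parses this
# file. Stop if logwatch itself fails: an empty report would otherwise look
# exactly like "no scans today".
if ! logwatch --print --service pam_unix --range Today --detail 10 > "${MyDir}Rapport"; then
  printf '%s: logwatch failed\n' "$0" >&2
  exit 1
fi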

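# Check the report for the SSH part.

# Word-split on newlines only. Kept as a global setting because the
# `for … in \`cat …\`` loops further down in this script depend on it.
IFS="
"

#######################################
# Pull "host count" pairs out of the "Authentication Failures:" section of
# the LogWatch pam_unix report. A report line such as
#   "unknown (1.2.3.4): 47 Time(s)"
# yields "1.2.3.4 47". The section ends at "Sessions Opened:" or
# "Invalid Users:".
# Arguments: $1 - report file; $2 - output file (appended to)
#######################################
extract_scanners() {
  in_failures=0
  # read -r keeps each line intact; an unquoted "echo $line" would also
  # glob-expand the report text.
  while IFS= read -r line || [ -n "$line" ]; do
    # Same precedence as the original checks: a section-ending marker wins
    # over the opening one when both appear on one line.
    case "$line" in
      *"Sessions Opened:"*|*"Invalid Users:"*) in_failures=0 ;;
      *"Authentication Failures:"*) in_failures=1 ;;
    esac
    if [ "$in_failures" -eq 1 ]; then
      case "$line" in
        *')'*)
          # Fields 2 and 3 are "(host):" and the count; strip the brackets.
          printf '%s\n' "$line" \
            | awk '{ s = $2 " " $3; sub(/\(/, "", s); sub(/\):/, "", s); print s }' >> "$2"
          ;;
      esac
    fi
  done < "$1"
}

extract_scanners "${MyDir}Rapport" "${MyDir}Scanners"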

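# No "Scanners" file means the report held no failure lines: nothing to do.
if [ ! -f "${MyDir}Scanners" ]; then
  exit 0
fi

# Byte-wise sort so that equal hosts are adjacent regardless of locale; the
# per-host totals are computed from adjacent runs.
LC_ALL=C sort "${MyDir}Scanners" > "${MyDir}Scanners-sorted"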

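#######################################
# Sum the counts of a sorted "host count" list into one "host total" line per
# host. Equal hosts must be adjacent (the list is sorted beforehand). Blank
# lines are ignored, and an empty list yields no output at all -- the original
# emitted a " 0" line in that case, whose empty host would later be grepped
# for in the logs and match every line.
# Arguments: $1 - sorted input file; $2 - output file (appended to)
#######################################
sum_counts() {
  awk '
    NF == 0 { next }
    $1 != prev {
      if (seen) print prev, total
      prev = $1
      total = 0
      seen = 1
    }
    { total += $2 }
    END { if (seen) print prev, total }
  ' "$1" >> "$2"
}

sum_counts "${MyDir}Scanners-sorted" "${MyDir}Scanners-counted"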

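# Diagnostic only: shows the size and date of the per-host totals the abuse
# loop works from, in whatever captures this script's stdout.
ls -l "${MyDir}Scanners-counted"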

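#######################################
# Convert a dotted-quad IPv4 address to a single integer so that ranges can
# be compared numerically. The previous per-octet comparison treated a range
# as a box (each octet checked on its own), which misclassifies hosts in
# ranges not aligned on octet boundaries: 10.1.5.5 was not considered inside
# 10.1.0.0-10.2.0.0.
# Arguments: $1 - address
# Outputs:   the integer on stdout
# Returns:   0 if $1 is a valid IPv4 address, 1 otherwise (host names, IPv6,
#            empty strings, octets above 255)
#######################################
ip_to_int() {
  case "$1" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  # awk does the arithmetic: unlike $(( )), it does not read a leading zero
  # as an octal prefix.
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    {
      for (i = 1; i <= 4; i++) {
        if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
      }
      print (($1 * 256 + $2) * 256 + $3) * 256 + $4
    }'
}

#######################################
# Test whether an IPv4 address lies within an inclusive range.
# Arguments: $1 - address; $2 - first address of the range; $3 - last address
# Returns:   0 if inside, 1 if outside or if any argument is not an IPv4
#            address (so comment or malformed lines in the range list never
#            match)
#######################################
ip_in_range() {
  host_n=$(ip_to_int "$1") || return 1
  begin_n=$(ip_to_int "$2") || return 1
  end_n=$(ip_to_int "$3") || return 1
  [ "$host_n" -ge "$begin_n" ] && [ "$host_n" -le "$end_n" ]
}

#######################################
# Resolve a host name with nslookup and print the first "Address:" value,
# skipping the line marked with "#" (the resolver's own address, as the
# original filter did). Only the first address is used so that a multi-homed
# name does not produce a multi-line value.
# Arguments: $1 - host name
# Outputs:   the address on stdout, or nothing if it did not resolve
#######################################
resolve_host() {
  # A name starting with "-" would be taken by nslookup as an option.
  case "$1" in
    -*) return 1 ;;
  esac
  nslookup "$1" 2>/dev/null | grep -v '#' | grep 'Address:' | awk '{print $2}' | head -n 1
}

#######################################
# Render the complaint template into a file. Placeholders HOST, COUNT and
# TIMEZONE are replaced once per line, literally; a line consisting of exactly
# "LOGS" is replaced by the collected log lines. As before, blank template
# lines are skipped and every rendered line is followed by a blank line.
# Arguments: $1 - template file; $2 - log excerpt file; $3 - output file
#            (overwritten); $4 - host; $5 - count
#######################################
render_complaint() {
  # Values are handed over through the environment rather than -v: -v
  # interprets backslash escapes, and the host string originates in the
  # login attempts themselves. The sed chain it replaces would also have
  # read "/" or "&" in the host as part of the substitution.
  LOGS_FILE="$2" HOST_VAL="$4" COUNT_VAL="$5" TZ_VAL="${TZ:-}" awk '
    # Replace the first occurrence of key in s with val, literally.
    function repl(s, key, val,    i) {
      i = index(s, key)
      if (i == 0) return s
      return substr(s, 1, i - 1) val substr(s, i + length(key))
    }
    BEGIN { logf = ENVIRON["LOGS_FILE"] }
    /^$/ { next }
    $0 == "LOGS" {
      while ((getline l < logf) > 0) print l
      close(logf)
      print ""
      next
    }
    {
      s = repl($0, "HOST", ENVIRON["HOST_VAL"])
      s = repl(s, "COUNT", ENVIRON["COUNT_VAL"])
      s = repl(s, "TIMEZONE", ENVIRON["TZ_VAL"])
      print s
      print ""
    }' "$1" > "$3"
}

# Field separator for the whitespace-separated work files; set per "read" so
# the script's global IFS (newline only) is left untouched.
ws=$(printf ' \t')
# Minimum number of failed attempts before an abuse mail is sent. config.sh
# may override it through AbuseThreshold; 30 was the hard-coded value.
abuse_threshold=${AbuseThreshold:-30}

# Private work files. Fixed names in /tmp (/tmp/Logs, /tmp/plainte) could be
# pre-created or symlinked by any local user, altering or exposing the mail
# being built.
logs=$(mktemp) || exit 1
plainte=$(mktemp) || exit 1
trap 'rm -f -- "$logs" "$plainte"' EXIT

while IFS="$ws" read -r Host count _ || [ -n "$Host" ]; do
  [ -n "$Host" ] || continue
  Treated=0
  # Raw log lines for this host, under the name or address the log used.
  # Fixed-string and "--"-terminated: the value comes from the report, i.e.
  # from whatever the remote side presented, so it must be neither a pattern
  # nor an option.
  grep -F -- "$Host" "$OldLogFile" > "$logs"
  grep -F -- "$Host" "$LogFile" >> "$logs"
  # Names are resolved to an address for the range lookup. The previous test
  # (unanchored, unescaped dots, trailing ".$") never matched a plain dotted
  # quad, so addresses were sent to nslookup too. A name that does not
  # resolve is kept as-is so it still appears in the "unknown" report.
  if ! ip_to_int "$Host" > /dev/null; then
    resolved=$(resolve_host "$Host")
    [ -n "$resolved" ] && Host=$resolved
  fi
  while IFS="$ws" read -r BEGINRANGE ENDRANGE ABUSEMAIL _ || [ -n "$BEGINRANGE" ]; do
    if ip_in_range "$Host" "$BEGINRANGE" "$ENDRANGE" && [ "$count" -gt "$abuse_threshold" ]; then
      render_complaint "${MyDir}TMPL" "$logs" "$plainte" "$Host" "$count"
      mail -a "From: $MyMail" -s "Abuse - scan SSH from one of your server" "$ABUSEMAIL" < "$plainte"
      if [ "${CopyOfAbuse:-0}" -eq 1 ]; then
        mail -a "From: $MyMail" -s "Contact - $ABUSEMAIL" "$MyMail" < "$plainte"
      fi
      Treated=1
    fi
  done < "${MyDir}ListeIP.dat"
  # Not in any range, or under the threshold: left for the admin to look at.
  if [ "$Treated" -ne 1 ]; then
    printf '%s %s\n' "$Host" "$count" >> "${MyDir}HostUnknow"
  fi
done < "${MyDir}Scanners-counted"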

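# Hosts that matched no range (or stayed under the threshold) go to the admin;
# the file only exists when there was at least one, so send nothing otherwise.
if [ -s "${MyDir}HostUnknow" ]; then
  mail -a "From: $MyMail" -s "Unknown Hosts" "$MyMail" < "${MyDir}HostUnknow"
fi

# Work files of this run. They are plain files, so -f is enough; ${MyDir:?}
# aborts instead of deleting relative names in the current directory should
# MyDir be empty.
rm -f -- "${MyDir:?}Rapport" "${MyDir}Scanners" "${MyDir}Scanners-sorted" "${MyDir}Scanners-counted" "${MyDir}HostUnknow"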

