#!/bin/sh
#
# /etc/init.d/sshwatch
#
### RedHat chkconfig
# chkconfig: 345 08 99
# description: Starts, stops sshwatch daemon \
# Intrusion Prevention System (IPS) for ssh \
# Continuously tail the system security log, \
# watching for a match on "sshd", "Failed password", \
# "Invalid user". With a match, add the source ip to \
# list and block with iptables.
#
### Debian/Ubuntu update-rc.d
### BEGIN INIT INFO
# Provides: sshwatch
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Intrusion Prevention System (IPS) for ssh
# Description: Continuously tail the system security log,
# watching for a match on "sshd", "Failed password",
# "Invalid user". With a match, add the source ip to
# list and block with iptables.
### END INIT INFO
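PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=sshwatch
DAEMON=/usr/sbin/sshwatchd
LOG=/var/log/sshwatch.log
DESC="IPS for ssh"
PIDFILE="/var/run/$NAME.pid"
# Distro detection selects the init helper library to source, the log file
# sshd writes authentication events to, and where the lock file lives.
# If both release files exist the debian settings win (second block).
DISTRO=""
if [ -f /etc/redhat-release ]; then
  DISTRO=redhat
  . /etc/init.d/functions
  SECLOG=/var/log/secure
  LOCKFILE="/var/lock/subsys/$NAME"
fi
if [ -f /etc/debian_version ]; then
  DISTRO=debian
  . /lib/lsb/init-functions
  SECLOG=/var/log/auth.log
  LOCKFILE="/var/lock/$NAME"
fi
# Pre-flight checks. Diagnostics go to stderr with a trailing newline:
# `echo -n` is not portable under /bin/sh (dash prints a literal "-n"), and
# the original messages left the terminal without a newline on exit.
if [ -z "$DISTRO" ]; then
  printf '%s\n' "Unknown distro" >&2
  exit 1
fi
if [ ! -x "$DAEMON" ]; then
  printf '%s\n' "$DAEMON can not execute or does not exist" >&2
  exit 1
fi
if [ ! -f "$SECLOG" ]; then
  printf '%s\n' "$SECLOG does not exist." >&2
  exit 1
fi
# Exit status of the last start()/stop() call; read by the dispatcher below.
RETVAL=""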
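#######################################
# Launch the daemon in the background and record its pid.
# Globals:   DISTRO, DAEMON, SECLOG, LOG, DESC (read); PIDFILE (written);
#            RETVAL (written)
# Outputs:   "Starting <DESC>: " prefix on stdout (no newline); daemon output
#            is appended to $LOG
# Returns:   RETVAL, which only reflects whether the background job was
#            spawned -- a daemon that dies right after exec still yields 0
#######################################
start() {
  printf '%s' "Starting $DESC: "
  case "$DISTRO" in
    redhat) "$DAEMON" "$SECLOG" >>"$LOG" 2>&1 & ;;
    debian) start-stop-daemon --start --exec "$DAEMON" -- "$SECLOG" >>"$LOG" 2>&1 & ;;
  esac
  # `$?` after `&` is the status of spawning the job, not of the daemon.
  RETVAL=$?
  # $! is the spawned process (start-stop-daemon execs the daemon, so the pid
  # is the same). When no case arm matched there is no job; do not leave an
  # empty pid file behind, since status() would then report a stale one.
  if [ -n "$!" ]; then
    printf '%s\n' "$!" >"$PIDFILE"
  fi
  return "$RETVAL"
}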
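#######################################
# Stop the daemon recorded in the pid file.
# Globals:   DISTRO, NAME, DAEMON, PIDFILE (read); RETVAL (written)
# Outputs:   "Stopping <NAME>: " prefix on stdout (no newline)
# Returns:   exit status of the stop helper (0 when no case arm matched)
#######################################
stop() {
  printf '%s' "Stopping $NAME: "
  case "$DISTRO" in
    redhat) killproc -p "$PIDFILE" "$DAEMON" ;;
    # Use the shared $PIDFILE instead of re-deriving /var/run/$NAME.pid, so the
    # file written by start() and the one consulted here cannot drift apart.
    debian) start-stop-daemon --stop --oknodo --pidfile "$PIDFILE" ;;
  esac
  RETVAL=$?
  return "$RETVAL"
}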
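#######################################
# Report whether the daemon is running, based on the pid file.
# Globals:   NAME, PIDFILE (read); STATUS, PID (written)
# Outputs:   a one-line report on stdout when a pid file is present
# Returns:   0 when there is no (non-empty) pid file. When a pid file exists
#            the function EXITS the script with 1, both for a live daemon and
#            for a stale pid file -- the start arm relies on this to refuse a
#            second start.
#######################################
status() {
  STATUS=0
  if [ -s "$PIDFILE" ]; then
    STATUS=1
    # First line only, surrounding blanks stripped by read.
    IFS=' 	' read -r PID <"$PIDFILE"
    # Only a well-formed numeric pid is handed to ps; anything else in the pid
    # file is treated as stale instead of being passed through as arguments.
    case "$PID" in
      ''|*[!0-9]*) RUNNING=0 ;;
      *) if ps -p "$PID" >/dev/null 2>&1; then RUNNING=1; else RUNNING=0; fi ;;
    esac
    if [ "$RUNNING" -eq 1 ]; then
      echo "$NAME running PID: $PID." && exit 1
    else
      echo "$NAME NOT running, but $PIDFILE exists!" && exit 1
    fi
  fi
  return "$STATUS"
}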
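# Dispatch on the init action. success/failure come from /etc/init.d/functions
# (redhat); log_end_msg from /lib/lsb/init-functions (debian).
case "$1" in
  start)
    # status() exits 1 by itself when the daemon is already running or a pid
    # file is left behind, so a second start is refused before reaching start().
    status
    start
    if [ "$RETVAL" -eq 0 ]; then
      touch "$LOCKFILE"
      case "$DISTRO" in
        redhat) success; echo ;;
        debian) log_end_msg "$RETVAL" ;;
      esac
    else
      # Previously a failed start left the "Starting ..." line open with no
      # verdict; report it the same way the helpers report success.
      case "$DISTRO" in
        redhat) failure; echo ;;
        debian) log_end_msg "$RETVAL" ;;
      esac
    fi
    ;;
  stop)
    stop
    if [ "$RETVAL" -eq 0 ]; then
      rm -f "$LOCKFILE" && rm -f "$PIDFILE"
      case "$DISTRO" in
        redhat) echo ;;
        debian) log_end_msg "$RETVAL" ;;
      esac
    else
      case "$DISTRO" in
        redhat) failure; echo ;;
        debian) log_end_msg "$RETVAL" ;;
      esac
    fi
    ;;
  status)
    status
    if [ "$STATUS" -eq 0 ]; then
      echo "$NAME not running."
    fi
    ;;
  *)
    # `$"..."` is a bash-only locale form; under /bin/sh (dash) it prints a
    # literal "$". Plain quotes keep the usage line correct on both.
    printf '%s\n' "Usage: $0 {start|stop|status}" >&2
    exit 1
    ;;
esac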