Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: RE: SSH Bruteforce blocking script

RE: SSH Bruteforce blocking script

From: Michael L Benjamin <mike.benjamin_at_clarinet.com.au>
Date: Fri, 2 Sep 2005 16:36:39 +0800

Hmm even that is no good.

I would also suggest chown root.root ${TMP_FILE} in there too after chmod. In case a user
is attempting to insert a change during the tiny window in which the file is about to be clobbered.

Sorry for wasting bandwidth but for the sake of correctness, I think it's the right thing to do.

Cheers, Mike.

-----Original Message-----
From: full-disclosure-bounces_at_lists.grok.org.uk [mailto:full-disclosure-bounces_at_lists.grok.org.uk] On Behalf Of Michael L Benjamin
Sent: Friday, September 02, 2005 04:31 PM
To: full-disclosure_at_lists.grok.org.uk
Subject: RE: [Full-disclosure] SSH Bruteforce blocking script

 

Ok, well spotted. Something for me to fix there.

Here you go, add these lines to the script just after the touch:

chmod 700 ${TMP_FILE}
> ${TMP_FILE}

My apologies, that is a no-no and something I should have spotted.

I originally thought about doing this with arrays in memory. I might go back to that later.

Thanks for your input.

Cheers, Mike.

-----Original Message-----
From: full-disclosure-bounces_at_lists.grok.org.uk [mailto:full-disclosure-bounces_at_lists.grok.org.uk] On Behalf Of Alejandro Barrera
Sent: Friday, September 02, 2005 04:04 PM
To: full-disclosure_at_lists.grok.org.uk
Subject: Re: [Full-disclosure] SSH Bruteforce blocking script

Well, we apreciate your script although I would preffer to stay with my nice bruteforcing attempts than to create an insecure temporary file bug:

ergosum_at_sparta:~$ cat test.sh
#!/bin/sh

SCRIPT_NAME=$(basename $0)
TMP_FILE="/tmp/${SCRIPT_NAME}.$$"

touch ${TMP_FILE}
echo "pwn3d" > ${TMP_FILE}
exit
ergosum_at_sparta:~$ cat data
pr0n g0ld collection: ....

ergosum_at_sparta:~$ ln -s /home/ergosum/data /tmp/test.sh.18359 ergosum_at_sparta:~$ ln -s /home/ergosum/data /tmp/test.sh.18361 ergosum_at_sparta:~$ ln -s /home/ergosum/data /tmp/test.sh.18362 ergosum_at_sparta:~$ ./test.sh ergosum_at_sparta:~$ cat data pwn3d

> #!/bin/ksh
> #
> # ssh_brute_blocker
> #
> # 05/07/2004 15:05 - Michael L. Benjamin #
 
> SCRIPT_NAME=$(basename $0)
> LOG_FILE="/var/log/secure"
> DENY_FILE="/etc/hosts.deny"
> TMP_FILE="/tmp/${SCRIPT_NAME}.$$"
> INBOUND_IP=""
> INLINE=""
> GUESS_COUNT=0
> PERMIT_GUESS=4
 
> touch ${TMP_FILE}
 
> while :
> do
 
> tail -10000 ${LOG_FILE} | grep "Failed password for illegal user" |
> awk -F"from" {'print $2'} | awk {'print $1'} | uniq > ${TMP_FILE}

 
 
  

--
Alejandro Barrera García-Orea
R&D Engineer
c/ Alcala 268 28027 Madrid
Office: +34 91 326 66 11
Fax: +34 91 326 66 11
e-mail: abarrera_at_iron-gate.net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Sep 02 2005
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]