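#!/usr/bin/env bash
# ssh_brute_finder - try and detect ssh brute force attempts
# and if they have been successful
# Copyright Brian Brazil 2005
# http://www.netsoc.tcd.ie/~bbrazil/code/brmon
# $Id: ssh_brute_finder,v 1.1 2005/12/26 17:17:27 bbrazil Exp $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Usage: ssh_brute_finder          (intended to be run from cron as root)
#
# Environment, all optional:
#   LOG         sshd log file to scan      (default /var/log/sshd.log.1)
#   THRESHOLD1  score a single IP must reach to be classed as an attacker
#   THRESHOLD2  failures against a single account before it is reported
#   GAWK        gawk binary; chosen from $OSTYPE when unset
#
# NB: for this to work you MUST have 'LogLevel VERBOSE' in your sshd_config

set -euo pipefail

LOG=${LOG:-/var/log/sshd.log.1}
THRESHOLD1=${THRESHOLD1:-20}   # score a single IP must have to be classified as an attacker
THRESHOLD2=${THRESHOLD2:-10}   # attacks against a single account

#######################################
# Print a message to stderr and exit non-zero (so cron reports it).
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Locate the gawk binary.  $GAWK wins when set; otherwise try the per-OS
# path the script has always used and fall back to whatever is on PATH.
# OSTYPE usually carries a version suffix (e.g. solaris2.10), so the OS is
# matched on its prefix rather than as an exact string.
# Globals:  GAWK (read), OSTYPE (read)
# Outputs:  gawk command on stdout
# Returns:  0 when a candidate was found, 1 otherwise
#######################################
pick_gawk() {
  local candidate=
  if [[ -n "${GAWK:-}" ]]; then
    printf '%s\n' "$GAWK"
    return 0
  fi
  case "$OSTYPE" in
    solaris*)   candidate=/opt/csw/bin/gawk ;;
    linux-gnu*) candidate=/usr/bin/gawk ;;
    *)          candidate= ;;
  esac
  if [[ -n "$candidate" && -x "$candidate" ]]; then
    printf '%s\n' "$candidate"
  else
    command -v gawk
  fi
}

#######################################
# Scan one sshd log for brute-force activity and print a report.
# The sshd messages are located by their keywords ("Invalid user",
# "Failed ... for", "Accepted ... for") instead of absolute field numbers,
# so the syslog prefix (which has three more fields on Solaris than on
# Linux) no longer has to be normalised, and a user name containing
# spaces cannot shift the IP into another field.  The user name in these
# lines is supplied by the remote client and is treated as arbitrary text.
# Thresholds are passed with -v rather than spliced into the program text.
# Arguments: $1 - gawk command
#            $2 - log file
#            $3 - per-IP score threshold
#            $4 - per-account failure threshold
# Outputs:   report lines on stdout; nothing when no threshold is reached
# Returns:   gawk exit status
#######################################
score_log() {
  local gawk=$1 log=$2 ip_threshold=$3 account_threshold=$4
  "$gawk" -v ip_threshold="$ip_threshold" \
          -v account_threshold="$account_threshold" '
    # "Invalid user NAME from IP [port N]": two points against the IP.
    # NAME may itself contain " from ", so the greedy .* takes the last
    # one, which is the one written by sshd.
    /sshd/ && match($0, /(Invalid|Illegal) user .* from ([^ ]+)/, m) {
      ip = m[2]
      invalid[ip] += 1
      attack[ip] += 2
    }
    # "Failed METHOD for NAME from IP": one point against the IP and one
    # failure against the account.  "for invalid user NAME" describes the
    # same attempt as the Invalid-user line above; the old fixed-field
    # pattern never counted it, so it is skipped here as well.
    /sshd/ && match($0, /Failed [^ ]+ for (.*) from ([^ ]+)/, m) && m[1] !~ /^invalid user / {
      user = m[1]
      ip = m[2]
      user_fail[user] += 1
      failed[ip] += 1
      attack[ip] += 1
    }
    # "Accepted METHOD for NAME from IP": a successful login.
    /sshd/ && match($0, /Accepted [^ ]+ for (.*) from ([^ ]+)/, m) {
      login[m[2], m[1]] += 1
      user_success[m[1]] += 1
    }
    END {
      for (ip in attack) {
        if (attack[ip] >= ip_threshold) {
          print ip " has " failed[ip]+0 " failed and " invalid[ip]+0 " invalid login attempts"
          # An attacker who also has a successful login may have got in.
          for (key in login) {
            split(key, part, SUBSEP)
            if (part[1] == ip) {
              print ip " possibly cracked " part[2]
            }
          }
        }
      }
      for (user in user_fail) {
        if (user_fail[user] >= account_threshold) {
          print user_fail[user] " login failures and " user_success[user]+0 " successes for " user ". Attempted brute force?"
        }
      }
    }
  ' "$log"
}

#######################################
# Validate configuration, run the scan and mail root if anything was found.
# Globals:  LOG, THRESHOLD1, THRESHOLD2, HOSTNAME (read)
# Returns:  0 when nothing reached a threshold or the mail was sent;
#           exits 1 on a configuration error
#######################################
main() {
  local gawk report
  [[ "$THRESHOLD1" =~ ^[0-9]+$ && "$THRESHOLD2" =~ ^[0-9]+$ ]] \
    || die "THRESHOLD1 and THRESHOLD2 must be non-negative integers"
  [[ -r "$LOG" ]] || die "cannot read log file: $LOG"
  gawk=$(pick_gawk) || die "gawk not found; install gawk or set GAWK"
  report=$(score_log "$gawk" "$LOG" "$THRESHOLD1" "$THRESHOLD2")
  # Stay silent when nothing reached a threshold so cron does not mail noise.
  if [[ -z "$report" ]]; then
    return 0
  fi
  printf 'Warning - possible ssh brute force attempts\n\n%s\n' "$report" \
    | mail -s "${HOSTNAME:-$(hostname)}: SSH brute force attempts" root
}

main "$@"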