Tsukiji Systems
RSS1.0


googleで
サイト内検索
このブログ
を検索!
  help

巻き戻し中。

2008年
7月
1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31


2008-07-20(日) 修正 [長年日記]

_ PC ssh防御ツール

改良完了。

cron止めて、手動で実験しながら。

会社のVPN経由でアタックを掛けて、状況をモニタ。

入り口が2ヶ所無いと、実験した途端にアクセス不能で終了になってしまうwww

どうやら、1時間あたりの閾値を越えるリストがおかしい。

空行を含んじゃうのね。

で、253行目をちょっと変更。

早速会社のマシンにも移植。

以下source

#!/bin/sh
#
# ssh_chk.sh By H.Uekusa 2007
# Ver 2.02 2008.7.20
# Automated defending tool for ssh attack.
# This command must be set on the cron with every minutes
###############################################################################
#
# You should set 
# $SHPATH [$TMP]/total_min_ipfw_add_cmd.txt
# $SHPATH [$TMP]/total_hour_ipfw_add_cmd.txt
# in /etc/rc.local
#
###############################################################################
 
###############################################################################
# Set variable for location of commands, Path of files...
###############################################################################
 
CATPATH="/bin/cat"
AWKPATH="/usr/bin/awk"
GREPPATH="nice -n 10 /usr/bin/grep --mmap"
DIFFPATH="/usr/bin/diff"
SORTPATH="/usr/bin/sort"
MAILPATH="/usr/bin/mail"
DATEPATH="/bin/date"
SHPATH="/bin/sh"
LOOKUP="/usr/sbin/nslookup"
AUTHLOG="/var/log/auth.log"
TMP="/var/tmp"
LOCKFILE="ssh_chk.lock"
PREV_MIN_RECORD="prev_min"
 
# Should be BSD-Firewall
IPFWPATH="/sbin/ipfw"
 
# Select to check "attempt"
CHK_IP_RESOLV="yes"
CHK_IP_MAP="yes"
 
# Set threshold
OK_PER_MIN="6"
OK_PER_HOUR="20"
 
# Set IPFW parameters
IPFW_NUM="00022"
PORT="22"
IF_NAME="fxp0"
 
# Set valid e-mail!
MAILTO="hogehoge@hoge.jp,hogehoge@docomo.ne.jp"
 
###############################################################################
 
###############################################################################
#check the lock file
###############################################################################
if [ -f "$TMP/$LOCKFILE" ];then
	echo "$0 is executing already"
	echo "Please wait for a while or remove lock file $LOCKFILE!"
	exit
fi
 
### put a lock file ###
touch $TMP/$LOCKFILE
 
###############################################################################
#
#Get date values
#
###############################################################################
NOW=`$DATEPATH +%Y%m%d%H%M`
PREV=`cat $TMP/$PREV_MIN_RECORD`
NOW_HOUR=`$DATEPATH +%Y%m%d%H`
PREV_HOUR=`$DATEPATH -v -1H +%Y%m%d%H`
 
touch $TMP/ipfw_added.txt
$SORTPATH -u $TMP/ipfw_added.txt >$TMP/ipfw_added.txt.sort
cp -p $TMP/ipfw_added.txt.sort $TMP/ipfw_added.txt
rm -f $TMP/ipfw_added.txt.sort
 
###############################################################################
#
#Get failed lines from auth log
#
###############################################################################
 
# Find a string for invalid user for FreeBSD 6.x and later
$GREPPATH Invalid $AUTHLOG > $TMP/"$NOW"_fail.txt
 
# It's old version of above for FreeBSD 4.x/5.x
# $GREPPATH Illegal $AUTHLOG > $TMP/"$NOW"_fail.txt
 
### Touch the previous file for safe ###
touch $TMP/"$PREV"_fail.txt
echo "$NOW" > $TMP/$PREV_MIN_RECORD
 
###############################################################################
#
#Compare with before one minutes
#
###############################################################################
 
$DIFFPATH $TMP/"$NOW"_fail.txt $TMP/"$PREV"_fail.txt |$GREPPATH '^<' > $TMP/diff_raw.txt
NONE_STATUS=`$GREPPATH -c ssh $TMP/diff_raw.txt`
 
###############################################################################
#
#Detect a probing of ssh from attacker (Selective)
#As same as above procedure for normal check
#
###############################################################################
 
if [ "$CHK_IP_RESOLV" = "yes" ];then
	$GREPPATH "POSSIBLE BREAK-IN ATTEMPT" $AUTHLOG |$GREPPATH "getaddrinfo"\
	 > $TMP/"$NOW"_fail-attack.txt
	touch $TMP/"$PREV"_fail-attack.txt
	$DIFFPATH $TMP/"$NOW"_fail-attack.txt $TMP/"$PREV"_fail-attack.txt \
	|$GREPPATH '^<' > $TMP/diff_raw-attack.txt
	NONE_STATUS_ATTACK=`$GREPPATH -c ssh $TMP/diff_raw-attack.txt`
else
	NONE_STATUS_ATTACK="0"
fi
 
if [ "$CHK_IP_MAP" = "yes" ];then
	$GREPPATH "POSSIBLE BREAK-IN ATTEMPT" $AUTHLOG |$GREPPATH "not map back to the address"\
	 > $TMP/"$NOW"_fail-attack2.txt
	touch $TMP/"$PREV"_fail-attack2.txt
	$DIFFPATH $TMP/"$NOW"_fail-attack2.txt $TMP/"$PREV"_fail-attack2.txt\
	 |$GREPPATH '^<' > $TMP/diff_raw-attack2.txt
	NONE_STATUS_ATTACK2=`$GREPPATH -c ssh $TMP/diff_raw-attack2.txt`
else
	NONE_STATUS_ATTACK2="0"
fi
 
###############################################################################
#
# if diff is null, skip all process and exit
#
###############################################################################
 
if [ "$NONE_STATUS" = "0" ];then
	if [ "$NONE_STATUS_ATTACK" = "0" ];then
		if [ "$NONE_STATUS_ATTACK2" = "0" ];then
			touch $TMP/"$NOW_HOUR"-summary-hour_count_list.txt
			touch $TMP/count_list.txt
			touch $TMP/count_cmd.sh
			touch $TMP/min_ipfw_add_cmd.txt
			touch $TMP/min_ipfw_add_cmd_prev.txt
			touch $TMP/ipfw_added.txt
			touch $TMP/hour_ipfw_add_cmd.txt
			touch $TMP/hour_ipfw_add_cmd_prev.txt
			touch $TMP/"$NOW_HOUR"-hour_count_list.txt
			rm -f $TMP/"$PREV_HOUR"*
			rm -f $TMP/$LOCKFILE
			exit
		fi
	fi
fi
 
###############################################################################
#
#Exec for attack suddenly
#
###############################################################################
 
###############################################################################
# For IP resolv
###############################################################################
 
if [ "$NONE_STATUS_ATTACK" != "0" ];then
	touch $TMP/min_ipfw_add_cmd-attack.txt
	cp -p $TMP/min_ipfw_add_cmd-attack.txt $TMP/min_ipfw_add_cmd_prev-attack.txt
	$CATPATH $TMP/"$NOW"_fail-attack.txt|$AWKPATH '{print $12}' | $AWKPATH -F"\]" '{print $1}' \
	| $AWKPATH -F'\[' '{print $2}' > $TMP/count_list-attack.txt
	$SORTPATH -u $TMP/count_list-attack.txt >$TMP/count_list-attack.sort.txt
        cp -p $TMP/count_list-attack.sort.txt $TMP/count_list-attack.txt
        rm -f $TMP/count_list-attack.sort.txt
	$GREPPATH -F -v -f $TMP/ipfw_added.txt $TMP/count_list-attack.txt\
	| $AWKPATH -v IPFW_NUM=`echo $IPFW_NUM` -v IF_NAME=`echo $IF_NAME` -v PORT=`echo $PORT` -v IPFWPATH=`echo $IPFWPATH` \
	'{ print IPFWPATH" add "IPFW_NUM" deny tcp from "$1"/24 to any "PORT" via "IF_NAME}' > $TMP/min_ipfw_add_cmd-attack.txt
	$DIFFPATH $TMP/min_ipfw_add_cmd_prev-attack.txt $TMP/min_ipfw_add_cmd-attack.txt|$GREPPATH '^>'
	if [ "$?" = "0" ]; then
        	$DATEPATH >> $TMP/defend-log
      		$DATEPATH >> $TMP/defend-log.time
       		$SHPATH $TMP/min_ipfw_add_cmd-attack.txt >> $TMP/defend-log
		$AWKPATH '{print $7}' $TMP/min_ipfw_add_cmd-attack.txt | $AWKPATH -v LOOKUP=`echo $LOOKUP` -F/ \
		'{print LOOKUP" "$1}' > $TMP/defend-name-log-attack.cmd
	 	$CATPATH $TMP/min_ipfw_add_cmd-attack.txt > $TMP/min_mailbody-attack.txt
		$SHPATH $TMP/defend-name-log-attack.cmd >> $TMP/min_mailbody-attack.txt
		echo "by POSSIBLE BREAK-IN ATTEMPT ip-resolv" >> $TMP/min_mailbody-attack.txt
		$MAILPATH -s "SSH attack detected by minutes" $MAILTO < $TMP/min_mailbody-attack.txt
### to keep when reboot ###
		$CATPATH $TMP/min_ipfw_add_cmd-attack.txt >> $TMP/total_min_ipfw_add_cmd.txt
### check for double ###
		$GREPPATH -F -v -f $TMP/ipfw_added.txt $TMP/count_list-attack.txt >> $TMP/ipfw_added.txt
	fi
fi
 
###############################################################################
# For IP reverse map
###############################################################################
 
if [ "$NONE_STATUS_ATTACK2" != "0" ];then
	touch $TMP/min_ipfw_add_cmd-attack2.txt
	cp -p $TMP/min_ipfw_add_cmd-attack2.txt $TMP/min_ipfw_add_cmd_prev-attack2.txt
	$CATPATH $TMP/"$NOW"_fail-attack2.txt|$AWKPATH '{print $7}' > $TMP/count_list-attack2.txt
	$SORTPATH -u $TMP/count_list-attack2.txt >$TMP/count_list-attack.sort2.txt
        cp -p $TMP/count_list-attack.sort2.txt $TMP/count_list-attack2.txt
        rm -f $TMP/count_list-attack.sort2.txt
	$GREPPATH -F -v -f $TMP/ipfw_added.txt $TMP/count_list-attack2.txt\
	| $AWKPATH -v IPFW_NUM=`echo $IPFW_NUM` -v IF_NAME=`echo $IF_NAME` -v PORT=`echo $PORT` -v IPFWPATH=`echo $IPFWPATH` \
	'{ print IPFWPATH" add "IPFW_NUM" deny tcp from "$1"/24 to any "PORT" via "IF_NAME}' \
	> $TMP/min_ipfw_add_cmd-attack2.txt
	$DIFFPATH $TMP/min_ipfw_add_cmd_prev-attack2.txt $TMP/min_ipfw_add_cmd-attack2.txt|$GREPPATH '^>'
	if [ "$?" = "0" ]; then
        	$DATEPATH >> $TMP/defend-log
      		$DATEPATH >> $TMP/defend-log.time
       		$SHPATH $TMP/min_ipfw_add_cmd-attack2.txt >> $TMP/defend-log
		$AWKPATH '{print $7}' $TMP/min_ipfw_add_cmd-attack2.txt \
		| $AWKPATH -v LOOKUP=`echo $LOOKUP` -F/ '{print LOOKUP" "$1}' > $TMP/defend-name-log-attack2.cmd
	 	$CATPATH $TMP/min_ipfw_add_cmd-attack2.txt > $TMP/min_mailbody-attack2.txt
		$SHPATH $TMP/defend-name-log-attack2.cmd >> $TMP/min_mailbody-attack2.txt
		echo "by POSSIBLE BREAK-IN ATTEMPT ip-reverse-map" >> $TMP/min_mailbody-attack2.txt
		$MAILPATH -s "SSH attack detected by minutes" $MAILTO < $TMP/min_mailbody-attack2.txt
### to keep when reboot ###
		$CATPATH $TMP/min_ipfw_add_cmd-attack2.txt >> $TMP/total_min_ipfw_add_cmd.txt
### check for double ###
		$GREPPATH -F -v -f $TMP/ipfw_added.txt $TMP/count_list-attack2.txt >> $TMP/ipfw_added.txt
	fi
fi
 
###############################################################################
#
#Count per min
#
###############################################################################
 
$SORTPATH -u +10 $TMP/diff_raw.txt \
|$AWKPATH -v TMP=`echo $TMP` '{print "echo -n \""$11" \"; grep -c "$11" "TMP"/diff_raw.txt"}' > $TMP/count_cmd.sh
$SHPATH $TMP/count_cmd.sh > $TMP/count_list.txt
 
###############################################################################
#
#Count per hour
#
###############################################################################
 
$CATPATH $TMP/count_list.txt >>$TMP/"$NOW_HOUR"-hour_count_list.txt
$SORTPATH +1 $TMP/"$NOW_HOUR"-hour_count_list.txt \
|$AWKPATH '{if ( $1 == PREV ) { ADDR = $1; COUNT = COUNT + $2; PREV = ADDR;}\
 else { ADDR = $1; print PREV" "COUNT; COUNT = $2 ; PREV = ADDR;} next} END {print $1" "COUNT}'\
|$AWKPATH '{if ($1 != NULL) {print $1}}' >$TMP/"$NOW_HOUR"-summary-hour_count_list.txt
 
###############################################################################
#
#Process with threthold
#
###############################################################################
 
touch $TMP/ipfw_added.txt
 
### minutes ###
touch $TMP/min_ipfw_add_cmd.txt
cp -p $TMP/min_ipfw_add_cmd.txt $TMP/min_ipfw_add_cmd_prev.txt
$CATPATH $TMP/count_list.txt | $AWKPATH '{print $1}' \
> $TMP/count_list-addr.txt
$GREPPATH -F -v -f $TMP/ipfw_added.txt $TMP/count_list-addr.txt \
> $TMP/count_list-new.txt
$GREPPATH -f $TMP/count_list-new.txt $TMP/count_list.txt \
| $AWKPATH -v OK_PER_MIN=`echo $OK_PER_MIN` -v IPFW_NUM=`echo $IPFW_NUM` -v IF_NAME=`echo $IF_NAME`\
 -v PORT=`echo $PORT` -v IPFWPATH=`echo $IPFWPATH` \
'{ if ( $2 > OK_PER_MIN ) {print IPFWPATH" add "IPFW_NUM" deny tcp from "$1"/24 to any "PORT" via "IF_NAME}}' \
> $TMP/min_ipfw_add_cmd.txt
 
### to keep when reboot ###
$CATPATH $TMP/min_ipfw_add_cmd.txt >> $TMP/total_min_ipfw_add_cmd.txt
 
### check for double ###
$GREPPATH -f $TMP/count_list-new.txt $TMP/count_list.txt \
| $AWKPATH -v OK_PER_MIN=`echo $OK_PER_MIN` '{ if ( $2 > OK_PER_MIN ) {print $1}}'\
 >> $TMP/ipfw_added.txt
 
### hour ###
touch $TMP/hour_ipfw_add_cmd.txt
cp -p $TMP/hour_ipfw_add_cmd.txt $TMP/hour_ipfw_add_cmd_prev.txt
$CATPATH $TMP/"$NOW_HOUR"-summary-hour_count_list.txt | $AWKPATH '{print $1}' \
> $TMP/"$NOW_HOUR"-summary-hour_count_list-addr.txt
$GREPPATH -F -v -f $TMP/ipfw_added.txt $TMP/"$NOW_HOUR"-summary-hour_count_list-addr.txt \
> $TMP/"$NOW_HOUR"-summary-hour_count_list-new.txt
$GREPPATH -f $TMP/"$NOW_HOUR"-summary-hour_count_list-new.txt $TMP/"$NOW_HOUR"-summary-hour_count_list.txt \
| $AWKPATH -v OK_PER_HOUR=`echo $OK_PER_HOUR` -v IPFW_NUM=`echo $IPFW_NUM` -v IF_NAME=`echo $IF_NAME` \
-v PORT=`echo $PORT` -v IPFWPATH=`echo $IPFWPATH` \
'{ if ( $2 > OK_PER_HOUR ) {print IPFWPATH" add "IPFW_NUM" deny tcp from "$1"/24 to any "PORT" via "IF_NAME}}' \
> $TMP/hour_ipfw_add_cmd.txt
 
### to keep when reboot ###
$CATPATH $TMP/hour_ipfw_add_cmd.txt >> $TMP/total_hour_ipfw_add_cmd.txt
 
### check for double ###
$GREPPATH -f $TMP/"$NOW_HOUR"-summary-hour_count_list-new.txt $TMP/"$NOW_HOUR"-summary-hour_count_list.txt \
| $AWKPATH -v OK_PER_HOUR=`echo $OK_PER_HOUR` '{ if ( $2 > OK_PER_HOUR ) {print $1}}' >> $TMP/ipfw_added.txt
 
###############################################################################
#
# Execute IPFW
#
###############################################################################
 
$DIFFPATH $TMP/min_ipfw_add_cmd_prev.txt $TMP/min_ipfw_add_cmd.txt|$GREPPATH '^>'
if [ "$?" = "0" ]; then
	$DATEPATH >> $TMP/defend-log
	$DATEPATH >> $TMP/defend-log.time
	$SHPATH $TMP/min_ipfw_add_cmd.txt >> $TMP/defend-log
	$AWKPATH '{print $7}' $TMP/min_ipfw_add_cmd.txt | $AWKPATH -v LOOKUP=`echo $LOOKUP` -F/ '{print LOOKUP" "$1}'\
	 > $TMP/defend-name-log.cmd
	$CATPATH $TMP/min_ipfw_add_cmd.txt > $TMP/min_mailbody.txt
	$SHPATH $TMP/defend-name-log.cmd >> $TMP/min_mailbody.txt
	$MAILPATH -s "SSH attack detected by minutes" $MAILTO < $TMP/min_mailbody.txt
fi
 
$DIFFPATH $TMP/hour_ipfw_add_cmd_prev.txt $TMP/hour_ipfw_add_cmd.txt|$GREPPATH '^>'
if [ "$?" = "0" ]; then
	$DATEPATH >> $TMP/defend-log
	$DATEPATH >> $TMP/defend-log.time
	$SHPATH $TMP/hour_ipfw_add_cmd.txt >> $TMP/defend-log
	$MAILPATH -s "SSH attack detected by hour" $MAILTO < $TMP/hour_ipfw_add_cmd.txt
fi
 
###############################################################################
#
#Delete previous files
#
###############################################################################
 
rm -f $TMP/"$PREV_HOUR"*
rm -f $TMP/$LOCKFILE
 
exit

_ バイク フェンダーレス

SWIFTってショップのこれね。。付けてみた。

並べると軽そうに見えるが。。

両方の差は写真の通り。

うーん、「気は心」程度かなぁ。。。。

重さは、、、ハッキリ言ってアルミだがフェンダーレスキットの方が重い。

_|‾|○ ガクガク

取り付けはボルトオンのはずなのだが、脇のステーが溶接の盛り上がりに当たって微妙にネジが入らない。

仕方がないので、キット側の角をヤスリで削った。*1

それにしても、ナンバーがかなり上向き。

いやいや、警察さんに印象悪そうだwww

見た目はまぁまぁ(*´Д`)スキーリ。

横から見ると(*´Д`)スキーリ

*1 溶接側は鉄、キットはアルミだからなぁ。。

_ 魚 お魚クーラー

水の量を見たら、やっぱり減りがちょっと早い。

冷却の風が水面に流れて蒸発させているようだ。

やはり吹きつけで放熱の暖かい風が水面に流れるよりは、吸い出しにしてやった方がマシだろう。

リテールは見ての通り、ホルダも一体なので物理的に裏返しには出来ない。

でもって、ファンの極性ひっくり返して逆転させようとしたけどダメ。

手持ちのCoolerMasterのファンに交換してひっくり返した。

ついでにヒートシンクの水面に大きく開口する側をクリアファイル切って塞いだ。

今度はバッチリだろう。。



過去の写真!
良い感じに付いた(・∀・) 削るぜ! オリジナル(すり減ってる) バンジョーはあるんだがw
アクセスカウンター!
累計:
本日:
昨日:
最近のツッコミ