ls -l /var/log/vsftpd -> connection attempts to the system
touch parseservicelogs.sh -> parse service logs for unwelcomed connections
pico parseservicelogs.sh
#!/bin/bash
LOGFILE="/var/log/vsftpd.log"
BADNAME="anonymous"
THRESHOLD=5
grep $BADNAME $LOGFILE
#END
. parseservicelogs.sh -> all the lines containing 'anonymous' connections
. parseservicelogs.sh | wc -l -> returns the numbers of connections
The 8 and 10 columns return the info that interest us
#!/bin/bash
LOGFILE="/var/log/vsftpd.log"
BADNAME="anonymous"
THRESHOLD=5
grep $BADNAME $LOGFILE | awk '{ print $8,$12 }'#awk superios parser,
#END
. parseservicelogs.sh -> Prints [anonymous] "192.128.167.12". Very usefull for system administrators
awk '/anonymous/ { print $8,$12 }' /var/logs/vsftpd/vsftpd.log -> Prints all the lines containing [anonymous] and the "192.128.167.12" address
#!/bin/bash
LOGFILE="/var/log/vsftpd.log"
BADNAME="anonymous"
THRESHOLD=5
OFFENSES=`awk '/$BADNAME/ { print $8,$12 }' /var/logs/vsftpd/vsftpd.log | wc -l`
grep $BADNAME $LOGFILE | awk '{ print $8,$12 }'#awk superios parser
echo $OFFENSES
#END
. parseservicelogs.sh -> Prints [anonymous] "192.128.167.12". In the end we can see teh numbers of lines containing anonymous word
#!/bin/bash
LOGFILE="/var/log/vsftpd.log"
BADNAME="anonymous"
THRESHOLD=5
OFFENSES=`awk '/$BADNAME/ { print $8,$12 }' /var/logs/vsftpd/vsftpd.log | wc -l`
grep $BADNAME $LOGFILE | awk '{ print $8,$12 }'#awk superios parser
if [ $OFFENSES -gt $THRESHOLD]
then
echo $OFFENSES atempted reaches were detected | mail -s "Breach Atempt" root
fi
#END
. parseservicelogs.sh -> send email to the administrator. Check the email with 'mutt' for root
#!/bin/bash
LOGFILE="/var/log/vsftpd.log"
BADNAME="anonymous"
if [ $# != 1 ] # positional parameter
then
echo At elast 1 parameter required for THRESOLD value
exit 165
fi
THRESHOLD=$1
OFFENSES=`awk '/$BADNAME/ { print $8,$12 }' /var/logs/vsftpd/vsftpd.log | wc -l`
grep $BADNAME $LOGFILE | awk '{ print $8,$12 }'#awk superios parser
if [ $OFFENSES -gt $THRESHOLD]
then
echo $OFFENSES atempted reaches were detected | mail -s "Breach Atempt" root
fi
#END
chamod u+x ./parseservicelogs.sh
./parseservicelogs.sh -> Returns 'At elast 1 parameter required for THRESOLD value'
./parseservicelogs.sh 10 -> ROOT receives an email that can be cheked with mutt
No comments:
Post a Comment