OS X Snitch Script

I have SSH enabled on one of my OS X servers and have always been mindful of the logs, monitoring attempts to brute-force their way into my machine. I have been careful and hopefully have a fairly strong setup that should not be trivial to crack.

To help me watch the logs I created this very simple script that I run to notify me of any break-in attempts:

I call the script “Snitch”.

#!/bin/bash
# Snitch: count SSH login failures per source IP in the OS X system log.
# "Illegal" lines: the source IP is the 12th whitespace-separated field.
grep 'Illegal' /private/var/log/system.log | awk '{print $12}' | sort | uniq -c
# "Failed password" lines: the source IP is the 13th field; most frequent first.
grep 'Failed password' /private/var/log/system.log | awk '{print $13}' | sort | uniq -c | sort -nr

The script looks through the system log, finds any illegal or failed login attempts, and counts the number of times each IP has attempted to gain entry (since the log last rolled over). The output of the above script looks like this:
10 202.104.xxx.xxx
12 200.129.xxx.xxx
6  200.124.xxx.xxx

*note: I have not displayed the last two octets of the IP for privacy reasons.
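As an added example (not the original Snitch script), here is the same log check written to extract the source address with a regular expression instead of awk's positional fields, so it also handles the "invalid user" variant of the Failed password line, where the field count shifts. The log lines below are constructed samples in the system.log format, using documentation address ranges.

```shell
#!/bin/bash
# Added example, not the page's own Snitch script: count failed SSH logins per
# source IP by matching the address with a regex rather than a fixed field number.

# Constructed sample system.log lines (made-up documentation addresses).
SAMPLE_LOG='Mar  3 10:01:12 pine sshd[4411]: Failed password for root from 203.0.113.7 port 40110 ssh2
Mar  3 10:01:15 pine sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Mar  3 10:02:02 pine sshd[4420]: Illegal user oracle from 198.51.100.23
Mar  3 10:02:40 pine sshd[4425]: Failed password for invalid user test from 198.51.100.23 port 51002 ssh2
Mar  3 10:03:01 pine sshd[4430]: Accepted publickey for bob from 192.0.2.10 port 22000 ssh2
Mar  3 10:03:10 pine sshd[4431]: Failed password for bob from 203.0.113.7 port 40112 ssh2'

# Read log text on stdin; print "count ip" lines, most frequent first.
count_failures() {
  grep -E 'sshd\[[0-9]+\]: (Failed password|Illegal user)' \
    | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk '{print $2}' \
    | sort | uniq -c | sort -nr \
    | awk '{print $1, $2}'
}

# Failure count for a single IP in the sample log (0 if it never failed).
failures_for() {
  ip="$1"
  printf '%s\n' "$SAMPLE_LOG" | count_failures \
    | awk -v ip="$ip" '$2 == ip {print $1; found=1} END {if (!found) print 0}'
}

# Report over the sample: successful logins (Accepted ...) are not counted.
printf '%s\n' "$SAMPLE_LOG" | count_failures
```

Point the same pipeline at the real log with `count_failures < /private/var/log/system.log`.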

Anywhoo, this page is more for me in case I ever need to reference back to the code. However, if you stumbled onto it and found it helpful, great. 🙂

M0n0ban

This is a quick script I stuck together to help me quickly ban IP addresses using my M0n0wall. I run this script from my Mac, however I needed to install wget in order to get it to work. I used info and code from this page to put this together: http://wiki.m0n0.ch/wikka.php?wakka=PoorMansTimeBasedRules

To run the script: /usr/bin/m0n0ban.command 200.xxx.xxx.xxx

#!/bin/bash
# /usr/bin/m0n0ban.command
# Ban one IP address on the m0n0wall by adding an ipfw deny rule via exec_raw.php.
badIP=$1
if [ -z "$badIP" ]; then
  echo "usage: $0 <ip-address>" >&2
  exit 1
fi
echo "~*~*~*~*~*"
echo " Are you sure you want to ban $badIP?"
echo " Press enter to continue or CTRL+C to quit"
echo "~*~*~*~*~*"
read
echo "Banning $badIP"
# Every ban uses rule number 5 so the whole ban list can be shown with one command.
wget -qO /dev/null "http://10.0.0.1/exec_raw.php?cmd=ipfw add 5 deny all from $badIP to any"
echo "Complete..."
echo "Current ruleset:"
wget -q -O ~/banned.txt "http://10.0.0.1/exec_raw.php?cmd=ipfw show 5"
cat ~/banned.txt

The command line interaction looks like this:
pine$ ./m0n0ban.command 201.216.x.205
~*~*~*~*~*
 Are you sure you want to ban 201.216.xx.205?
 Press enter to continue os CTRL+C to quit
~*~*~*~*~*

Banning 201.216.xx.205
Complete...

Current ruleset:
00005       0         0 deny ip from 200.129.xx.107 to any
00005       0         0 deny ip from 218.108.xx.121 to any
00005       0         0 deny ip from 201.216.xx.205 to any