SED to add a suffix

Hi all,

I'm trying to make a proper hosts.allow with the lists of sshbl.org to block the ssh brute force attackers.

The list is a text file with an IP on every line.
What I've gotten up so far is to prefix "sshd : " on every line, but I need a " : deny" suffix behind every line as well.
How can I do this? I've made the part that is unknown to me underlined.
Code so far:

#!/usr/local/bin/bash
rm /tmp/base.txt
fetch -o /tmp/base.txt http://www.sshbl.org/lists/base.txt
rm /tmp/base.tmp
cat /tmp/base.txt | grep '[0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9]' | sed 's/^/sshd : /' > /tmp/base.tmp
cat /tmp/base.tmp | grep '[0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9]' | sed 's/???/ : deny /' > /tmp/base.tmp2
rm /etc/hosts.allow
cp /tmp/base.tmp2 /etc/hosts.allow
cat /root/SSHBL/hosts.allow >> /etc/hosts.allow

Thx for the help.

Using the first few lines as example:

$ cat base.txt
# sshbl.org
# Thu Jan 28 11:45:02 2010 CET
#
# source ip
61.155.177.2
217.120.162.182
60.191.5.181
88.77.54.74
210.21.225.204
174.34.172.133
109.123.74.86
$ awk '!/^#/{print "sshd : "$0" : deny"}' base.txt
sshd : 61.155.177.2 : deny
sshd : 217.120.162.182 : deny
sshd : 60.191.5.181 : deny
sshd : 88.77.54.74 : deny
sshd : 210.21.225.204 : deny
sshd : 174.34.172.133 : deny
sshd : 109.123.74.86 : deny

That ok?

Exactemundo!
awk it is, thx a lot (:


In case anyone cares, I added a different output, since the above command did the output to stdout instead of a file.
Here is the entire script:

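#!/usr/local/bin/bash
# Fetch the current sshbl.org list (rm -f: no error if the file is not there yet)
rm -f /tmp/base.txt
fetch -o /tmp/base.txt http://www.sshbl.org/lists/base.txt
rm -f /tmp/base.tmp
# Skip comment lines and wrap every other line as "sshd : <ip> : deny"
awk '!/^#/{print "sshd : "$0" : deny"}' /tmp/base.txt > /tmp/base.tmp
# Rebuild hosts.allow: generated deny rules first, then the local rules
rm /etc/hosts.allow
cp /tmp/base.tmp /etc/hosts.allow
cat /root/SSHBL/hosts.allow >> /etc/hosts.allow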
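
Added example, not part of the original posts: a variant of the script above that accepts a line only if it is a single dotted-quad IPv4 address, so no other text from the downloaded list can reach hosts.allow, and that replaces the target file only when at least one rule was generated. The function names, the scratch directory and the sample lines are constructed for illustration; the target path is a parameter.

```sh
#!/bin/sh
# Added example (not the thread's code). Paths and names here are assumptions.

# build_rules LIST: print "sshd : IP : deny" for each line of LIST that is
# exactly one dotted-quad IPv4 address; everything else is dropped.
build_rules() {
    awk '
    {
        sub(/\r$/, "")                    # tolerate CRLF line endings
        if ($0 !~ /^[0-9.]+$/) next       # digits and dots only; drops comments
        if (split($0, o, ".") != 4) next  # exactly four octets
        for (i = 1; i <= 4; i++)
            if (o[i] == "" || length(o[i]) > 3 || o[i] + 0 > 255) next
        print "sshd : " $0 " : deny"
    }' "$1"
}

# install_rules LIST LOCAL TARGET: write the generated rules followed by the
# local rule file LOCAL to TARGET. Work happens in a temp file beside TARGET,
# which is renamed into place only if at least one rule was produced.
install_rules() {
    list=$1 local_rules=$2 target=$3
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if build_rules "$list" > "$tmp" && [ -s "$tmp" ] &&
       cat "$local_rules" >> "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on constructed input in a scratch directory; /etc is not touched.
demo=$(mktemp -d)
printf '%s\n' '# sshbl.org' '61.155.177.2' '217.120.162.182' \
    '999.1.1.1' '60.191.5.181 trailing text' '1.2.3' > "$demo/base.txt"
# Constructed stand-in for /root/SSHBL/hosts.allow
printf '%s\n' 'ALL : ALL : allow' > "$demo/local.allow"
install_rules "$demo/base.txt" "$demo/local.allow" "$demo/hosts.allow" &&
    cat "$demo/hosts.allow"
rm -rf "$demo"
```

If the fetch fails or the list contains no valid address, install_rules returns non-zero and the existing target file stays as it was.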

However, you can get quite a bit better security by blocking these IPs with a firewall (pf or iptables) and/or moving the SSH port away from the default 22.

Hey Pludi,

Yeah I know, I always ran ssh @ 22222, but from some locations the tcp 22222 outbound was blocked, while 22 wasn't.
I'm still working to migrate from the IPFW to PF as firewall, since PF can use these kinds of files as input for firewall rules.
I also run sshguard-ipfw which puts an attacker in the IPFW firewall when guessing usernames.
So this hosts.allow is just an extra :)
Thx for the advice/thinking with me though!

I know 2 utilities against brute-force attacks (and other attacks):

  1. denyhosts : acts on /etc/hosts.deny.
  2. fail2ban : acts on iptables.

Search a bit around about those 2 and you'll find which you prefer.

Hi Frans,

I'm using sshguard already, quite similar to fail2ban, but it can be used for more services than only sshd.
Thx for your advice though!


btw Mod, the thread can be locked, I got my answer.

We're not closing down threads unless they've been silent for a certain amount of time, or the contents violate our rules. You might have your answer, but someone else might add something that another might find useful.

Ah ok, no problem :)
Didn't know that.

You can try sed -i to update the file directly.

sed  -i.bak 's/\(^[0-9].*\)/sshd : \1 : deny/'   /tmp/base.txt