Debian SSH failed attempts

README

ssh-fails.sh
------------

Greps the journal from the SSH service to report failed attempts to access SSH. This information can be used to apply filtering policies. Examples follow.

root@war:~# ./ssh-fails.sh 2d top 10
  17534 42.7.26.60
   2933 123.183.209.135
   2436 116.31.116.11
    167 211.140.199.244
    138 5.101.40.10
    109 117.34.117.168
     69 91.197.232.103
     44 92.87.236.69
     35 181.21.135.244
     29 103.207.39.247


root@war:~# ./ssh-fails.sh 2w top 3
  28658 42.7.26.60
   6034 123.183.209.135
   5393 58.242.83.21


root@war:~# ./ssh-fails.sh summary
SSH Failure Summary for last 2d
Generated 2017-08-07T21:08-0400

 count       ip-address ZEN XBL
------ ---------------- --- ---
 17491       42.7.26.60   y   n
  2938  123.183.209.135   y   n
  2436    116.31.116.11   y   n
   167  211.140.199.244   y   y
   138      5.101.40.10   y   y
   109   117.34.117.168   n   n
    69   91.197.232.103   y   y
    44     92.87.236.69   y   y
    35   181.21.135.244   y   y
    29   103.207.39.247   n   n
    23    181.23.23.131   y   y
    20   116.236.128.62   y   y
     7     97.79.211.38   y   y
     7   95.211.198.253   n   n
     7   93.118.171.149   y   y
     7   91.204.179.166   y   y
     7     83.144.70.10   y   y
     7      76.1.241.35   y   y
     7    64.66.226.161   y   y
     7   45.119.155.117   y   y
     

root@war:~# ./ssh-fails.sh summary 7d top 4
SSH Failure Summary for last 7d
Generated 2017-08-07T21:10-0400

 count       ip-address ZEN XBL
------ ---------------- --- ---
 28658       42.7.26.60   y   n
  6037  123.183.209.135   y   n
  5393     58.242.83.21   y   n
  5316    116.31.116.11   y   n

ssh-fails.sh

#!/usr/bin/env bash

# Copyright (c) 2017 Maxwell Bloch, All rights reserved.
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.

# Use of DNS blacklist queries is subject to applicable terms of use.

SINCE="${1:-2d}"
if [ "$SINCE" = "summary" ]; then
  SINCE="2d"
fi

fails() {
  journalctl -u ssh.service --since="-${SINCE}" \
    | grep -i fail \
    | egrep 'from ([^ ]+)' \
    | grep -v "Read from socket failed" \
    | sed -r -e 's!(.{15}).*: (Disconnecting: )?(.*) for (invalid user )?([^ ]*) from ([^ ]+).*!\6,\1,\4\5,\3!' \
             -e 's!(.{15}).*: (.*) from ([^:]+).*: (.*)!\3,\1,,\4!' \
    | sort -t , -k 1V
}

topfails() {
  TOP="${1:-20}"
  fails | cut -d, -f1 | uniq -c | sort -rg | head -n $TOP
}

checklist() {
  ip=$1
  list=${2:-zen}
  rev=`echo $ip | awk 'BEGIN { FS="." ; OFS="." } { print $4,$3,$2,$1 }'`
  nslookup ${rev}.${list}.spamhaus.org >/dev/null && echo y || echo n
}

if [ "$1" = "summary" ]; then
  SINCE=${2:-$SINCE}
  if [ "$3" = "top" ]; then
    TOP="${4:-20}"
  fi

  echo "SSH Failure Summary for last $SINCE"
  echo "Generated `date -Im`"
  echo ""
  echo     " count       ip-address ZEN XBL"
  echo     "------ ---------------- --- ---"

  topfails $TOP | while read c i; do
    zen=`checklist $i zen`
    xbl=`checklist $i xbl`
    printf "%   6d %            16s %3s %3s\n" \
      $c $i $zen $xbl
  done
  echo ""
elif [ "$2" = "top" ]; then
  topfails $3
else
  fails
fi