ssh-watcher-cli-v1.1.sh
#!/bin/bash
# https://github.com/WestleyK/ssh-watcher
# created by Westley K
# email westley@sylabs.io
# date created: Jun 21, 2018
# date updated: Jun 25, 2018
# version-1.1
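# Single-instance guard.
#
# The previous guard counted `ps aux | grep <script name>` lines and compared
# the total against a fixed threshold. That count includes the pipeline's own
# processes (so it is timing dependent) and every unrelated process whose
# command line merely contains the script name (an editor, a `tail`, another
# user's process), so the watcher could refuse to start when nothing was
# actually watching.
#
# An advisory lock held on the script file itself is released by the kernel
# when this process exits, needs no temp file, and cannot be confused by
# process names. File descriptor 9 stays open for the lifetime of the script
# on purpose: closing it would drop the lock.
if ! command -v flock > /dev/null 2>&1; then
  # Best effort: without flock(1) we cannot tell, so say so and keep going.
  echo "warning: flock not found; cannot check whether the script is already running" >&2
elif ! exec 9< "$0"; then
  echo "warning: cannot open $0 for locking; skipping the already-running check" >&2
elif ! flock -n 9; then
  echo "script already running!"
  echo "try: ps aux | grep ssh-watcher-cli-v1.1.sh"
  exit
fi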
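# Parse the single optional command-line flag ($1).
#
# Sets:
#   no_logout - "true" when logout alerts are to be suppressed, else "false".
#
# Changes from the earlier glob-based matching:
#   * `*l*` / `*o*` matched ANY argument containing the letter, so `--help`
#     (documented as "display help menu") and arbitrary typos were treated as
#     -l / -o instead of being rejected.
#   * `;&` after the -l arm fell through unconditionally, so `-l` alone also
#     switched logout alerts off. A monitoring flag must not silently disable
#     an alert the user did not ask to disable.
#   * no_logout was never initialised, so a value exported in the caller's
#     environment could suppress logout alerts.
# The combined spellings -lo / -ol are still accepted, as before.
option=$1
no_logout="false"
if [[ -n $option ]]; then
  case $option in
    -h | -help | --help)
      echo "usage: ./ssh-watcher-cli-v1.1.sh [-option]
-h | -help | --help (display help menu)
-c | -check (check and test mode) (comming soon!)
-k (stop and kill all running ssh-watcher-cli-vX.X.sh script) (comming soon!)
-l (clear terminal before running script)
-o (dont ALERT for logout)"
      exit
      ;;
    -c | -check)
      echo "this feature is comming soon! :P"
      exit
      ;;
    -k)
      echo "this feature is comming soon! :P"
      exit
      ;;
    -R)
      echo "this feature is comming soon! :P"
      exit
      ;;
    -l)
      clear
      echo "running ssh-watcher-cli-v1.1.sh"
      ;;
    -o)
      no_logout="true"
      ;;
    -lo | -ol)
      clear
      echo "running ssh-watcher-cli-v1.1.sh"
      no_logout="true"
      ;;
    *)
      echo "option not found, try: ./ssh-watcher-cli-v1.1.sh -help"
      exit
      ;;
  esac
fi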
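# ---------------------------------------------------------------------------
# Log polling.
#
# Every 5 seconds, count the lines of /var/log/auth.log that contain "New",
# "Removed" and "authentication failure", and print an ALERT for each category
# whose count grew since the previous poll.
#
# Detection gaps fixed relative to the earlier single-`reset`-flag loop:
#   * After an alert the baselines were re-read from the log one poll later,
#     so any event logged in that 5 second window was absorbed without an
#     alert. The baseline is now the exact count the comparison used.
#   * One flag held the event type, so when several categories changed in the
#     same poll only the last one was reported (a failure line would hide a
#     login in the same window). Each category is now reported on its own.
#   * When the log was rotated or truncated the counts fell below the stale
#     baselines and nothing was reported until the new file outgrew the old
#     one. A count lower than its baseline now resets that baseline to 0.
#
# NOTE(review): "New" and "Removed" are matched anywhere on a line, and some
# fields in auth.log (for example the user name of a rejected login) are
# chosen by the remote side, so lines can be made to match. Presumably the
# intent is to match session open/close records; confirm the log format on
# the target system and tighten the patterns accordingly.
# ---------------------------------------------------------------------------

auth_log=/var/log/auth.log

# Print the number of lines in the auth log that contain the fixed string $1.
# Prints 0 when the log is momentarily missing or unreadable (e.g. mid-rotation).
count_log_lines() {
  local total
  total=$(grep -a -c -F -- "$1" "$auth_log" 2> /dev/null)
  printf '%s\n' "${total:-0}"
}

# Print the token that follows the last "from " on the most recent line, among
# the final 10 lines of the log, that contains "from". This is NOT tied to the
# line that triggered the alert; it is only the nearest "from" record, and it
# is empty when none of the last 10 lines has one.
# The text comes from a log with remotely influenced content, so everything
# except host/address characters is dropped before it is printed or used.
last_remote_addr() {
  tail -- "$auth_log" 2> /dev/null \
    | grep -a 'from' \
    | tail -n 1 \
    | sed 's/.*from //' \
    | cut -f1 -d' ' \
    | tr -cd '[:alnum:].:%_-'
}

# A watcher that cannot read its log would sit there reporting nothing, which
# looks the same as "all quiet". Fail loudly at start-up instead.
if [[ ! -r $auth_log ]]; then
  echo "cannot read $auth_log, check the file's permissions" >&2
  exit 1
fi

# Baselines: the counts at start-up. Only growth beyond these is reported.
c_login=$(count_log_lines 'New')
c_logout=$(count_log_lines 'Removed')
c_failed=$(count_log_lines 'authentication failure')

while true; do
  # check the log every 5 seconds
  sleep 5s

  check_login=$(count_log_lines 'New')
  check_logout=$(count_log_lines 'Removed')
  check_failed=$(count_log_lines 'authentication failure')

  # A shrinking count means the log was rotated or truncated: every matching
  # line in the new file is unreported, so compare against 0.
  if ((check_login < c_login)); then c_login=0; fi
  if ((check_logout < c_logout)); then c_logout=0; fi
  if ((check_failed < c_failed)); then c_failed=0; fi

  # You can add your own command to any of the branches below.
  # $hack_ip is derived from log text; validate it as an address before
  # handing it to a firewall rule or any other command.
  if ((check_login > c_login)); then
    hack_ip=$(last_remote_addr)
    echo "ALERT: Someone is ssh-ing your devive, you should do somthing! there ip address:$hack_ip"
    # your command here
  fi

  if ((check_logout > c_logout)) && [[ ${no_logout:-} != "true" ]]; then
    hack_ip=$(last_remote_addr)
    echo "ALERT: Someone just stoped ssh-ing you device, you must be safe now. there ip address:$hack_ip"
    # your command here
  fi

  if ((check_failed > c_failed)); then
    hack_ip=$(last_remote_addr)
    echo "ALERT: Someone is trying to login to your device, there ip address:$hack_ip"
    # your command here
  fi

  # Advance the baselines to the counts that were just compared, so nothing
  # logged after this poll can be skipped.
  c_login=$check_login
  c_logout=$check_logout
  c_failed=$check_failed
done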