FINAL ROOT -LOGIN FAILURE -SUCCESSFUL ONE - SPIDERMAN
#!/bin/bash
# Server Tested : compute90-cc : 8.25.218.59 10.170.16.186 : compute90-cc.packet8-pilot.net :ssobeta04-cc : capture_root_logging_failures.sh
##### -- Author of Script - Sreejith Balakrishnan
##### Purpose : 1. This script captures failed logins by the root user: cases where the user fails to connect successfully in the first 5 attempts
##### 2. And only if those 5 failed attempts happen within a 15 min window -- in such cases logs are generated
#set -x
###-----------------
##### Declarations :
###-----------------
##### -- Put in the number of Failed Login Attempts you want to capture
attempted_counts=5
##### -- Time in seconds within which the count of login attempts(attempted_counts) to be captured
seconds=900
###------------------------
##### End of Declarations :
###------------------------
root_login(){
#rm -Rf /tmp/logins_1.log
#rm -Rf /tmp/logins_2.log
#rm -Rf /tmp/logins_11.log
#rm -Rf /tmp/logins_111.log
#rm -Rf /tmp/logins_12.log
#rm -Rf /tmp/logins_122.log
rm -Rf /tmp/LOGIN_FAILED_DETAILS1.log
rm -Rf /tmp/LOGIN_FAILED_DETAILS2.log
rm -Rf /tmp/LOGIN_FAILED_ROOT.log
rm -Rf /tmp/LOGIN_FAILED_DETAILS.log
rm -Rf /var/log/LOGIN_FAILED_ROOT.log
rm -Rf /var/log/total_login_attempts_root.log
today=`date`
echo " "
echo "--------------------------------------------------------------------------------------"
echo "System Date and Time : $today "
echo "--------------------------------------------------------------------------------------"
echo " "
date | awk '{print $2}' > /tmp/logins_1.log
value1=`cat /tmp/logins_1.log`
date | awk '{print $3}' > /tmp/logins_2.log
value2=`cat /tmp/logins_2.log`
lastb -F | awk '{print $11}' >> /tmp/logins_11.log
head -n 1 /tmp/logins_11.log > /tmp/logins_111.log
value11=`cat /tmp/logins_111.log`
lastb -F | awk '{print $12}' >> /tmp/logins_12.log
head -n 1 /tmp/logins_12.log > /tmp/logins_122.log
value12=`cat /tmp/logins_122.log`
if [ "${value2}" == "${value12}" ]
then
if [ "${value1}" == "${value11}" ]
then
####--Failed Login Attempts by users ------------------------------------------------------
lastb -F >> /tmp/LOGIN_FAILED_DETAILS.log
####Today's Date is extracted -------------------------------------------------------------
cat /tmp/LOGIN_FAILED_DETAILS.log | grep -wi ${value12} >> /tmp/LOGIN_FAILED_DETAILS1.log
cat /tmp/LOGIN_FAILED_DETAILS1.log | grep -wi "$value11" >> /tmp/LOGIN_FAILED_DETAILS2.log
####--filtering root user -----------------------------------------------------------------
sed -n '/root/p' /tmp/LOGIN_FAILED_DETAILS2.log >> /tmp/LOGIN_FAILED_ROOT.log
if [ -s /tmp/LOGIN_FAILED_ROOT.log ]
then
cp /tmp/LOGIN_FAILED_ROOT.log /var/log/LOGIN_FAILED_ROOT.log
cat /var/log/LOGIN_FAILED_ROOT.log
cat /var/log/LOGIN_FAILED_ROOT.log | wc -l > /var/log/total_login_attempts_root.log
attempts=`cat /var/log/total_login_attempts_root.log`
echo " "
echo " "
echo "--------------------------------------------------------------------------------------"
echo "Total Number of Failed login attempts by Root User : $attempts"
echo "--------------------------------------------------------------------------------------"
echo " "
fi
fi
else
echo " "
echo "-------------------------------------------------------------------------------"
echo "No Failed login found for root user today : `date`"
echo "-------------------------------------------------------------------------------"
echo " "
fi
}
####
#### -- Converting Time to Seconds for calculation & checking if attempts were within 15 minutes
####
convert_time_seconds() {
#!/bin/bash
rm -Rf /tmp/logins1_1.log
rm -Rf /tmp/logins1_2.log
rm -Rf /tmp/logins1_11.log
rm -Rf /tmp/logins1_111.log
rm -Rf /tmp/logins1_12.log
rm -Rf /tmp/logins1_122.log
rm -Rf /tmp/failed_logins1_1.log
rm -Rf /tmp/failed_logins_today1_1.log
rm -Rf /tmp/failed_logins_today1_2.log
rm -Rf /tmp/failed_logins_today1_3.log
rm -Rf /tmp/time_first_line1_1.log
rm -Rf /tmp/time_first_line1_2.log
rm -Rf /tmp/time_last_line1_2.log
rm -Rf /tmp/time_second_line1_3.log
rm -Rf /tmp/failed_logins_today1_4.log
rm -Rf /tmp/failed_logins_today1_5.log
rm -Rf /tmp/failed_logins_today1_4.log
rm -Rf /tmp/failed_logins_today1_5.log
rm -Rf /tmp/failed_logins_today1_6.log
rm -Rf /tmp/failed_logins_today1_7.log
date | awk '{print $2}' > /tmp/logins1_1.log
value1=`cat /tmp/logins1_1.log`
date | awk '{print $3}' > /tmp/logins1_2.log
value2=`cat /tmp/logins1_2.log`
lastb -F | awk '{print $11}' >> /tmp/logins1_11.log
head -n 1 /tmp/logins1_11.log > /tmp/logins1_111.log
value11=`cat /tmp/logins1_111.log`
lastb -F | awk '{print $12}' >> /tmp/logins1_12.log
head -n 1 /tmp/logins1_12.log > /tmp/logins1_122.log
value12=`cat /tmp/logins1_122.log`
####--Failed Login Attempts by users ------------------------------------------------------
lastb -F > /tmp/failed_logins1_1.log
####Today's Date is extracted -------------------------------------------------------------
cat /tmp/failed_logins1.log | grep -wi ${value12} >> /tmp/failed_logins_today1_1.log
cat /tmp/failed_logins_today_1.log | grep -wi "$value11" >> /tmp/failed_logins_today1_2.log
####--filtering root user -----------------------------------------------------------------
awk '/root/{print}' /tmp/failed_logins_today1_2.log > /tmp/failed_logins_today1_3.log
#awk -n '/root/p' /tmp/failed_logins_today1_2.log > /tmp/failed_logins_today1_3.log
if [ "${value2}" == "${value12}" ]
then
if [ "${value1}" == "${value11}" ]
then
cat /tmp/failed_logins_today1_3.log | awk '{print $7}' > /tmp/failed_logins_today1_4.log
head -n 1 /tmp/failed_logins_today1_4.log > /tmp/failed_logins_today1_5.log
cat /tmp/failed_logins_today1_3.log | sed -n '5p' | awk '{print $7}' > /tmp/failed_logins_today1_7.log
if [ -s "/tmp/failed_logins_today1_5.log" ] && [ -s "/tmp/failed_logins_today1_7.log" ]
then
TIME1=`cat /tmp/failed_logins_today1_5.log`
TIME2=`cat /tmp/failed_logins_today1_7.log`
# Convert the times to seconds from the Epoch
SEC1=`date +%s -d ${TIME1}`
SEC2=`date +%s -d ${TIME2}`
# Use expr to do the math, let's say TIME1 was the start and TIME2 was the finish
DIFFSEC=`expr ${SEC1} - ${SEC2}`
echo "--------------------------------------------------------------------------------------"
echo ""
echo " ### *** THIS LOG IS CAPTURED *** ### "
echo " ### When a *root* user makes 5 failed login attempts ### "
echo " ### within 15 minutes (900 Seconds) window ### "
echo ""
echo "--------------------------------------------------------------------------------------"
echo "--------------------------------------------------------------------------------------"
echo " ** Found 5 or more 'Failed Login attempts by user *root*' in : ${DIFFSEC} seconds ** "
echo "--------------------------------------------------------------------------------------"
how_many_sec=`echo ${DIFFSEC}`
if [ $how_many_sec -le $seconds ]
then
root_login
else
echo " "
echo "----------------------------------------------------------------------------------- "
echo " *** The 5 failed attempts by the root users were not with in 15 Minutes *** "
echo "----------------------------------------------------------------------------------- "
echo " "
fi
else
echo " "
echo "------------------------------------------------------------------------------------------"
echo " *** No Logs to capture as Counts of Logins or Condition of 15 Minutes don't Match *** "
echo "------------------------------------------------------------------------------------------"
echo " "
fi
fi
fi
}
####
#### -- Check whether the number of failed login attempts is 5 or more
####
check_condition() {
rm -Rf /tmp/logins_1.log
rm -Rf /tmp/logins_2.log
rm -Rf /tmp/logins_11.log
rm -Rf /tmp/logins_111.log
rm -Rf /tmp/logins_12.log
rm -Rf /tmp/logins_122.log
rm -Rf /tmp/failed_logins_today_1.log
rm -Rf /tmp/failed_logins_today_2.log
rm -Rf /tmp/failed_logins1.log
rm -Rf /tmp/failed_logins2.log
date | awk '{print $2}' > /tmp/logins_1.log
value1=`cat /tmp/logins_1.log`
date | awk '{print $3}' > /tmp/logins_2.log
value2=`cat /tmp/logins_2.log`
lastb -F | awk '{print $11}' >> /tmp/logins_11.log
head -n 1 /tmp/logins_11.log > /tmp/logins_111.log
value11=`cat /tmp/logins_111.log`
lastb -F | awk '{print $12}' >> /tmp/logins_12.log
head -n 1 /tmp/logins_12.log > /tmp/logins_122.log
value12=`cat /tmp/logins_122.log`
####--Failed Login Attempts by users ------------------------------------------------------
lastb -F > /tmp/failed_logins1.log
####Today's Date is extracted -------------------------------------------------------------
cat /tmp/failed_logins1.log | grep -wi ${value12} >> /tmp/failed_logins_today_1.log
cat /tmp/failed_logins_today_1.log | grep -wi "$value11" >> /tmp/failed_logins_today_2.log
####--filtering root user -----------------------------------------------------------------
awk '/root/{print}' /tmp/failed_logins1.log >> /tmp/failed_logins2.log
lines_in_file=`wc -l < /tmp/failed_logins_today_2.log`
count_of_attempts=$lines_in_file
if [ $count_of_attempts -ge $attempted_counts ]
then
if [ "${value2}" == ${value12} ] && [ "${value1}" == "${value11}" ]
then
convert_time_seconds
else
echo "----------------------------------------------------------------------------------- "
echo " No Failed Logins found *Today* according to the condition "
echo "----------------------------------------------------------------------------------- "
fi
else
echo "-------------------------------------------------------------------------------------- "
echo " No Failed Login attempts found *Today* according to the condition "
echo " There must be 5 Failed Login Attempts by user *root* within 15 minutes "
echo " window to capture the information "
echo "-------------------------------------------------------------------------------------- "
fi
}
check_condition