Date: Sun, 11 Feb 2007 14:00:26 GMT From: Tim<cyberlord@cyber-wizard.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/109047: cut utility reads off by one place when day (date) is a double digit Message-ID: <200702111400.l1BE0Q3F007822@www.freebsd.org> Resent-Message-ID: <200702111410.l1BEA6ed009411@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 109047 >Category: misc >Synopsis: cut utility reads off by one place when day (date) is a double digit >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Feb 11 14:10:05 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Tim >Release: FreeBSD 5.4-RELEASE >Organization: n/a >Environment: FreeBSD hercmud.net 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun Sep 18 21:04:28 UTC 2005 >Description: When the day (date) reaches double digits the cut utility/program somehow reads the field as off by one. I'm not sure if this is a problem with the auth.log or with cut itself but my bet is on cut. I have a script that reads auth.log and filters out bad login attempts and writes to hosts.allow. When the date reaches double digits I have to adjust my script accordingly. Here is the offending line in my script. for IP in `grep sshd /var/log/auth.log|grep "illegal user"|cut -d " " -f14` 0.0.0.0; do I have to change the -f14 to -f13 during double digit days and then again when the month rolls over set it back to -f14. Not only is having to edit the script twice a month annoying, it shortens the length of time one can deny a host that attempts login during the single digit days. Once I adjust the offending line to compensate for the double digit day it incorectly reads the single digit day lines. >How-To-Repeat: >Fix: Run the following script on single and double days: #!/usr/local/bin/bash LAST_IP=0.0.0.0 COUNT=1 # Set MAXCOUNT to the maximum failures allowed before blacklisting # Remember though, the script gets run once per minute from cron, so # tecnically the hacker has about 1 minute at maximum to attempt login # and that really is the limiting factor in limiting the length of the attack MAXCOUNT=5 for IP in `grep sshd /var/log/auth.log|grep "illegal user"|cut -d " " -f14` 0.0.0.0; do if [ ${LAST_IP} == ${IP} ]; then let COUNT=${COUNT}+1 else if [ ${COUNT} -ge ${MAXCOUNT} ]; then # echo "sshd: ${LAST_IP} : deny" # Now echo some output for crontab to email to you once in a while - comment it out if you don't care echo ${COUNT} attempts from ${LAST_IP} fi LAST_IP=${IP} COUNT=1 fi done >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200702111400.l1BE0Q3F007822>