Date:      Sun, 11 Feb 2007 14:00:26 GMT
From:      Tim <cyberlord@cyber-wizard.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/109047: cut utility reads off by one place when day (date) is a double digit
Message-ID:  <200702111400.l1BE0Q3F007822@www.freebsd.org>
Resent-Message-ID: <200702111410.l1BEA6ed009411@freefall.freebsd.org>


>Number:         109047
>Category:       misc
>Synopsis:       cut utility reads off by one place when day (date) is a double digit
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 11 14:10:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Tim
>Release:        FreeBSD 5.4-RELEASE
>Organization:
n/a
>Environment:
FreeBSD hercmud.net 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun Sep 18 21:04:28 UTC 2005
>Description:
When the day (date) reaches double digits the cut utility/program somehow reads the field as off by one. I'm not sure if this is a problem with the auth.log or with cut itself but my bet is on cut. 

I have a script that reads auth.log and filters out bad login attempts and writes to hosts.allow. When the date reaches double digits I have to adjust my script accordingly.

Here is the offending line in my script.

for IP in `grep sshd /var/log/auth.log|grep "illegal user"|cut -d " " -f14` 0.0.0.0; do

I have to change the -f14 to -f13 during double digit days and then again when the month rolls over set it back to -f14.

Not only is having to edit the script twice a month annoying, it shortens the length of time one can deny a host that attempts login during the single digit days. Once I adjust the offending line to compensate for the double digit day it incorrectly reads the single digit day lines.
>How-To-Repeat:

>Fix:
Run the following script on single and double days:

#!/usr/local/bin/bash
LAST_IP=0.0.0.0
COUNT=1

# Set MAXCOUNT to the maximum failures allowed before blacklisting
# Remember though, the script gets run once per minute from cron, so
# technically the hacker has about 1 minute at maximum to attempt login
# and that really is the limiting factor in limiting the length of the attack
MAXCOUNT=5

for IP in `grep sshd /var/log/auth.log|grep "illegal user"|cut -d " " -f14` 0.0.0.0; do
  if [ ${LAST_IP} == ${IP} ]; then
     let COUNT=${COUNT}+1
  else
     if [ ${COUNT} -ge ${MAXCOUNT} ]; then
#        echo "sshd: ${LAST_IP} : deny"
# Now echo some output for crontab to email to you once in a while - comment it out if you don't care
        echo ${COUNT} attempts from ${LAST_IP}
     fi
     LAST_IP=${IP}
     COUNT=1
  fi
done
>Release-Note:
>Audit-Trail:
>Unformatted:
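
An added example, not part of the original report: syslog pads a single-digit day with a space ("Feb  9"), and `cut -d " "` counts every single space as a delimiter, so the address sits in field 14 on those days and field 13 otherwise. The sketch below reproduces that on constructed log lines and then reads the address by position relative to the word "from", counting total attempts per address rather than consecutive runs. The host name `host`, the documentation-range addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example; log lines are constructed, not taken from the report.
LC_ALL=C; export LC_ALL

# Five attempts on a single-digit day, five on a double-digit day,
# and one stray attempt that stays below the threshold.
sample_log() {
  for i in 1 2 3 4 5; do
    echo "Feb  9 12:00:0$i host sshd[100$i]: Failed password for illegal user admin from 192.0.2.10 port 400$i ssh2"
    echo "Feb 10 12:00:0$i host sshd[200$i]: Failed password for illegal user test from 198.51.100.7 port 500$i ssh2"
  done
  echo "Feb 10 12:01:00 host sshd[3001]: Failed password for illegal user guest from 203.0.113.5 port 6001 ssh2"
}

# What the script's pipeline extracts: the padding space in "Feb  9"
# creates an empty field, so field 14 is the address on that day only.
cut_f14() {
  sample_log | grep sshd | grep "illegal user" | cut -d " " -f14 |
    sort -u | paste -sd' ' -
}

# Position-independent extraction. awk's default splitting collapses
# runs of blanks, and the address is located as the token after "from".
# The scan runs from the end of the line because the user name earlier
# in the line is client-supplied text; the tail is written by sshd.
# Prints "COUNT ADDRESS" for every address with at least $1 attempts.
offenders() {
  max=${1:-5}
  awk -v max="$max" '
    /sshd/ && /illegal user/ {
      for (i = NF - 1; i >= 1; i--)
        if ($i == "from") {
          if ($(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[$(i + 1)]++
          break
        }
    }
    END { for (ip in n) if (n[ip] >= max) print n[ip], ip }' | sort -k2
}

echo "cut -f14 yields: $(cut_f14)"
sample_log | offenders 5
```

On a live system the input would be `offenders 5 < /var/log/auth.log` in place of `sample_log`.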


