more fail2ban tests for ctsc demo

221f350d · Alexander Withers · ae72f44d · 221f350d · 221f350d · 221f350d
Commit 221f350d authored Oct 04, 2017 by Alexander Withers
--- a/fail2ban/README.md
+++ b/fail2ban/README.md
+Experimental fail2ban work for ssh intel.
--- a/fail2ban/jail.local
+++ b/fail2ban/jail.local
+
+[sshsub]
+enabled = true
+port    = ssh
+logpath = /tmp/ssh.txt
+banaction = ufw
+
--- a/fail2ban/sshsub.conf
+++ b/fail2ban/sshsub.conf
+# Fail2Ban filter for subssh.py
+
+[Definition]
+
+failregex = \S+: request with password <HOST> -> \S+ \S+ using \S+\s*$
+
+ignoreregex = 
+
--- a/sshsub.py
+++ b/sshsub.py
@@ -5,10 +5,12 @@ import zmq
 import time
 import json
 import signal
+from datetime import datetime
+

 host='localhost'

-file = open("ssh.txt","w+")
+file = open("/tmp/ssh.txt","a+")

 def handle_intr(signal, frame):
    print('Ctrl+C caught, exiting...')
@@ -44,7 +46,9 @@ def show_ssh(topic, who, messagedata):
        if 'password' in rec['additional_data']:
            out += " {duser}:{password} using {client_version}".format(**rec['additional_data'])
    print(prefix, out)
-    file.write(prefix+" "+out+"\n")
+    # this is confusing: time that event was logged, not when it occured
+    logtime = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
+    file.write(logtime+" "+prefix+" "+out+"\n")

 def main():
    topics = sys.argv[1:]