Scripts to find and verify SSH logins to other machines by hacking back via Kippo


First, log all connection attempts to the server (a live host or a fresh virtual machine) with the SSH honeypot package Kippo – http://code.google.com/p/kippo/. Kippo accepts the attacker's password guesses and writes one line per attempt, with the source IP, username and password, to its log/kippo.log.


Then create this file, which I called grab_ssh_info.sh.

```bash
#!/bin/bash
# grab_ssh_info.sh

# Kippo writes the date at the start of every log line as YYYY-MM-DD.
todays_date=$(date +%Y-%m-%d)

# Only read today's lines and loop over each one.
grep -i "$todays_date" /home/kris/kippo-0.5/log/kippo.log | while read -r line; do

    # Only read the lines that contain login auths and IPs. All in one line in this case.
    # (match expression missing from the page)
    if [[  ]]; then
        # Cut out the different parts. (cut expressions missing from the page)
        inIP=
        inUSER=
        inPASS=

        # Throw it all together for outputting to a log of my own.
        output="$inIP|$inUSER|$inPASS"
        #echo "$output"

        # If we do not already have it in the log, append the info to it.
        if [ ! -e /root/scripts/kippo_ssh_auths.log ]; then
            touch /root/scripts/kippo_ssh_auths.log
        fi

        # Whole-line, fixed-string match: a plain grep would treat the dots in the IP
        # as wildcards and would also match a longer password with the same prefix.
        if ! grep -qxF -- "$output" /root/scripts/kippo_ssh_auths.log; then
            echo "$output" >> /root/scripts/kippo_ssh_auths.log
        fi
    fi
done
```


Then the copy of the auth log written above (/root/scripts/kippo_ssh_auths.log) is used to try to connect BACK to the door knocker's machine with each ip|user|pass record and see whether the login works.
If it does, the record is added to a success log (if it is not already there) and the script goes on to the next one.
If it fails, the record is ignored; it disappears when the copy of the log file is deleted at the end of the script.
I call this file test_ssh_info.sh.
Bear in mind that authenticating to someone else's host with the credentials they tried on yours is unauthorised access in most jurisdictions, whoever knocked first, and that the source address is very often itself a compromised machine rather than the attacker's own.


A small script (start_kippo.sh) for cron to make sure Kippo is still running.
I noticed that the small VPS I was running would kill Kippo once in a while because I ran out of memory (32MB) and swap (32MB). So I tested every minute to see if it needed starting again.
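The watchdog below is an added example, not the author's start_kippo.sh. It assumes that Kippo is started with its own start.sh inside the Kippo directory and that this leaves a kippo.pid file there (the twistd pidfile); the path /home/kris/kippo-0.5 is the one used in the post and can be overridden with the KIPPO_DIR environment variable. The point it adds is the stale-pidfile case: when the kernel kills Kippo for lack of memory, kippo.pid survives, so the script checks the pid inside the file rather than the file's existence and removes the file before restarting.

```bash
#!/bin/bash
# Added example, not the post's start_kippo.sh. Assumes Kippo's start.sh writes
# kippo.pid in the Kippo directory (twistd --pidfile).

KIPPO_DIR=${KIPPO_DIR:-/home/kris/kippo-0.5}   # path from the post; override via environment
PIDFILE="$KIPPO_DIR/kippo.pid"

# kippo_running PIDFILE: returns 0 if the pidfile names a live process, 1 otherwise.
# An OOM-killed Kippo leaves the pidfile behind, so the file alone proves nothing;
# kill -0 checks that the pid exists without sending it a signal.
kippo_running() {
    local pidfile="$1" pid
    [ -r "$pidfile" ] || return 1
    pid=$(tr -dc '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# ensure_kippo DIR PIDFILE: start Kippo if it is not running.
# Returns 0 when Kippo is up on exit, 1 when it could not be started.
ensure_kippo() {
    local dir="$1" pidfile="$2"
    if kippo_running "$pidfile"; then
        echo "kippo running (pid $(cat "$pidfile"))"
        return 0
    fi
    # Stale pidfile from the last kill: remove it so the fresh start is not confused by it.
    rm -f "$pidfile"
    echo "kippo not running, starting"
    if ! (cd "$dir" && ./start.sh); then
        echo "start.sh failed" >&2
        return 1
    fi
    sleep 2   # give twistd time to daemonise and write its pidfile
    kippo_running "$pidfile"
}

# Entry point for cron, e.g.  * * * * * /root/scripts/start_kippo.sh >> /root/scripts/start_kippo.log 2>&1
if [ -d "$KIPPO_DIR" ]; then
    ensure_kippo "$KIPPO_DIR" "$PIDFILE"
else
    echo "no such Kippo directory: $KIPPO_DIR" >&2
fi
```

If start.sh can take longer than the cron interval on a starved box, wrap the cron command in flock(1) so two runs do not race each other on the pidfile.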


Set your log rotation to cycle the Kippo log every 24 hours, or these scripts will keep re-testing the same SSH connections.
Run them from cron whenever suits; I recommend just before the logrotate cycle. Just make sure they are sequenced right: run the grab script first, then the test script.


Kippo scripts


This gathers the IP addresses and the usernames and passwords used in the login attempts against my machines.

```bash
#!/bin/bash
# Kippo writes the date at the start of every log line as YYYY-MM-DD.
todays_date=$(date +%Y-%m-%d)

# Only read today's lines and loop over each one.
grep -i "$todays_date" /home/kris/kippo-0.5/log/kippo.log | while read -r line; do

    # Only read the lines that contain login auths and IPs. All in one line in this case.
    # (match expression missing from the page)
    if [[  ]]; then
        # Cut out the different parts. (cut expressions missing from the page)
        inIP=
        inUSER=
        inPASS=

        # Throw it all together for outputting to a log of my own.
        output="$inIP|$inUSER|$inPASS"
        echo "$output"

        # If we do not already have it in the log, append the info to it.
        # (test expression missing from the page)
        if [ !  ]; then
            echo "$output" >> /root/kippo_ssh_auths.log
        fi
    fi
done
```
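In both posts the grab script lost its match and cut expressions on the way to the page. The version below is an added example that serves both the grab_ssh_info.sh of the first post and the script just above, and it is not the author's code: it assumes the Kippo 0.5 log format, in which every password guess is logged on one line as `<date> <time> [SSHService ssh-userauth on HoneyPotTransport,<session>,<ip>] login attempt [<user>/<pass>] failed` (or `succeeded`), and it runs over constructed sample lines rather than a real kippo.log. The functions `parse_auth_line` and `extract_auths` and the sample data are this example's own.

```bash
#!/bin/bash
# Added example, not the post's grab_ssh_info.sh. Assumed Kippo 0.5 log line for a guess:
#   <date> <time> [SSHService ssh-userauth on HoneyPotTransport,<session>,<ip>] login attempt [<user>/<pass>] failed|succeeded

# Constructed sample of a kippo.log (not from a real honeypot). The repeated
# root/123456 line and the second day exercise the dedup and the date filter.
SAMPLE_LOG=$(cat <<'EOF'
2013-03-22 11:05:10+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.5:51234 (10.0.0.1:2222) [session: 1]
2013-03-22 11:05:11+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] root trying auth password
2013-03-22 11:05:11+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2013-03-22 11:05:12+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [root/123456] failed
2013-03-22 11:05:13+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.5] login attempt [admin/Pa55/w0rd] succeeded
2013-03-23 02:00:00+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [oracle/oracle] failed
EOF
)

# parse_auth_line LINE: prints "ip|user|pass" for a login-attempt line, returns 1 for any other line.
parse_auth_line() {
    local line="$1" ip cred user pass
    case "$line" in
        *'] login attempt ['*) ;;
        *) return 1 ;;
    esac
    ip=${line%%]*}                    # everything before the first ']'
    ip=${ip##*,}                      # ... of which the part after the last ','
    cred=${line#*'login attempt ['}
    cred=${cred%]*}                   # drop "] failed" / "] succeeded"; a ']' inside the password survives
    user=${cred%%/*}                  # a username cannot contain '/', so split at the first one
    pass=${cred#*/}                   # the password keeps any further '/'
    printf '%s|%s|%s\n' "$ip" "$user" "$pass"
}

# extract_auths DATE LOGFILE OUTFILE: append each ip|user|pass seen on DATE that is not yet in OUTFILE.
extract_auths() {
    local day="$1" logfile="$2" outfile="$3" line rec
    touch "$outfile"
    grep -F -- "$day" "$logfile" | while IFS= read -r line; do
        rec=$(parse_auth_line "$line") || continue
        # -x -F: whole-line, fixed-string match. A plain grep would treat the dots in
        # the IP as wildcards, and "root|abc" would also match "root|abcd".
        grep -qxF -- "$rec" "$outfile" || printf '%s\n' "$rec" >> "$outfile"
    done
}

# Demo on the constructed sample; run twice to show that nothing is appended twice.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$demo_dir/kippo.log"
extract_auths 2013-03-22 "$demo_dir/kippo.log" "$demo_dir/kippo_ssh_auths.log"
extract_auths 2013-03-22 "$demo_dir/kippo.log" "$demo_dir/kippo_ssh_auths.log"
cat "$demo_dir/kippo_ssh_auths.log"
```

For the cron job the call is `extract_auths "$(date +%Y-%m-%d)" /home/kris/kippo-0.5/log/kippo.log /root/scripts/kippo_ssh_auths.log`. The record format keeps the post's `|` separator, so a password that itself contains `|` will not split cleanly on the way back out; a tab or NUL separator avoids that if the success log is ever parsed by another tool.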

