We’ve noticed that most of our servers have been under heavy attack from random IP addresses to break via SSH.

With the help of the last post on how to ban an IP, and the following python script, you’ll be able to have a cronjob that runs once or twice a day and automagically bans all the offending ips from ever trying to brute force their way in ever again.

touch and make executable a file called “detect_ssh_hostiles”

touch detect_ssh_hostiles
chmod +x detect_ssh_hostiles

Then copy the following code inside:

# Usage:
# python detect_ssh_hostiles [auth.log file path]
#
# Requirement: There should be “ban_ip” and “unban_ip” command availability on the path
#
# Note: you gotta have read permissions on the auth.log file and sudo
#       permissions for the script to ban the ips.

#If an IP meets this number of failed login attemmpts it will be banned
BAN_THRESHOLD = 7
SUSPECTS = {}

#Put here IP addresses you trust, could be making genuine login errors
SAFE_IPS = ['81.73.111.49','101.73.111.160','72.31.171.235','72.36.23.234','82.36.180.210','202.132.82.16']

import os
import sys
import re

BANNED = {}
def loadBanned():
  ”’
  This function will load all the banned IPS into the BANNED Dict.
  It will also count how many times (by mistake) the same IP has
  been banned, and it will unban it, so that it will appear only once.
  ”’
  global BANNED
  command = ’sudo iptables –list –numeric’
  try:
    p = os.popen(command,’rb’)
  except Exception,e:
    print e
    sys.exit(1)

  line = ‘-’

  while line != ”:
    line = p.readline().strip()

    if line.startswith(”DROP”):
      parts = line.split()
      ip = parts[3]

      #add hit or register banned ip
      if BANNED.has_key(ip):
        BANNED[ip]+=1
      else:
        BANNED[ip]=1

  #Make sure banned IPs are banned only once
  for ip in BANNED:
    if BANNED[ip] > 1:
      print “IP %s has been banned %d times” % (ip, BANNED[ip])
      n=BANNED[ip]-1
      while n > 0:
        os.system(”unban_ip %s” % ip)
        print (”unban_ip %s” % ip)
        n=n-1

  p.close()

# —- here we go —-
loadBanned()

#read auth log
logfile = ‘/var/log/auth.log’

if len(sys.argv)==2:
  logfile = sys.argv[1]

command = ‘grep “Failed password for ” %s’ % logfile
#print command

try:
  p = os.popen(command,’rb’)
except Exception,e:
  print e
  sys.exit(1)

line = “123″

while line != ”:
  line = p.readline()

  #Sample line:
  # May 25 03:29:49 main sshd[6933]: Failed password for root from 202.118.236.132 port 54863 ssh2
  pattern = “(.*)(from\s)(\d+\.\d+\.\d+\.\d+)(.*)”
  matchObject = re.match(pattern, line)

  suspect = None
  if matchObject is not None:
    suspect = matchObject.groups()[2]

    #skip safe IPs
    if suspect in SAFE_IPS:
      continue

    if SUSPECTS.has_key(suspect):
      #add a hit
      SUSPECTS[suspect] += 1
    else:
      #add first hit
      SUSPECTS[suspect] = 1

p.close() #close the pipe

print “==”*30

import time
t = time.localtime()
#(2008, 6, 6, 9, 35, 21, 4, 158, 1)

timestr = “%d-%d-%d@%d:%d:%d” % (t[0],t[1],t[2],t[3],t[4],t[5])
print timestr
print “–”*30
if len(SUSPECTS) > 0:
  for suspect in SUSPECTS:
    if SUSPECTS[suspect] >= BAN_THRESHOLD and not BANNED.has_key(suspect):
      print “Banning %s with %d attempts” % (suspect,SUSPECTS[suspect])
      BANNED[suspect]=1
      os.system(”ban_ip %s” % suspect)
    elif BANNED.has_key(suspect):
      print “Ip %s has already been banned” % (suspect)
    else:
      print “Suspect candidate? %s with %d attempts” % (suspect,SUSPECTS[suspect])
else:
  print “Found no suspects to ban”

print “==”*30

Then add this as a cronjob of your root user, and it will automatically ban all those IPs that have tried to break in. See the script for configuration. You can always make some IPs immune to banning by adding them on the SAFE_IPS list.

Chicago, IL (PRWEB) March 27, 2008 — PyCon 2008, the annual community conference for Python developers, business leaders, and fans showcased the tremendous increase in growth among the community last week in Chicago. Attendance jumped 70 percent from 2007.

Over 1,000 people gathered at the Crowne Plaza Chicago O’Hare Hotel for PyCon 2008. The influx of proposals was so great this year that organizers could only accept half the proposals received, simply due to lack of space. Demand for tutorials, in particular, rose so high that organizers added an extra timeslot full of new sessions. Twenty-five of the 28 tutorials were sold out and there were 22 open source development sprint projects available for attendees to participate in, up from 13 in 2007. More than 270 people took part in the development sprints, which is more than attended the entire first PyCon in 2003.

The best part about PyCon is the people you get to meet
“As jam-packed as the week’s events were, a number of attendees and speakers remarked to me that they felt the conference this year was the best yet,” said PyCon 2008 chair David Goodger. “It’s great to see months of work come together and have people really enjoy it.”

PyCon 2008 is organized and run entirely by volunteers. A true grassroots movement, it is a community conference put on by the community for the community. Many attendees enjoy the numerous sessions, but more importantly, they believe the real value of the conference is the community all being there together.

“The best part about PyCon is the people you get to meet,” said Chris McAvoy, founder and president of the Chicago Python Users Group, which hosted PyCon 2008. “That, coupled with more than 1,000 attendees, compared to the 600 last year, says to me that Python is really building a market here in Chicago and elsewhere. It’s an exciting time to be a Python developer.”

PyCon 2009 will also be held in Chicago. For more information about PyCon, please visit http://us.pycon.org.

About PyCon

Presented by the Python Software Foundation, the world’s largest Python conference brings together a diverse group of developers, enthusiasts, and organizations to explore new challenges, launch new businesses and forge new connections within the Python community. PyCon provides attendees with the opportunity to delve into the dynamic programming language employed by well-known companies such as Google, Cisco, and the New York Times. PyCon helps people learn new tools and techniques, showcase projects, and meet other Python fans.

Source: PRWeb.com

This is probably everywhere, maybe python also comes with it, but I wanted to have my own implementation, and I’ll leave it here for future reference.

Basically, sometimes you don’t want to store IPs in Strings cause they take too much space, instead you want to be a good programmer and store them as 4 bytes (IPv4 that is).

So here’s a couple of functions in python to illustrate the conversion process between string to 4 byte integer, or viceversa:

def ip2num(ipString):
    if ipString is None:
        raise Exception("Invalid IP")

    try:
       octets = [octet.strip() for octet in ipString.split('.')]
    except Exception,e:
        raise e

    num = (int(octets[0])<<24) + (int(octets[1])<<16) + (int(octets[2])<<8) + int(octets[3])
    return num

def num2ip(numericIp):
    if numericIp is None or type(numericIp) != int:
        raise Exception("Invalid numeric IP. Must be an integer")
    return str(numericIp >> 24) + ‘.’ + str((numericIp >> 16) & 255) + ‘.’ + str((numericIp >> 8) & 255) + ‘.’ + str(numericIp & 255)

This is one of those things I tend to forget


>>> PyQt4.Qt.qVersion()
'4.3.3'


Here’s some code for my future reference on how to use QMutex or QMutexLocker.

Lessons Learned:
* Use QMutex to protect data, not code. Try not to lock hughe amounts of code within a function with mutex.lock(), mutex.unlock(), if for any reason you forget to release the lock you’ll be in trouble. Use the mutex directly only when you know what it is that you want to protect concurrent access from.
* When you have a complex function and you don’t want to worry about what to protect and when to release the lock (on exceptions thrown, before returns,etc), you can create an instance of QMutexLocker and it should release the mutex lock upon destruction… this takes us to the next lesson
* When using a QMutexLocker, DO NOT make the QMutexLocker an attribute of your class, otherwise, the reference will live after the method finishes and the lock won’t be released.

Here’s some code.

from PyQt4.Qt import QObject, QMutex, QApplication, QThread, QMutexLocker
import sys

class MutexTestSubject(QObject):
	'''
	Class that uses a QMutex to synchronize
        access to its add(),substract() methods.

        This works perfectly fine.
	'''
	def __init__(self):
		QObject.__init__(self)
		self.MAX_LIMIT = 100
		self.MIN_LIMIT = 0
		self.counter = 50
		self.mutex = QMutex()

	def add(self):
		self.mutex.lock()
		if self.counter < self.MAX_LIMIT:
			self.counter = self.counter + 1
		self.mutex.unlock()

	def substract(self):
		self.mutex.lock()
		if self.counter > self.MIN_LIMIT:
			self.counter = self.counter - 1
		self.mutex.unlock()

	def printStatus(self,thread):
		print “Counter:”,self.counter,” - Thread:”,id(thread)

		if self.counter > self.MAX_LIMIT+1 or self.counter < self.MIN_LIMIT:
			print "Stopping Threads, Max Surpassed, Not Thread Safe. Last Thread:",id(thread)
			sys.exit()

class MutexLockerTestSubject(QObject):
	'''
	Class that attemps to synchronize thread
 	access to its add(),substract() methods with
	the QMutexLocker object.
	'''
	def __init__(self):
		QObject.__init__(self)
		self.MAX_LIMIT = 100
		self.MIN_LIMIT = 0
		self.counter = 50
		self.mutex = QMutex()

	def add(self):
		#VIP: DO NOT MAKE mutexLocker an attribute of your class.
		#other wise it won't be destroyed and the lock will never be released.
		mutexLocker = QMutexLocker(self.mutex)
		if self.counter < self.MAX_LIMIT:
			self.counter = self.counter + 1

	def substract(self):
		mutexLocker = QMutexLocker(self.mutex)
		if self.counter > self.MIN_LIMIT:
			self.counter = self.counter - 1

	def printStatus(self,thread):
		print “Counter:”,self.counter,” - Thread:”,id(thread)

		if self.counter > self.MAX_LIMIT+1 or self.counter < self.MIN_LIMIT:
			print "Stopping Threads, Max Surpassed, Not Thread Safe. Last Thread:",id(thread)
			sys.exit()

class AdderWorker(QThread):
	def __init__(self, mutexTestObject):
		self.mutexTestObject = mutexTestObject
		QThread.__init__(self)

	def run(self):
		while(True):
			self.mutexTestObject.add()
			self.mutexTestObject.printStatus(self)

class SubstractorWorker(QThread):
	def __init__(self, mutexTestObject):
		self.mutexTestObject = mutexTestObject
		QThread.__init__(self,mutexTestObject)

	def run(self):
		while(True):
			self.mutexTestObject.substract()
			self.mutexTestObject.printStatus(self)

if __name__ == "__main__":
	USE_MUTEX_LOCKER = True #switch this to use regular mutexes vd QMutexLocker
	app = QApplication(sys.argv)
	mutexTestObject = MutexTestSubject() if not USE_MUTEX_LOCKER else MutexLockerTestSubject()

	adderThread  = AdderWorker(mutexTestObject)
	substracterThread = SubstractorWorker(mutexTestObject)

	adderThread.start()
	substracterThread.start()

	sys.exit(app.exec_())

Python binary operators are pretty much the same as in any other language, however I notice most programmers tend to waste a lot of memory by creating lots and lots of properties say in DB tables, or Objects and using the wrong datatypes. I think its elegant to use the concept of binary flags, for example, if you have an object that has around 8 or 16 boolean properties, you can store their state in 1 byte or 2 bytes (1 char or 2 char fields), and turn on/off the bits on those fields.

Usually, if you have a binary field, and you want to, turn on bits, toggle bits, and check bits, you do the following.

Suppose “config” is an 8 bit number, and you want to modify this bits individually, say config=4 (0b100) and you want to turn on the rightmost bit to have 0b101 (which is a 5) you could do the following

>>> #Uses the | operator
... def turnBitOn(config, binaryFlag):
...   return config | binaryFlag
...
>>> config = 4
>>> config = turnBitOn(config,1)
>>> print config
5

If you want to check if a Bit is turned on, just use the “&” operator, if the result is the same as the bit you’re comparing, then its turned on.

>>> def checkBit(config,binaryFlag):
...   return binaryFlag == config & binaryFlag
...
>>> print checkBit(config,1)
True
>>> print checkBit(config,2) #checks 0b010 in 0b101
False

What if you just want to toggle a bit, no matter what’s in there?
Just use binary XOR, the “^” operator.

>>> def toggleBit(config,binaryFlag):
...   return config ^ binaryFlag
...
>>> print config
5
>>> config = toggleBit(config,1)
>>> print config
4
>>> config = toggleBit(config,1)
>>> print config
5

And now, the last basic operation would be to turn off a bit. For this, you should do a NAND operation. The Binary Not in python as in most programming languages is the “~” operator. This is how you can use it to turn off bits.

You have to do it in conjunction with the & operator, sort of doing a NAND

>>> 5 & (~1)
4
>>> 5 &~ 1
4

So we could define our turnOffBit function as follows:

>>> def turnOffBit(config,binaryFlag):
...   return config & (~binaryFlag)
...
>>> print config
5
>>> config = turnOffBit(config,1)
>>> print config
4
>>> config = turnOffBit(config,1)
>>> print config
4

Hope this makes a good reference for those trying to make the most out of their bytes.