add ssh identities to your ssh agent when you start your bash session

Put this somewhere on your .bash_profile

[bash]
function addSSHIdentities() {
pushd ~/.ssh
#add all your keys here
ssh-add some_private_key
ssh-add some_private_key_2
ssh-add some_private_key_3

ssh-add some_private_key_N
popd
}

function startSSHAgent() {
SSH_AGENT_PROCESSES=`ps aux | grep ssh-agent | grep -v grep | wc -l`

if [ $SSH_AGENT_PROCESSES -gt 0 ]
then
echo "SSH Agent was running. Not adding identities"
else
echo "Starting ssh-agent…"
ssh-agent
echo "Adding SSH Identities"
addSSHIdentities
fi
}

startSSHAgent
[/bash]

startKeychain – bash utility to start ssh-agent

For my (and your) future reference, here’s a function to put on your .bashrc or .bash_profile, you can invoke it later at any time to start/re-start your ssh-agent.


[bash]
function startKeychain {
killall ssh-agent
rm ~/.keychain/*
keychain id_rsa
HOSTNAME=`hostname`
source ~/.keychain/${HOSTNAME}-sh
}
[/bash]

Then at any time, the “command” startKeychain will be available on your command line.

Output should look something like this:
[bash]

gubatron@gubatron-desktop:~$ startKeychain

KeyChain 2.6.8; http://www.gentoo.org/proj/en/keychain/
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL

* Initializing /home/gubatron/.keychain/gubatron-desktop-sh file…
* Initializing /home/gubatron/.keychain/gubatron-desktop-csh file…
* Initializing /home/gubatron/.keychain/gubatron-desktop-fish file…
* Starting ssh-agent
* Initializing /home/gubatron/.keychain/gubatron-desktop-sh-gpg file…
* Initializing /home/gubatron/.keychain/gubatron-desktop-csh-gpg file…
* Initializing /home/gubatron/.keychain/gubatron-desktop-fish-gpg file…
* Starting gpg-agent
* Adding 1 ssh key(s)…
Identity added: /home/gubatron/.ssh/id_rsa (/home/gubatron/.ssh/id_rsa)

[/bash]

Comments are welcome to improve it, I’m not an ssh-agent expert, but this seems to do the work.

[SOLVED] Issue with KDE 4.4.2 and Dolphin always asking my ssh passwords whenever I browsed folder I checked out from a remote subversion repository.

Quick N Dirty way to Map Commands to remote servers via ssh

You may be running several independent but similar servers at the same time and wasting time by executing commands in all of them one by one.

Wouldn’t it be nice to send a command to all of them at once? or to monitor all of them at once.

The following script can be used as a building block to more complex automation tasks for a small size set of servers. (If you’re managing over 50 servers, I’d probably consider looking a different way to arrange servers (map/reduce cluster), but if you’re doing something below that number this might suffice)

[code lang=”python”]
#!/usr/bin/python

#########################################################
# Author: Angel Leon (gubatron@gmail.com) – October 2009
#
# Invokes a command locally and invokes the same command
# in all machines under the specified username, servers
#
# Requirement: Have a public ssh_key for that user on all
# the other machines so you don’t have to authenticate
# on all the other machines.
#########################################################
import sys
import os

# set the username that has access to all the machines here
user=’safeuser’

# add all your server names here
servers=[‘server1.mydomain.com’,’server2.mydomain.com’,’server3.mydomain.com’]

if __name__ == "__main__":
if len(sys.argv) < 2:
print "Usage: ssh_map_command <cmd>"
sys.exit(0)

cmd= ‘ ‘.join(sys.argv[1:])

#Execute locally first
print cmd
os.system(cmd)

#Execute for all the servers in the list
for server in servers:
remote_cmd="ssh %s@%s %s" % (user,server,cmd)
print remote_cmd
os.system(remote_cmd)
print
[/code]

Save as ssh_map_command and chmod +x it.

Sample uses
Check the average load of all machines at once (then use output to mitigate high load issues)
[code lang=”shell”]$ ssh_map_command uptime[/code]

Send HUP signal to all your web servers (put it in an alias or other script… and that’s how you start building more complex scripts)
[code lang=”shell”]$ ssh_map_command ps aux | grep [l]ighttpd | kill -HUP `awk {‘print $2’}`[/code]

Check if processes are alive, check memory usage on processes across different machines, grep remote all logs at once, svn up on all machines, rsync from one to many, hey, you can even tail -f and grep all the logs at once, you can go nuts with this thing. Depends on what you need to do.

Requirements

Security Advisory
Make sure only the desired user has read/write/execute access to it and keep your private ssh keys safe (preferably only read and execute for the owner, and no permissions whatsoever to anybody else chmod 500 ssh_mod_map), if possible change them as often as possible, for it may become a big security whole if an attacker can manage to write code on this script, specially if you have cronjobs invoking it. Your attacker would only need to change code here to mess up all of your machines.

Disclaimer and Call for Knowledge
Please, if someone knows of a standard way to map commands to multiple servers, please let me know in the comment section, in my case I needed a solution and I wrote a quick and dirty python script and tried to secure it as best as I could, by no means I’m saying that this is the best solution to mapping commands, in fact I believe it might be the least efficient way, however it works good enough for my personal needs.

Script to automatically detect and ban malicious IPs that try to brute force SSH accounts

We’ve noticed that most of our servers have been under heavy attack from random IP addresses to break via SSH.

With the help of the last post on how to ban an IP, and the following python script, you’ll be able to have a cronjob that runs once or twice a day and automagically bans all the offending ips from ever trying to brute force their way in ever again.

touch and make executable a file called “detect_ssh_hostiles”

touch detect_ssh_hostiles
chmod +x detect_ssh_hostiles

Then copy the following code inside:

# Usage:
# python detect_ssh_hostiles [auth.log file path]
#
# Requirement: There should be "ban_ip" and "unban_ip" command availability on the path
#
# Note: you gotta have read permissions on the auth.log file and sudo
#       permissions for the script to ban the ips.

#If an IP meets this number of failed login attemmpts it will be banned
BAN_THRESHOLD = 7
SUSPECTS = {}

#Put here IP addresses you trust, could be making genuine login errors
SAFE_IPS = ['81.73.111.49','101.73.111.160','72.31.171.235','72.36.23.234','82.36.180.210','202.132.82.16']

import os
import sys
import re

BANNED = {}
def loadBanned():
  '''
  This function will load all the banned IPS into the BANNED Dict.
  It will also count how many times (by mistake) the same IP has
  been banned, and it will unban it, so that it will appear only once.
  '''
  global BANNED
  command = 'sudo iptables --list --numeric'
  try:
    p = os.popen(command,'rb')
  except Exception,e:
    print e
    sys.exit(1)

  line = '-'

  while line != '':
    line = p.readline().strip()

    if line.startswith("DROP"):
      parts = line.split()
      ip = parts[3]

      #add hit or register banned ip
      if BANNED.has_key(ip):
        BANNED[ip]+=1
      else:
        BANNED[ip]=1

  #Make sure banned IPs are banned only once
  for ip in BANNED:
    if BANNED[ip] > 1:
      print "IP %s has been banned %d times" % (ip, BANNED[ip])
      n=BANNED[ip]-1
      while n > 0:
        os.system("unban_ip %s" % ip)
        print ("unban_ip %s" % ip)
        n=n-1

  p.close()

# ---- here we go ----
loadBanned()

#read auth log
logfile = '/var/log/auth.log'

if len(sys.argv)==2:
  logfile = sys.argv[1]

command = 'grep "Failed password for " %s' % logfile
#print command

try:
  p = os.popen(command,'rb')
except Exception,e:
  print e
  sys.exit(1)

line = "123"

while line != '':
  line = p.readline()

  #Sample line:
  # May 25 03:29:49 main sshd[6933]: Failed password for root from 202.118.236.132 port 54863 ssh2
  pattern = "(.*)(froms)(d+.d+.d+.d+)(.*)"
  matchObject = re.match(pattern, line)

  suspect = None
  if matchObject is not None:
    suspect = matchObject.groups()[2]

    #skip safe IPs
    if suspect in SAFE_IPS:
      continue

    if SUSPECTS.has_key(suspect):
      #add a hit
      SUSPECTS[suspect] += 1
    else:
      #add first hit
      SUSPECTS[suspect] = 1

p.close() #close the pipe

print "=="*30

import time
t = time.localtime()
#(2008, 6, 6, 9, 35, 21, 4, 158, 1)

timestr = "%d-%d-%d@%d:%d:%d" % (t[0],t[1],t[2],t[3],t[4],t[5])
print timestr
print "--"*30
if len(SUSPECTS) > 0:
  for suspect in SUSPECTS:
    if SUSPECTS[suspect] >= BAN_THRESHOLD and not BANNED.has_key(suspect):
      print "Banning %s with %d attempts" % (suspect,SUSPECTS[suspect])
      BANNED[suspect]=1
      os.system("ban_ip %s" % suspect)
    elif BANNED.has_key(suspect):
      print "Ip %s has already been banned" % (suspect)
    else:
      print "Suspect candidate? %s with %d attempts" % (suspect,SUSPECTS[suspect])
else:
  print "Found no suspects to ban"

print "=="*30

Then add this as a cronjob of your root user, and it will automatically ban all those IPs that have tried to break in. See the script for configuration. You can always make some IPs immune to banning by adding them on the SAFE_IPS list.