Examples

Scenario:

Generate a list of crackers’ ip address by “lastb” command. This list could be used for generating configuation file for “iptable-restore” command to block those ip addresses.

Answer:

file: blackip.spy

# generate black list of cracker's ip from "lastb"
"""
output sample of "lastb"
blogdosa ssh:notty    178.128.125.70   Tue Aug  2 09:09 - 09:09  (00:00)
"""

def handleLastbData(stdout):
    # dealing with the output of "lastb"
    cracker = {}
    for line in stdout.split('\n'):
        if not line: continue
        cols = line.split()
        if not len(cols) > 2: continue
        username = cols[0]
        ip = cols[2]
        try:
            cracker[ip].add(username)
        except KeyError:
            cracker[ip] = set([username])

    # do statistics 
    rows = []
    keys = list(cracker.keys())
    keys.sort()
    for ip in keys:
        # add the ip into list if it tried over 5 names
        if len(cracker[ip]) > 5:
            rows.append((ip,len(cracker[ip])))

    # for pretty print
    import tabulate
    print(tabulate.tabulate(rows,headers=('IP','#count')))

    # you can then generate lines like "-A INPUT -s 208.78.41.201/32 -j DROP" 
    # for "iptables-restore" command by the resulting data.
#
# there are 3 methods to run on  localhost
#
if 1:
    # this script is run by root
    $lastb -10000
    handleLastbData($.stdout)
    
elif 0:
    # this script is run by regular user, use sudo to run
    $$echo 123456 | sudo -S lastb -10000
    handleLastbData($.stdout)
    
elif 0:
    # this script is run by regular user, su as root to run
    with $sudo -S su as console:
        console.expect('password')
        console.sendline('123456')
        console.sendline('lastb -10000')
        handleLastbData(console.stdout)
        
#
# there are also 3 methods to run on remote host
#
if 1:
    # login as root
    $.connect('root@host',password='123456')
    $lastb -10000
    handleLastbData($.stdout)
    $.close()

elif 0:
    # login as regular user, then use sudo to run
    $.connect('user@host',password='123456')
    $$echo 123456 | sudo -S lastb -10000
    handleLastbData($.stdout)
    $.close()

elif 0:
    # login as regular user, then su as root to run
    $.connect('user@host',password='123456')
    with $sudo -S su as console:
        console.expect('password')
        console.sendline('123456')
        console.sendline('lastb -10000')
        handleLastbData(console.stdout)
    $.close()

Examples of execution command

$sshscript blackip.spy
$sshscript blackip.spy --verbose --debug
$sudo sshscript blackip.spy
$sudo sshscript blackip.spy --verbose --debug

image