Bad Actors

Figure 1: #bad_actors Slack channel is also streamed live at https://mellican.com/badactors/

How to log these “bad actors”

Figure 2 below shows how TCP wrappers (libwrap) and a bash (or python) script that filters connections by the geographic location of the source IP can be used to log these events and deny connections from countries that are not on an allow-list. Two caveats: this only works when sshd is linked against libwrap (the first `ldd` command below checks that — no output means hosts.allow/hosts.deny are ignored for ssh), and tcp wrappers consults /etc/hosts.allow before /etc/hosts.deny, so the `sshd: ALL` line belongs in hosts.deny and the `aclexec` line in hosts.allow.

Figure 2: The Russian version of David Caruso is denied access and the event is logged.
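# 1. Confirm sshd is linked against libwrap. Only then are /etc/hosts.allow
#    and /etc/hosts.deny consulted for sshd; with no output here nothing
#    below will have any effect on ssh.
sudo ldd /usr/sbin/sshd | grep -F libwrap \
  || echo "sshd is not linked against libwrap; hosts.allow/hosts.deny will be ignored for ssh" >&2
# 2. Install the lookup tool and the (legacy .dat format) country database.
#    The packaged database is a snapshot; the weekly cron job below refreshes it.
sudo apt-get install geoip-bin geoip-database -y
# 3. Smoke-test the lookup with a well-known public address.
geoiplookup 8.8.8.8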
#!/bin/bash
# sshfilter.sh — tcp wrappers "aclexec" hook for sshd.
# Invoked from /etc/hosts.allow with the client address (%a) as the only
# argument. Exit status 0 allows the connection, anything else denies it.
if (( $# != 1 )); then
  printf 'Usage: %s <ip>\n' "${0##*/}" >&2
  # Deliberate fail-open: a broken hosts.allow line must not lock every
  # administrator out of ssh. The flip side is that a misconfiguration
  # silently disables the geo filter, so watch for this usage message.
  exit 0
fi
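#######################################
# Post a one-line message to Slack through an incoming webhook.
# Globals:   SLACK_WEBHOOK (written; the secret path part of the webhook URL)
# Arguments: $1 - message text
# Outputs:   nothing on stdout; curl errors go to stderr
# Returns:   curl's exit status (non-zero on network/HTTP failure)
#######################################
slacksend() {
  # Get your Slack webhook url here:
  # https://my.slack.com/services/new/incoming-webhook/
  # The webhook URL is a credential: anyone who can read this file can post
  # to the channel, so keep the script readable by root only.
  SLACK_WEBHOOK="UPDATEME"
  local msg=$1
  # Minimal JSON escaping (backslash first, then double quote) so a stray
  # quote in the message cannot break or alter the payload.
  msg=${msg//\\/\\\\}
  msg=${msg//\"/\\\"}
  # This runs in the accept path of every denied ssh connection, so it must
  # never hang: bound the request and discard the response body.
  curl --silent --show-error --output /dev/null --max-time 5 \
    -X POST -H 'Content-type: application/json' \
    --data "{\"text\":\"$msg\"}" \
    "https://hooks.slack.com/services/$SLACK_WEBHOOK"
}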
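# UPPERCASE space-separated country codes to ACCEPT
COUNTRIES_WHITELIST="US AU"
CLIENT_IP=$1
# geoiplookup prints e.g. "GeoIP Country Edition: US, United States" or
# "GeoIP Country Edition: IP Address not found"; keep the text between
# ": " and the first ",". If geoiplookup is missing or fails, COUNTRY is empty.
COUNTRY=$(/usr/bin/geoiplookup "$CLIENT_IP" | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1)

if [[ -z $COUNTRY || $COUNTRY == "IP Address not found" ]]; then
  # Fail open: private/unknown ranges and a broken lookup are allowed so the
  # filter never locks out LAN access. It is still logged — watch for it.
  RESPONSE="ALLOW"
  COUNTRY=${COUNTRY:-"geoiplookup failed"}
elif [[ " $COUNTRIES_WHITELIST " == *" $COUNTRY "* ]]; then
  # Whole-word match. The previous "=~ $COUNTRY" regex test also matched
  # partial codes, and matched everything when COUNTRY was empty.
  RESPONSE="ALLOW"
else
  RESPONSE="DENY"
fi

logger "$RESPONSE sshd connection from $CLIENT_IP ($COUNTRY)"
if [[ $RESPONSE == "ALLOW" ]]; then
  exit 0
fi
# Only denials are pushed to Slack; the "(XX)" suffix is what send_slack.py
# turns into the flag icon.
slacksend "$RESPONSE sshd connection from $CLIENT_IP ($COUNTRY)"
exit 1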
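# The script embeds the Slack webhook URL (a credential), so make it
# root-only rather than merely executable. sshd evaluates hosts.allow
# (and with it aclexec) before dropping privileges, so root-only should be
# enough; if the manual test run fails with "permission denied", relax to
# 0750 with the group sshd runs the check as.
sudo chown root:root /usr/local/bin/sshfilter.sh
sudo chmod 0700 /usr/local/bin/sshfilter.sh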
sshd: ALL
sshd: ALL: aclexec /usr/local/bin/sshfilter.sh %a
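# Manual test. The script prints nothing; the exit status is what tcp
# wrappers acts on (0 = ALLOW, 1 = DENY), and a matching line is written
# to syslog via logger. A DENY also posts to Slack.
sudo /usr/local/bin/sshfilter.sh 8.8.8.8; echo "exit status: $?"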
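#!/bin/bash
# update-geoip — weekly cron job that refreshes /usr/share/GeoIP/GeoIP.dat.
# Runs as root from /etc/cron.weekly, so it must not trust anything in /tmp.
URL="https://software77.net/geo-ip/?DL=4"
DB="/usr/share/GeoIP/GeoIP.dat"

# Download into an unpredictable temp file next to the target, never a fixed
# /tmp path: with a fixed name any local user can pre-create a symlink that a
# root "curl -o" follows and overwrites. (The previous version also tested
# ./GeoIP.dat after downloading to /tmp/GeoIP.dat, so it never updated.)
tmp=$(mktemp "$DB.XXXXXX") || { echo "cannot create temp file next to $DB" >&2; exit 1; }
trap 'rm -f -- "$tmp"' EXIT

# --fail: an HTTP error page must not become the "database".
if ! curl --fail --silent --show-error --location --max-time 120 -o "$tmp" "$URL"; then
  echo "The GeoIP database could not be downloaded" >&2
  exit 1
fi

# Check the file works as a GeoIP database before it replaces the current
# one, so a truncated or differently formatted download is rejected and the
# old database stays in place. NOTE(review): if the server delivers a
# compressed file, decompress it before this check — not verified here.
if [[ ! -s $tmp ]] || ! /usr/bin/geoiplookup -f "$tmp" 8.8.8.8 | grep -Eq ': [A-Z]{2},'; then
  echo "Downloaded file is not a usable GeoIP database; keeping the old one" >&2
  exit 1
fi

chmod 0644 -- "$tmp"
# Same filesystem, so mv is an atomic rename: readers see the old file or the
# new one, never a partially written database.
mv -f -- "$tmp" "$DB"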
# run-parts only executes files that are executable; on Debian/Ubuntu it also
# skips names containing anything but letters, digits, "_" and "-", which
# "update-geoip" satisfies (a ".sh" suffix would silently disable it).
sudo chmod -- u+x /etc/cron.weekly/update-geoip
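#!/usr/bin/env python3
'''
send_slack.py -c "#channel" -m "message to send" [-u "First Lastname" -e ":emoji:"]

Post a message to a Slack channel (default "#bad_actors") with the Web API.

Designed for the sshfilter.sh log line, e.g. "DENY sshd connection from
1.2.3.4 (RU)": when no -e/--emoji is given, the icon is the flag for the
country code found in the last "(...)" group of the message (":flag-ru:"),
or ":no_entry:" when that group is not a two-letter code. When no
-u/--username is given, a name is picked at random from BAD_ACTORS.

The API token is taken from the SLACK_API_TOKEN environment variable; the
"YOUR_API_TOKEN" placeholder in this file is only the fallback, so the
secret does not have to live in the script. Exit status: 0 on success,
1 if the post fails, 2 on a usage error.
'''
from slacker import Slacker
import getopt
import os
import random
import re
import sys

# Display names used when -u/--username is not given.
BAD_ACTORS = [
    "Jean-Claude Van Damme",
    "Adam Sandler",
    "Nicolas Cage",
    "Chuck Norris",
    "Brendan Fraser",
    "Rob Schneider",
    "David Caruso",
    "Vin Diesel",
    "William Shatner",
    "Steven Seagal",
]

# Get your API token here:
# https://api.slack.com/web
# Read it from the environment rather than pasting it here: a token in the
# script ends up in backups, pastes and version control.
API_TOKEN = os.environ.get('SLACK_API_TOKEN', 'YOUR_API_TOKEN')


def _parse_args(argv):
    """Parse argv and return (channel, message, emoji, username).

    Prints the usage text and exits with 2 on a bad option or a missing
    message, and with 0 for -h/--help. channel defaults to '#bad_actors';
    the other three are None when not given.
    """
    try:
        opts, _args = getopt.getopt(argv, "hc:m:e:u:",
                                     ["help", "channel=", "message=", "emoji=", "username="])
    except getopt.GetoptError:
        print(__doc__)
        sys.exit(2)
    message = None
    channel = '#bad_actors'
    emoji = None
    username = None
    for opt, arg in opts:
        # --help was declared but previously not handled, so it was ignored.
        if opt in ('-h', '--help'):
            print(__doc__)
            sys.exit()
        elif opt in ("-c", "--channel"):
            channel = arg
        elif opt in ("-m", "--message"):
            message = arg
        elif opt in ("-e", "--emoji"):
            emoji = arg
        elif opt in ("-u", "--username"):
            username = arg
    if message is None:
        print(__doc__)
        sys.exit(2)
    return channel, message, emoji, username


def _flag_emoji(message):
    """Return the flag emoji for the country code in the last "(...)" group
    of message, or ":no_entry:" when there is no group or it is not a
    two-letter code (e.g. "(IP Address not found)" from geoiplookup)."""
    # Based on the Country of origin, the Slack icon will be the flag
    groups = re.findall(r'\(.*?\)', message)
    if not groups:
        return ":no_entry:"
    country = groups[-1]
    code = country[country.find("(") + 1:country.find(")")].lower()
    emoji = ":flag-" + code + ":"
    # ":flag-xx:" is exactly 9 characters; anything longer is not a code.
    if len(emoji) > 9:
        emoji = ":no_entry:"
    return emoji


def main(argv=None):
    """Post the message and return the exit status (0 ok, 1 if the post failed)."""
    channel, message, emoji, username = _parse_args(
        sys.argv[1:] if argv is None else argv)
    if username is None:
        username = random.choice(BAD_ACTORS)
    if emoji is None:
        emoji = _flag_emoji(message)
    slack = Slacker(API_TOKEN)
    # Send a message to the channel. as_user='false' (a string) is passed
    # through exactly as before; NOTE(review): whether Slack reads the
    # string "false" as boolean false was not verified here.
    try:
        slack.chat.post_message(channel, message, username=username,
                                as_user='false', icon_emoji=emoji)
    except Exception as e:
        # Report the exception itself (not just its class), on stderr, so
        # the reason is visible and stays out of captured stdout.
        print("[ERROR] Something went wrong!", e, file=sys.stderr)
        return 1
    return 0


if __name__ == '__main__':
    sys.exit(main())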
# Manual test post; the long option names are the same ones the script accepts.
send_slack.py --channel "#bad_actors" --message "Bad acting for some reason, advancing careers (KP)"
