Want to have some fun with users that keep ssh’ing to your box? Let them in, then kill them right away. I don’t even remember when/why I wrote this silly script, but here it is. There are a lot of better ways you could do this, and if you want any real ssh security, don’t even let them log in at all.
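#!/bin/bash
# Watch /var/log/secure for newly accepted ssh password logins and send
# SIGTERM to the sshd process named in the log line, either automatically
# (INSTAKILL != 0) or after an interactive y/N prompt.
#
# Must run as root: it reads /var/log/secure and signals other users' processes.
#
# NOTE(review): everything acted on below (PID, source address) is parsed from
# a log file, and sshd copies client-supplied strings such as the attempted
# user name into that file. Each field is validated before it reaches kill or
# nslookup, so a crafted log line cannot steer a root-owned kill.
#
# Limitation kept from the original: only the newest matching line is examined
# every 2 seconds, so several logins inside one interval yield a single kill.

# Set INSTAKILL to anything but 0 to immediately kill incoming ssh
INSTAKILL=1

if [[ "$(whoami)" != root ]]; then
  echo "Please run this as root --> $ sudo $0"
  exit 1
fi

LAST=""
primed=0 # 0 during the first pass, so a login already in the log is only recorded

while true; do
  # Match by field position instead of a substring search: the syslog tag ($5)
  # must be sshd[PID]: (some OpenSSH releases log as sshd-session) and the
  # message must start with "Accepted pass...". A line that merely contains
  # that text further along, e.g. inside a user name, is ignored.
  CURR=$(awk '
    $5 ~ /^sshd(-session)?\[[0-9]+\]:$/ && $6 == "Accepted" && $7 ~ /^pass/ { last = $0 }
    END { if (last != "") print last }
  ' /var/log/secure)

  if [[ "$CURR" != "$LAST" ]] && ((primed)); then
    # Layout assumed: Mon DD HH:MM:SS host sshd[PID]: Accepted password for USER from ADDR ...
    read -r month day clock _ tag _ _ _ _ _ FROM _ <<<"$CURR"
    PID=${tag#*[}
    PID=${PID%%]*}
    TIME="$month $day @ $clock"

    # CURR is empty right after log rotation; without a numeric PID there is
    # nothing safe to signal, so this round is skipped.
    if [[ "$PID" =~ ^[0-9]+$ ]]; then
      DNS=""
      # Resolve only values that look like an IPv4/IPv6 address; this also keeps
      # anything starting with '-' from being read by nslookup as an option.
      if [[ "$FROM" =~ ^[0-9A-Fa-f:.]+$ ]]; then
        # nslookup options use a single dash and go before the name.
        DNS=$(nslookup -timeout=2 "$FROM" 2>/dev/null |
          grep 'name = ' | sed -e 's/.*name = //' -e 's/\..*//' | head -n 1)
        # The PTR answer is controlled by whoever runs the reverse zone; keep
        # only hostname characters before echoing it to the operator's terminal.
        DNS=${DNS//[^A-Za-z0-9_-]/}
      fi
      [[ -n "$DNS" ]] || DNS="Unknown"

      USER_INPUT="" # a timed-out read must not reuse the previous answer
      if [[ "$INSTAKILL" != 0 ]]; then
        USER_INPUT=y
      else
        read -r -p "Kill ssh (pid=$PID) from $FROM ($DNS) on $TIME? [y/N]" -t 15 USER_INPUT
      fi

      if [[ "$USER_INPUT" == [yY] ]]; then
        # Signal only if the PID still belongs to an sshd process; the number may
        # have been recycled since the line was logged. A small window between
        # this check and the kill remains.
        if [[ "$(ps -p "$PID" -o comm= 2>/dev/null)" == sshd* ]]; then
          kill -15 "$PID"
          echo "BOOM! Headshot!!!"
        else
          echo "Too late, user vanished..."
        fi
        echo "Resuming SSH Monitoring..."
      else
        echo " Resuming SSH Monitoring..."
      fi
    fi
  fi

  LAST=$CURR
  sleep 2
  primed=1
done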