misc/109047: cut utility reads off by one place when day (date) is a double digit

Tim cyberlord at cyber-wizard.com
Sun Feb 11 14:10:07 UTC 2007


>Number:         109047
>Category:       misc
>Synopsis:       cut utility reads off by one place when day (date) is a double digit
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 11 14:10:05 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Tim
>Release:        FreeBSD 5.4-RELEASE
>Organization:
n/a
>Environment:
FreeBSD hercmud.net 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun Sep 18 21:04:28 UTC 2005
>Description:
When the day (date) reaches double digits the cut utility/program somehow reads the field as off by one. I'm not sure if this is a problem with the auth.log or with cut itself but my bet is on cut. 

I have a script that reads auth.log and filters out bad login attempts and writes to hosts.allow. When the date reaches double digits I have to adjust my script accordingly.

Here is the offending line in my script.

for IP in `grep sshd /var/log/auth.log|grep "illegal user"|cut -d " " -f14` 0.0.0.0; do

I have to change the -f14 to -f13 during double digit days and then again when the month rolls over set it back to -f14.

Not only is having to edit the script twice a month annoying, it shortens the length of time one can deny a host that attempts login during the single digit days. Once I adjust the offending line to compensate for the double digit day it incorrectly reads the single digit day lines.
>How-To-Repeat:

>Fix:
Run the following script on single- and double-digit days:

#!/usr/local/bin/bash
LAST_IP=0.0.0.0
COUNT=1

# Set MAXCOUNT to the maximum failures allowed before blacklisting
# Remember though, the script gets run once per minute from cron, so
# technically the hacker has about 1 minute at maximum to attempt login
# and that really is the limiting factor in limiting the length of the attack
MAXCOUNT=5

for IP in `grep sshd /var/log/auth.log|grep "illegal user"|cut -d " " -f14` 0.0.0.0; do
  # Quote both sides so an empty field from cut does not break the test
  if [ "${LAST_IP}" == "${IP}" ]; then
     let COUNT=${COUNT}+1
  else
     if [ ${COUNT} -ge ${MAXCOUNT} ]; then
#        echo "sshd: ${LAST_IP} : deny"
# Now echo some output for crontab to email to you once in a while - comment it out if you don't care
        echo ${COUNT} attempts from ${LAST_IP}
     fi
     LAST_IP=${IP}
     COUNT=1
  fi
done
>Release-Note:
>Audit-Trail:
>Unformatted:
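
Added example, not part of the original report: syslog timestamps pad a single-digit day with an extra space ("Feb  1" versus "Feb 11"), and cut -d " " counts every single space as a delimiter, so the address lands in field 14 on padded days and field 13 otherwise. The sketch below reproduces that on constructed log lines and shows an extraction that does not depend on field position; the function names, host name and addresses are assumptions, and it counts total failures per address, which goes beyond the consecutive-run count in the report's script.

```shell
#!/bin/sh
# Constructed sample lines in the shape the report's grep filters select.
SAMPLE_LOG='Feb  1 03:12:45 host sshd[1234]: Failed password for illegal user admin from 192.0.2.10 port 4711 ssh2
Feb  9 03:12:46 host sshd[1235]: Failed password for illegal user guest from 192.0.2.10 port 4712 ssh2
Feb 10 03:12:47 host sshd[1240]: Failed password for illegal user test from 198.51.100.7 port 4713 ssh2
Feb 11 03:12:48 host sshd[1241]: Failed password for illegal user oracle from 198.51.100.7 port 4714 ssh2
Feb 11 03:12:49 host sshd[1242]: Failed password for illegal user info from 198.51.100.7 port 4715 ssh2'

# The report's extraction. The padded day produces an empty field 2, which
# shifts every later field by one compared with double-digit days.
cut_field14() {
    printf '%s\n' "$1" | grep sshd | grep "illegal user" | cut -d " " -f14
}

# Position-independent extraction: awk's default splitting collapses runs of
# blanks, and the address is located relative to the end of the line
# ("from ADDR port N ssh2") because the user name is free-form text.
extract_ips() {
    printf '%s\n' "$1" | awk '
        /sshd/ && /illegal user/ && NF >= 5 &&
        $(NF-4) == "from" && $(NF-2) == "port" &&
        $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $(NF-3) }'
}

# Addresses with at least $2 failed attempts in the log text $1.
offenders() {
    extract_ips "$1" | sort | uniq -c | awk -v max="$2" '$1 >= max { print $2 }'
}

echo "cut -d ' ' -f14:";          cut_field14 "$SAMPLE_LOG"
echo "awk, anchored on line end:"; extract_ips "$SAMPLE_LOG"
echo "3 or more failures:";        offenders "$SAMPLE_LOG" 3
```
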

