Much accurate sudokill ssh login detect

domcloud · Dec 26, 2023 · ac9f6d4 · ac9f6d4
1 parent d56afe3
commit ac9f6d4
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 11 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "domcloud-bridge",
-  "version": "0.34.3",
+  "version": "0.35.0",
   "description": "Deployment runner for DOM Cloud",
   "main": "app.js",
   "engines": {

diff --git a/sudokill.js b/sudokill.js
@@ -11,7 +11,12 @@ const opts = cli.parse({
     ignore: ['i', 'Ignore user list', 'string', ''],
 });
 
-const output = exec('ps -eo user:20,pid,etimes,command --forest --no-headers', {
+const psOutput = exec('ps -eo user:20,pid,etimes,command --forest --no-headers', {
+    silent: true,
+    fatal: true,
+}).stdout.trim().split('\n');
+
+const whoOutput = exec('who', {
     silent: true,
     fatal: true,
 }).stdout.trim().split('\n');
@@ -26,24 +31,22 @@ ignoreUsers.root = true;
 
 // process and filter output
 const splitTest = /^([\w.-]+\+?) +(\d+) +(\d+) (.+)$/;
-const lists = output
+const lists = psOutput
     .map(x => splitTest.exec(x))
     .filter(x => x !== null && !ignoreUsers[x[1]]).map(match => ({
         raw: match[0],
         user: match[1],
         pid: match[2],
-        etimes: match[3],
+        etimes: parseInt(match[3]),
         command: match[4],
     }));
 
-for (const item of lists) {
-    if (item.command === ' \\_ (sd-pam)') {
-        ignoreUsers[item.user] = true;
-    }
+for (const item of whoOutput) {
+    ignoreUsers[item.match(/^[\w.-]+/)[0]] = true;
 }
 
 // scan for any processes not in ssh sessions or longer than 3 hours
-let candidates = lists.filter(x => parseInt(x.etimes) > 10800 || (x.command[0] != ' ' && !ignoreUsers[x.user]));
+let candidates = lists.filter(x => x.etimes > 10800 || (x.command[0] != ' ' && !ignoreUsers[x.user] && x.etimes > 60));
 
 if (opts.test) {
     console.log(candidates.map(x => x.raw).join('\n'));