[WBEL-users] iptables auto add baddies script?
Rob
Rob <hard2hold@gmail.com>
Tue, 28 Dec 2004 13:31:16 -0800
I am working on creating a script that notifies and blocks a person
who is trying to hack into ssh. So far, I have this:
# check for hack attempts and email alerts if seen
searchdate=`date +'%b %e'`
searchtime=`date +'%r'`
# only the last 100 lines are examined, so a run that comes late can miss
# entries and a run that comes early can report the same ones again
# (fixed file names under /tmp are also a symlink hazard when run as root;
# mktemp is the safer choice)
tail -n 100 /var/log/messages > /tmp/output.txt
grep "authentication failure" /tmp/output.txt > /tmp/warning.txt
# grep exits 0 only when at least one line matched
if [ $? = 0 ]
then mail -s "Failed login via SSH on $searchdate at $searchtime" you@somewhere.net < /tmp/warning.txt
fi
It is the rest I am having issues with. I found this script on
Google, but it does not do everything I want:
#!/bin/sh
# Settings:
iptables="/sbin/iptables"
blockchain="blocking"
blocktarget="blacklist"
# This program reads sshd log lines on stdin (e.g. from
# "tail -f /var/log/messages") and will match lines:
# Illegal user (userid) from (host)
# Failed password for (userid) from (host) (...)
# and adds (host) to the iptables blacklist chain
# $blockchain.
#
# This chain is cleared regularly by a separate
# script to let entries expire after a while.
#
# Fields: month day time hostname sshd[pid]: then the message words.
while read mm dd hms localhostname sshd word1 word2 word3 word4 host1 host2 rest; do
    if [ "$word1 $word2 $word4" = "Illegal user from" ]; then
        # "Illegal user NAME from HOST": HOST is the 10th field
        $iptables -A $blockchain -s ${host1}/32 -j $blocktarget
    elif [ "$word1 $word2 $word3 $host1" = "Failed password for from" ]; then
        # "Failed password for NAME from HOST": HOST is the 11th field
        $iptables -A $blockchain -s ${host2}/32 -j $blocktarget
    fi
done
The problems I have are:
A) I want to block the IP addy only if it happens more than X times
B) The logging in /var/log/messages is coming in as a reverse IP
entry. Any way to fix that?
Rob
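As an added example for the thread (not Rob's script and not from the list), here is one way to handle point A, counting failures per source before adding a rule, and to avoid the trap in point B, where the log shows a reverse-mapped name instead of an address. It assumes the chain and target names from the script above, reads a constructed sample log, and prints the iptables commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not Rob's script: count sshd failures per source host and
# emit a block rule only for hosts at or above a threshold (point A).
# Assumed chain/target names follow the script above; the log is constructed.
iptables="/sbin/iptables"
blockchain="blocking"
blocktarget="blacklist"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands instead of running them
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Dec 28 13:31:01 box sshd[2201]: Failed password for root from 192.0.2.10 port 4100 ssh2
Dec 28 13:31:03 box sshd[2203]: Failed password for root from 192.0.2.10 port 4101 ssh2
Dec 28 13:31:05 box sshd[2205]: Illegal user admin from 192.0.2.10
Dec 28 13:31:06 box sshd[2206]: Failed password for illegal user admin from 192.0.2.10 port 4102 ssh2
Dec 28 13:31:09 box sshd[2208]: Failed password for bob from 198.51.100.7 port 4200 ssh2
Dec 28 13:31:12 box sshd[2210]: Illegal user test from attacker.example.net
Dec 28 13:31:13 box sshd[2211]: Illegal user test from attacker.example.net
Dec 28 13:31:14 box sshd[2212]: Illegal user test from attacker.example.net
Dec 28 13:31:15 box crond[2213]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Print "count host" for every source named in an sshd "Illegal user ... from HOST"
# or "Failed password for ... from HOST" line, highest count first. The source is
# the field after the first "from", so the "for illegal user NAME from" form works too.
count_failures() {
    awk '$5 ~ /^sshd/ && (($6 == "Illegal" && $7 == "user") || ($6 == "Failed" && $7 == "password")) {
             for (i = 8; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (h in n) print n[h], h }' "$1" | sort -rn
}

# Block every host with at least $2 failures in log file $1. Sources that are
# not dotted-quad addresses (reverse-mapped names, point B) are skipped: a
# forward lookup of such a name need not return the address that connected.
block_offenders() {
    count_failures "$1" | while read count host; do
        [ "$count" -ge "$2" ] || continue
        case "$host" in
            *[!0-9.]*) echo "skip $host: not an IP address, fix sshd logging" >&2; continue ;;
        esac
        if [ "$DRY_RUN" = 1 ]; then
            echo "$iptables -A $blockchain -s $host/32 -j $blocktarget"
        else
            "$iptables" -A "$blockchain" -s "$host/32" -j "$blocktarget"
        fi
    done
}
block_offenders "$sample_log" "${THRESHOLD:-3}"
```

The lasting fix for point B is to have sshd log addresses rather than resolved names (the UseDNS option, in OpenSSH releases that have it), since blocking by a name's forward lookup can block the wrong host.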