[WBEL-users] iptables auto add baddies script?

Nick Lott nick.lott@edevteam.com
Wed, 29 Dec 2004 09:17:42 +0000


Have you looked at PortSentry? I haven't used it myself, but I believe 
that it will do what you want (and more).

Cheers,
Nick

Rob wrote:
> I am working on creating a script that notifies and blocks a person
> who is trying to hack into ssh.  So far, I have this:
> 
> # check for hack attempts and email alerts if seen
> searchdate=`date +'%b %e'`
> searchtime=`date +'%r'`
> tail -n 100 /var/log/messages > /tmp/output.txt
> grep "authentication failure" /tmp/output.txt > /tmp/warning.txt
> if [ $? = 0 ]
>         then mail you@somewhere.net -s "Failed login via SSH on $searchdate at $searchtime" < /tmp/warning.txt
> fi
> 
> 
> It is the rest I am having issues with.  I found this script on
> google, but it does not do everything I want:
> 
> #!/bin/sh
> 
> # Settings:
> iptables="/sbin/iptables"
> blockchain="blocking"
> blocktarget="blacklist"
> 
> # This program will match lines:
> # Illegal user (userid) from (host)
> # Failed password for (userid) from (host) (...)
> # and adds (host) to the iptables blacklist chain
> # $blockchain.
> #
> #This chain is cleared regularly by a separate
> # script to let entries expire after a while.
> 
> while read mm dd hms localhostname sshd word1 word2 word3 word4 host1 host2 rest; do
> if [ "$word1 $word2 $word4" = "Illegal user from" ]; then
> $iptables -A $blockchain -s ${host1}/32 -j $blocktarget
> elif [ "$word1 $word2 $word3 $host1" = "Failed password for from" ]; then
> $iptables -A $blockchain -s ${host2}/32 -j $blocktarget
> fi
> done
> 
> the problem I have is:
> 
> A)  I want to block the ip addy only if it happens more the X times
> 
> B)  The logging in /var/log/messages is coming in as a reverse ip
> entry.  anyway to fix that?
> 
> Rob
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
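Worked example of the two missing pieces from the quoted question (a per-source threshold, and tolerating lines where sshd logged a hostname instead of an address). This is an added example, not Nick's suggestion or Rob's script; it keeps the chain and target names from the quoted script, reads the same syslog line formats, and runs against a constructed sample log when called with no arguments. Rules are printed rather than executed so they can be reviewed before being piped into a shell.

```shell
#!/bin/sh
# Added example: count sshd failures per source and emit block rules for
# sources at or above a threshold. Chain/target names follow the quoted
# script; the log lines below are constructed for the demo.
THRESHOLD="${THRESHOLD:-3}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
BLOCKCHAIN="${BLOCKCHAIN:-blocking}"
BLOCKTARGET="${BLOCKTARGET:-blacklist}"

# Constructed sample in the "Illegal user ... from" / "Failed password for
# ... from" formats the quoted script matches; one source is a hostname.
SAMPLE_LOG='Dec 29 09:01:02 host sshd[1234]: Illegal user admin from 192.0.2.10
Dec 29 09:01:05 host sshd[1235]: Failed password for root from 192.0.2.10 port 4444 ssh2
Dec 29 09:01:09 host sshd[1236]: Failed password for invalid user test from 192.0.2.10 port 4445 ssh2
Dec 29 09:02:00 host sshd[1240]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Dec 29 09:02:30 host sshd[1241]: Illegal user guest from attacker.example
Dec 29 09:02:31 host sshd[1242]: Illegal user guest from attacker.example
Dec 29 09:02:32 host sshd[1243]: Illegal user guest from attacker.example
Dec 29 09:03:00 host sshd[1250]: Accepted password for bob from 203.0.113.5 port 6000 ssh2'

# extract_sources: read log lines on stdin, print the source of every
# failure line (one per line); non-matching lines are dropped.
extract_sources() {
    sed -n \
      -e 's/^.*sshd\[[0-9]*\]: Illegal user .* from \([^ ]*\).*$/\1/p' \
      -e 's/^.*sshd\[[0-9]*\]: Failed password for .* from \([^ ]*\).*$/\1/p'
}

# offenders: sources seen at least THRESHOLD times (answers question A).
offenders() {
    extract_sources | sort | uniq -c | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# is_ipv4: true when the argument looks like a dotted-quad address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# block_rules: print an iptables rule per offending address. A source
# that is a hostname rather than an address (question B) is reported as a
# comment instead of being blocked blindly, since a name can resolve to
# several addresses or to the wrong one.
block_rules() {
    offenders | while read -r src; do
        if is_ipv4 "$src"; then
            printf '%s -A %s -s %s/32 -j %s\n' \
                "$IPTABLES" "$BLOCKCHAIN" "$src" "$BLOCKTARGET"
        else
            printf '# %s: hostname logged instead of address; look it up before blocking\n' "$src"
        fi
    done
}

# main: with file arguments, read those logs; otherwise run on the sample.
main() {
    if [ $# -gt 0 ]; then
        cat "$@"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi | block_rules
}

main "$@"
```

Run as `sh blocklist.sh` to see the rules for the sample, or `tail -n 100 /var/log/messages | sh blocklist.sh /dev/stdin` against a real log; pipe the output into `sh` only after checking it. Because the threshold counts lines from whatever window you feed in, the `tail -n 100` window from the first quoted script doubles as the time window.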