[WBEL-users] iptables auto add baddies script?

Rob Rob <hard2hold@gmail.com>
Wed, 29 Dec 2004 12:23:38 -0800


On Wed, 29 Dec 2004 14:17:13 -0500, Van Loggins <vloggins@turbocorp.com> wrote:
> If you are able to come up with a working script please post it to the list. I too have been looking for an automated solution for this problem that uses a preset number of attempts before it drops the incoming IP address. I have a CentOS SSH server (converted over from Whitebox a while back) that I use to gain remote access to our company network from home when I have to log in to work on problems remotely.
> 
> I currently am using portsentry and I manually run a script every time I get a warning message from portsentry about someone attempting to hack into the server.
> 
> My block script is pretty basic, but just in case anyone wants to look at it, here it is:
> 
> #!/bin/bash
> printf "Enter the IP address to be blocked: "
> read TARGET
> # -I puts the rule at the top of INPUT so it matches before any ACCEPT rule
> iptables -I INPUT -s "$TARGET" -j DROP
> 
> I look forward to seeing your finished script, Rob.
> 
> Thanks,
> 
> Van Loggins
> 
> --
> Van Loggins        vloggins@turbocorp.com
> Assistant System Administrator - ESC Dept
>       _
>      -o)
>      /\\
>     _\_v
> Linux User #316727
> 678-989-3052
> Turbo Logistics
> http://www.turbocorp.com
> 
> 

This is what I have so far, and it works.  Need to get a way to add IP
addresses for it to skip over though:

#!/bin/bash
# check for hack attempts and email alerts if seen
searchdate=`date +'%b %e'`
searchtime=`date +'%r'`
tail -n 100 /var/log/secure > /tmp/output.txt
grep "Failed password" /tmp/output.txt > /tmp/faillogin
if [ $? = 0 ]
        then
        # take the word after "from": the field number differs between
        # "Failed password for root from ..." and "... for invalid user X from ...",
        # so a fixed $11 picks up the user name on the second form
        awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' /tmp/faillogin | sort -u > /tmp/awkip.txt
        for i in `cat /tmp/awkip.txt`
        do
                # only append a rule if this address is not already dropped
                iptables -C INPUT -s "$i/32" -j DROP 2>/dev/null || iptables -A INPUT -s "$i/32" -j DROP
        done
        mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < /tmp/faillogin
fi

Not pretty, and it needs a little more tweaking.
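The two things asked for in this thread, a preset number of failures before an address is dropped (Van's request) and a list of addresses the script skips over (Rob's to-do), can be done in one pass over the log. The script below is an added example, not Rob's or Van's code. It parses constructed sshd "Failed password" lines embedded inline instead of reading /var/log/secure, counts failures per source address, skips the whitelist, and prints the iptables commands rather than running them; the log lines, the threshold of 3 and the whitelist addresses are all assumptions made for the example.

```shell
#!/bin/bash
# Added example: threshold-based SSH blocker with a whitelist.
# Log lines, threshold and whitelist below are constructed for the example.

# Constructed sample of /var/log/secure lines in sshd's "Failed password" format.
SAMPLE_LOG='Dec 29 12:01:02 host sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Dec 29 12:01:05 host sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Dec 29 12:01:09 host sshd[2003]: Failed password for root from 10.0.0.5 port 40003 ssh2
Dec 29 12:02:00 host sshd[2004]: Failed password for invalid user test from 192.168.1.20 port 50000 ssh2
Dec 29 12:02:30 host sshd[2005]: Failed password for bob from 192.168.1.20 port 50001 ssh2
Dec 29 12:02:45 host sshd[2006]: Failed password for bob from 192.168.1.20 port 50002 ssh2
Dec 29 12:03:00 host sshd[2007]: Failed password for root from 203.0.113.9 port 60000 ssh2
Dec 29 12:03:10 host sshd[2008]: Accepted password for bob from 192.168.1.20 port 50003 ssh2'

# Addresses that must never be blocked (assumption: the admin's home address
# and localhost). Mistyping your own password must not lock you out.
WHITELIST="192.168.1.20 127.0.0.1"

# failed_ips LOGTEXT THRESHOLD
# Prints "count ip" for every source address with at least THRESHOLD failures.
# The address is taken as the word after "from", so lines for both valid
# users and "invalid user" logins parse correctly (a fixed field number
# such as $11 does not, because "invalid user" shifts the fields).
failed_ips() {
    printf '%s\n' "$1" |
        awk -v min="$2" '
            /Failed password/ {
                for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
            }
            END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' |
        sort -k2
}

# is_whitelisted IP -> returns 0 if IP appears in WHITELIST
is_whitelisted() {
    for w in $WHITELIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# block_rules LOGTEXT THRESHOLD
# Prints one iptables command per offending address, skipping the whitelist.
# Printing instead of executing keeps the example side-effect free; pipe the
# output into sh (as root) to apply it.
block_rules() {
    failed_ips "$1" "$2" | while read -r count ip; do
        if is_whitelisted "$ip"; then
            echo "# skipping whitelisted $ip ($count failures)"
        else
            echo "iptables -I INPUT -s $ip/32 -j DROP   # $count failures"
        fi
    done
}

block_rules "$SAMPLE_LOG" 3
```

With the sample data, 10.0.0.5 reaches the threshold and gets a DROP line, 192.168.1.20 reaches it too but is reported as skipped, and 203.0.113.9 with a single failure is not mentioned at all. Because the count is done over whatever log text is passed in, running it over the last N lines of /var/log/secure from cron (as Rob's script does with tail) gives a sliding window rather than a lifetime count.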