[WBEL-users] iptables auto add baddies script?
Rob
Rob <hard2hold@gmail.com>
Wed, 29 Dec 2004 12:23:38 -0800
On Wed, 29 Dec 2004 14:17:13 -0500, Van Loggins <vloggins@turbocorp.com> wrote:
> If you are able to come up with a working script please post it to the list, I too have been looking for an automated solution for this problem that uses a preset number of attempts before it drops the incoming ip address. I have a CentOS SSH server (converted over from whitebox a while back) that I use to gain remote access to our company network from home when I have to log in to work on problems remotely.
>
> I currently am using portsentry and I manually run a script every time I get a warning message from portsentry about someone attempting to hack into the server.
>
> my block script is pretty basic but just in case anyone wants to look at it here it is
>
> #!/bin/bash
> # prompt for one address and drop everything from it at the top of INPUT
> printf "Enter the Ip address to be blocked? "
> read TARGET
> iptables -I INPUT -s "$TARGET" -j DROP
>
> I look forward to seeing your finished script Rob
>
> Thanks,
>
> Van Loggins
>
> --
> Van Loggins vloggins@turbocorp.com
> Assistant System Administrator - ESC Dept
> _
> -o)
> /\\
> _\_v
> Linux User #316727
> 678-989-3052
> Turbo Logistics
> http://www.turbocorp.com
>
>
This is what I have so far, and it works. Need to get a way to add ip
addresses for it to skip over though:
#!/bin/bash
# check for hack attempts and email alerts if seen
searchdate=$(date +'%b %e')
searchtime=$(date +'%r')
# private scratch directory instead of predictable file names in /tmp
work=$(mktemp -d) || exit 1
tail -n 100 /var/log/secure > "$work/output.txt"
if grep "Failed password" "$work/output.txt" > "$work/faillogin"
then
    # take the address after "from " rather than a fixed awk field: lines for
    # an "invalid user" have two extra words, so $11 is not always the address
    sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' "$work/faillogin" | sort -u > "$work/awkip.txt"
    while read -r i
    do
        iptables -A INPUT -s "$i/32" -j DROP
    done < "$work/awkip.txt"
    mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < "$work/faillogin"
fi
rm -rf "$work"
Not pretty, and need a little more tweaking.
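Added example, not Rob's or Van's script: the two things the thread asks for, a preset number of failed attempts before an address is dropped and a list of addresses to skip, done as small shell functions. The log lines are a constructed sample in the format sshd writes to /var/log/secure (RFC 5737 documentation addresses, not real hosts); the skip-list format (one address per line, '#' for comments) is an assumption of this example. The rules are printed rather than executed so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from the thread: pick SSH sources to block from
# "Failed password" lines, with a failure threshold and a skip list.

# Constructed sample in /var/log/secure format (documentation addresses, not real hosts).
SAMPLE_LOG='Dec 29 12:01:02 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2
Dec 29 12:01:05 gw sshd[2103]: Failed password for root from 198.51.100.7 port 40212 ssh2
Dec 29 12:01:09 gw sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40214 ssh2
Dec 29 12:02:11 gw sshd[2110]: Failed password for rob from 192.0.2.10 port 51000 ssh2
Dec 29 12:02:30 gw sshd[2112]: Failed password for rob from 192.0.2.10 port 51002 ssh2
Dec 29 12:02:45 gw sshd[2113]: Failed password for rob from 192.0.2.10 port 51004 ssh2
Dec 29 12:03:01 gw sshd[2120]: Accepted password for rob from 192.0.2.10 port 51006 ssh2
Dec 29 12:04:20 gw sshd[2130]: Failed password for invalid user oracle from 203.0.113.99 port 3344 ssh2'

# Constructed skip list (assumed format): one address per line, '#' starts a comment.
WHITELIST='# home address, never block
192.0.2.10'

# Read log lines on stdin, print "count address" for each source with failures.
# The address is taken after "from " because "invalid user" lines have two
# extra words and a fixed awk field number would pick the wrong token.
count_failures() {
    grep 'Failed password for' |
        sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk '{ print $1, $2 }'
}

# $1 = threshold, $2 = skip-list file; log on stdin.
# Prints addresses with at least $1 failures that are not in the skip list.
offenders() {
    threshold=$1
    skiplist=$2
    count_failures | while read -r n ip; do
        [ "$n" -ge "$threshold" ] || continue
        if grep -v '^#' "$skiplist" | grep -qxF "$ip"; then
            continue
        fi
        echo "$ip"
    done
}

# Turn addresses on stdin into iptables rules, one per line. Printed, not run,
# so the output can be checked before being piped into sh as root.
block_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s/32 -j DROP\n' "$ip"
    done
}

# Stand-alone run over the sample: 198.51.100.7 has three failures and is
# listed; 192.0.2.10 also has three but is on the skip list; 203.0.113.99 has one.
skip=$(mktemp)
printf '%s\n' "$WHITELIST" > "$skip"
printf '%s\n' "$SAMPLE_LOG" | offenders 3 "$skip" | block_rules
rm -f "$skip"
```

To use it on a live box, replace the sample with `tail -n 100 /var/log/secure | offenders 5 /etc/ssh-skiplist | block_rules` and pipe the result into `sh` once it looks right; adding `iptables -C INPUT -s "$ip/32" -j DROP ||` in front of the insert would avoid stacking duplicate rules on repeated runs.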