[WBEL-users] iptables auto add baddies script?
Van Loggins
vloggins@turbocorp.com
Thu, 30 Dec 2004 13:03:49 -0500
Rob wrote:
>On Wed, 29 Dec 2004 14:17:13 -0500, Van Loggins <vloggins@turbocorp.com> wrote:
>
>
>>If you are able to come up with a working script please post it to the list. I too have been looking for an automated solution for this problem that uses a preset number of attempts before it drops the incoming IP address. I have a CentOS SSH server (converted over from whitebox a while back) that I use to gain remote access to our company network from home when I have to log in to work on problems remotely.
>>
>>I currently am using portsentry and I manually run a script every time I get a warning message from portsentry about someone attempting to hack into the server.
>>
>>My block script is pretty basic, but just in case anyone wants to look at it, here it is:
>>
>>#!/bin/bash
>># prompt for one address and insert a DROP rule for it at the top of INPUT
>>printf "Enter the IP address to be blocked: "
>>read TARGET
>>iptables -I INPUT -s "$TARGET" -j DROP
>>
>>I look forward to seeing your finished script, Rob.
>>
>>Thanks,
>>
>>Van Loggins
>>
>>--
>>Van Loggins vloggins@turbocorp.com
>>Assistant System Administrator - ESC Dept
>> _
>> -o)
>> /\\
>> _\_v
>>Linux User #316727
>>678-989-3052
>>Turbo Logistics
>>http://www.turbocorp.com
>>
>
>This is what I have so far, and it works. Need to get a way to add IP
>addresses for it to skip over though:
>
>#!/bin/bash
># check for hack attempts, block the source addresses and email alerts if seen
>searchdate=`date +'%b %e'`
>searchtime=`date +'%r'`
>tail -n 100 /var/log/secure > /tmp/output.txt
>grep "Failed password" /tmp/output.txt > /tmp/faillogin
>if [ $? = 0 ]
> then
> # the address is the field after "from" (a fixed $11 is wrong for
> # "invalid user" lines); sort -u keeps one rule per address in this run
> awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' /tmp/faillogin | sort -u > /tmp/awkip.txt
> for i in `cat /tmp/awkip.txt`
> do
> iptables -A INPUT -s "$i/32" -j DROP
> done
> mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < /tmp/faillogin
>fi
>
>Not pretty, and need a little more tweaking.
>
Rob,
I did some googling and I found a program called swatch that should do
what I was wanting it to do.
http://swatch.sourceforge.net
Here's a link to a thread on the fedora users list at Red Hat that gives
some useful info about how to set swatch up as a service and a config
file that can be used to have it automatically block failed login
attempts through SSH:
http://www.redhat.com/archives/fedora-list/2004-October/msg02959.html
The only gotcha is that you have to go find RPMs for the Perl modules
that swatch needs to run.
I found that the Red Hat 9 version RPMs seem to work without any issues
on my hybrid Whitebox/CentOS SSH system; they should work without issues
on any Red Hat Enterprise 3.0-based distro.
I still don't 100% trust this util until I see how it does on the next
real hack attempt on my ssh server, so portsentry will be staying as a
backup until after I see if swatch is working properly.
Hope this info helps,
Have a great day,
Van
--
Van Loggins vloggins@turbocorp.com
Assistant System Administrator - ESC Dept
_
-o)
/\\
_\_v
Linux User #316727
678-989-3052
Turbo Logistics
http://www.turbocorp.com
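The two things asked for in this thread, a preset number of attempts before an address is dropped and a list of addresses to skip, as an added example that is not code from the thread or from swatch. It assumes an iptables that supports `-C` (rule check), runs on constructed sample log lines unless LOGFILE and WHITELIST are set, and only prints the rules unless APPLY=1.

```bash
#!/bin/bash
# Added example, not code from the thread.  Counts "Failed password" lines per
# source address, blocks only addresses at or above THRESHOLD, skips a
# whitelist, and never inserts a duplicate DROP rule.  Set LOGFILE=/var/log/secure
# and WHITELIST=<file> for real use; without them it runs on constructed data.
THRESHOLD="${THRESHOLD:-3}"
if [ -z "${LOGFILE:-}" ]; then
    LOGFILE=$(mktemp) WHITELIST=$(mktemp)
    cat > "$LOGFILE" <<'EOF'
Dec 29 14:17:13 gw sshd[4021]: Failed password for root from 10.9.8.7 port 3312 ssh2
Dec 29 14:17:17 gw sshd[4021]: Failed password for invalid user test from 10.9.8.7 port 3313 ssh2
Dec 29 14:17:21 gw sshd[4025]: Failed password for root from 10.9.8.7 port 3315 ssh2
Dec 29 14:18:02 gw sshd[4030]: Failed password for vloggins from 192.168.1.50 port 40122 ssh2
Dec 29 14:18:04 gw sshd[4030]: Failed password for vloggins from 192.168.1.50 port 40122 ssh2
Dec 29 14:18:06 gw sshd[4030]: Failed password for vloggins from 192.168.1.50 port 40122 ssh2
Dec 29 14:19:00 gw sshd[4040]: Failed password for root from 172.16.0.9 port 2200 ssh2
Dec 29 14:19:30 gw sshd[4041]: Accepted password for vloggins from 192.168.1.50 port 40130 ssh2
EOF
    printf '192.168.1.50\n' > "$WHITELIST"    # constructed: the admin's own home address
fi

# Print one offending address per line.  The address is the field after
# "from", which is right for both "for root from X" and
# "for invalid user foo from X" lines (a fixed $11 is not).
offenders() {
    awk -v t="$THRESHOLD" '
        FILENAME == ARGV[1] { skip[$1] = 1; next }      # whitelist file
        /Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t && !(ip in skip)) print ip }
    ' "$WHITELIST" "$LOGFILE" | sort
}

# Print the rules to add; with APPLY=1 (as root) run them instead, using
# iptables -C to skip addresses that already have a DROP rule.
block_offenders() {
    offenders | while read -r ip; do
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
                iptables -I INPUT -s "$ip" -j DROP
        else
            echo "iptables -I INPUT -s $ip -j DROP"
        fi
    done
}
```

On the sample data 192.168.1.50 reaches the threshold but is skipped by the whitelist, and 172.16.0.9 stays under it, so only 10.9.8.7 is blocked.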