[WBEL-users] iptables auto add baddies script?

Rob Rob <hard2hold@gmail.com>
Thu, 30 Dec 2004 11:11:13 -0800


On Thu, 30 Dec 2004 13:03:49 -0500, Van Loggins <vloggins@turbocorp.com> wrote:
> Rob wrote:
> 
> >On Wed, 29 Dec 2004 14:17:13 -0500, Van Loggins <vloggins@turbocorp.com> wrote:
> >
> >
> >>If you are able to come up with a working script please post it to the list, I too have been looking for an automated solution for this problem that uses a preset number of attempts before it drops the incoming ip address. I have a CentOS SSH server (converted over from whitebox a while back) that I use to gain remote access to our company network from home when I have to log in to work on problems remotely.
> >>
> >>I currently am using portsentry and I manually run a script every time I get a warning message from portsentry about someone attempting to hack into the server.
> >>
> >>my block script is pretty basic but just in case anyone wants to look at it here it is
> >>
> >>#!/bin/bash
> >># prompt for one address and drop all traffic from it
> >>printf "Enter the Ip address to be blocked? "
> >>read TARGET
> >>iptables -I INPUT -s "$TARGET" -j DROP
> >>
> >>I look forward to seeing your finished script Rob
> >>
> >>Thanks,
> >>
> >>Van Loggins
> >>
> >>--
> >>Van Loggins        vloggins@turbocorp.com
> >>Assistant System Administrator - ESC Dept
> >>      _
> >>     -o)
> >>     /\\
> >>    _\_v
> >>Linux User #316727
> >>678-989-3052
> >>Turbo Logistics
> >>http://www.turbocorp.com
> >>
> >>
> >>
> >>
> >
> >This is what I have so far, and it works.  Need to get a way to add ip
> >addresses for it to skip over though:
> >
> >#!/bin/bash
> ># check for hack attempts, block the source addresses and email alerts if seen
> >searchdate=`date +'%b %e'`
> >searchtime=`date +'%r'`
> >tail -n 100 /var/log/secure > /tmp/output.txt
> >if grep "Failed password" /tmp/output.txt > /tmp/faillogin
> >then
> >        # take the address after "from" (the column number shifts on
> >        # "invalid user" lines) and drop duplicates so each ip gets one rule
> >        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' /tmp/faillogin | sort -u > /tmp/awkip.txt
> >        for i in `cat /tmp/awkip.txt`
> >        do
> >                iptables -A INPUT -s $i/32 -j DROP
> >        done
> >        # subject goes with -s, the recipient comes last
> >        mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < /tmp/faillogin
> >fi
> >
> >Not pretty, and need a little more tweaking.
> >
> >
> >
> Rob
> 
> I did some googling and I found a program called swatch that should do
> what I was wanting it to do.
> 
> http://swatch.sourceforge.net
> 
> here's a link to a thread on the fedora users list at redhat that gives
> some useful info about how to set swatch up as a service and a config
> file that can be used to have it automatically block failed login
> attempts through ssh
> 
> http://www.redhat.com/archives/fedora-list/2004-October/msg02959.html
> 
> the only gotcha is that you have to go find rpms for the perl modules
> that swatch needs to run.
> 
> I found that the redhat 9 version rpms seem to work without any issues
> on my hybrid Whitebox/CentOS SSH system, they should work without issues
> on any Redhat Enterprise 3.0 based Distro.
> 
> I still don't 100% trust this util until I see how it does on the next
> real hack attempt on my ssh server, so portsentry will be staying as a
> backup until after I see if swatch is working properly.
> 
> Hope this info helps,
> 
> Have a great Day
> 
> Van
> 
> --
> Van Loggins        vloggins@turbocorp.com
> Assistant System Administrator - ESC Dept
>       _
>      -o)
>      /\\
>     _\_v
> Linux User #316727
> 678-989-3052
> Turbo Logistics
> http://www.turbocorp.com
> 
> 
Will give this a look-see, as I am getting worn out writing this
script. Many thanks for the link!

Rob
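An added example (not Rob's or Van's script, and not part of swatch) that puts together the two things the thread asks for: block only after a preset number of failed attempts, and skip a list of addresses that must never be blocked. The log lines and the whitelist are constructed samples; set DRY_RUN=1 to print the iptables commands instead of running them.

```bash
#!/bin/bash
# Count "Failed password" lines per source address in sshd log text, skip
# whitelisted addresses, and block only sources at or above a threshold.

# Constructed sample of /var/log/secure lines (OpenSSH format of the time).
SAMPLE_LOG='Dec 30 10:01:02 host sshd[1234]: Failed password for root from 10.0.0.5 port 40000 ssh2
Dec 30 10:01:05 host sshd[1235]: Failed password for root from 10.0.0.5 port 40001 ssh2
Dec 30 10:01:09 host sshd[1236]: Failed password for invalid user test from 10.0.0.5 port 40002 ssh2
Dec 30 10:02:00 host sshd[1240]: Failed password for rob from 192.168.1.20 port 50000 ssh2
Dec 30 10:02:30 host sshd[1241]: Failed password for invalid user admin from 10.0.0.9 port 41000 ssh2
Dec 30 10:02:31 host sshd[1242]: Failed password for invalid user admin from 10.0.0.9 port 41001 ssh2
Dec 30 10:02:32 host sshd[1243]: Failed password for invalid user admin from 10.0.0.9 port 41002 ssh2
Dec 30 10:03:00 host sshd[1250]: Accepted password for rob from 192.168.1.20 port 50001 ssh2'

# Constructed whitelist (whitespace separated): the admin's own address, never blocked.
WHITELIST='192.168.1.20'

# offenders LOGTEXT THRESHOLD WHITELIST
# Prints "count ip" for every source with at least THRESHOLD failures, sorted by ip.
# The address is taken from the token after "from", not a fixed awk column,
# because "invalid user" lines have two extra words and shift the fields.
offenders() {
    local log="$1" threshold="$2" allow="$3"
    printf '%s\n' "$log" | awk -v t="$threshold" -v allow="$allow" '
        BEGIN { n = split(allow, a, /[[:space:]]+/)
                for (i = 1; i <= n; i++) if (a[i] != "") skip[a[i]] = 1 }
        /Failed password/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || ip in skip) next
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -k2
}

# block_offenders LOGTEXT THRESHOLD WHITELIST
# One rule per offending address; counting first means an address that appears
# in many log lines is not added many times, as a plain per-line loop would do.
block_offenders() {
    offenders "$@" | while read -r count ip; do
        echo "# $count failed logins from $ip" >&2
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo iptables -I INPUT -s "$ip/32" -j DROP
        else
            iptables -I INPUT -s "$ip/32" -j DROP   # needs root
        fi
    done
}

DRY_RUN="${DRY_RUN:-1}"
block_offenders "$SAMPLE_LOG" 3 "$WHITELIST"
```

Rules added this way vanish at reboot and are re-added on every run unless the log window is pruned; a dedicated chain that is flushed and rebuilt each run avoids both problems.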