[WBEL-users] iptables auto add baddies script?
Rob
Rob <hard2hold@gmail.com>
Thu, 30 Dec 2004 11:11:13 -0800
On Thu, 30 Dec 2004 13:03:49 -0500, Van Loggins <vloggins@turbocorp.com> wrote:
> Rob wrote:
>
> >On Wed, 29 Dec 2004 14:17:13 -0500, Van Loggins <vloggins@turbocorp.com> wrote:
> >
> >
> >>If you are able to come up with a working script please post it to the list, I too have been looking for an automated solution for this problem that uses a preset number of attempts before it drops the incoming ip address. I have a CentOS SSH server (converted over from whitebox a while back) that I use to gain remote access to our company network from home when I have to log in to work on problems remotely.
> >>
> >>I currently am using portsentry and I manually run a script every time I get a warning message from portsentry about someone attempting to hack into the server.
> >>
> >>My block script is pretty basic, but just in case anyone wants to look at it, here it is:
> >>
> >>#!/bin/bash
> >># prompt for a single address and insert a DROP rule at the top of INPUT
> >>printf "Enter the Ip address to be blocked? "
> >>read -r TARGET
> >>iptables -I INPUT -s "$TARGET" -j DROP
> >>
> >>I look forward to seeing your finished script Rob
> >>
> >>Thanks,
> >>
> >>Van Loggins
> >>
> >>--
> >>Van Loggins vloggins@turbocorp.com
> >>Assistant System Administrator - ESC Dept
> >> _
> >> -o)
> >> /\\
> >> _\_v
> >>Linux User #316727
> >>678-989-3052
> >>Turbo Logistics
> >>http://www.turbocorp.com
> >>
> >>
> >>
> >>
> >
> >This is what I have so far, and it works. Need to get a way to add IP
> >addresses for it to skip over though:
> >
> >#!/bin/bash
> ># check for hack attempts and email alerts if seen
> >searchdate=`date +'%b %e'`
> >searchtime=`date +'%r'`
> >tail -n 100 /var/log/secure > /tmp/output.txt
> >grep "Failed password" /tmp/output.txt > /tmp/faillogin
> >if [ $? = 0 ]
> > then
> > # take the word after "from" so both "for user from IP" and
> > # "for invalid user X from IP" lines yield the IP; drop duplicates
> > awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' /tmp/faillogin | sort -u > /tmp/awkip.txt
> > for i in `cat /tmp/awkip.txt`
> > do
> > iptables -A INPUT -s "$i/32" -j DROP
> > done
> > mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < /tmp/faillogin
> >fi
> >
> >Not pretty, and it needs a little more tweaking.
> >
> >
> >
> Rob
>
> I did some googling and I found a program called swatch that should do
> what I was wanting it to do.
>
> http://swatch.sourceforge.net
>
> Here's a link to a thread on the fedora users list at redhat that gives
> some useful info about how to set swatch up as a service and a config
> file that can be used to have it automatically block failed login
> attempts through ssh:
>
> http://www.redhat.com/archives/fedora-list/2004-October/msg02959.html
>
> The only gotcha is that you have to go find rpms for the perl modules
> that swatch needs to run.
>
> I found that the redhat 9 version rpms seem to work without any issues
> on my hybrid Whitebox/CentOS SSH system; they should work without issues
> on any Redhat Enterprise 3.0 based distro.
>
> I still don't 100% trust this util until I see how it does on the next
> real hack attempt on my ssh server, so portsentry will be staying as a
> backup until after I see if swatch is working properly.
>
> Hope this info helps,
>
> Have a great Day
>
> Van
>
> --
> Van Loggins vloggins@turbocorp.com
> Assistant System Administrator - ESC Dept
> _
> -o)
> /\\
> _\_v
> Linux User #316727
> 678-989-3052
> Turbo Logistics
> http://www.turbocorp.com
>
>
Will give this a look-see, as I am getting worn out writing this
script. Many thanks for the link!
Rob
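As an added example (not code from Rob's or Van's posts), here is the piece both of them were after: count "Failed password" lines per source address, require a preset number of attempts before acting, and honour a skip list. It runs over constructed sample log lines (documentation-range IPs) and only prints the iptables commands rather than running them, so it can be tested offline.

```shell
#!/bin/sh
# Constructed /var/log/secure-style sample (fake IPs, not from the thread).
SAMPLE_LOG='Dec 30 10:01:02 host sshd[1234]: Failed password for root from 192.0.2.10 port 4321 ssh2
Dec 30 10:01:05 host sshd[1235]: Failed password for invalid user test from 192.0.2.10 port 4322 ssh2
Dec 30 10:01:09 host sshd[1236]: Failed password for root from 192.0.2.10 port 4323 ssh2
Dec 30 10:02:00 host sshd[1240]: Failed password for rob from 198.51.100.7 port 5000 ssh2
Dec 30 10:02:03 host sshd[1241]: Failed password for rob from 198.51.100.7 port 5001 ssh2
Dec 30 10:02:04 host sshd[1242]: Failed password for rob from 198.51.100.7 port 5002 ssh2
Dec 30 10:03:00 host sshd[1250]: Accepted password for rob from 198.51.100.7 port 5003 ssh2
Dec 30 10:04:00 host sshd[1260]: Failed password for invalid user admin from 203.0.113.5 port 6000 ssh2'

# offenders LOG THRESHOLD SKIPLIST
# Prints "ip count" for every address with >= THRESHOLD failed passwords
# that is not listed in the space-separated SKIPLIST. The address is the
# word after "from", so "invalid user" lines are parsed correctly too.
offenders() {
    log=$1 threshold=$2 skip=" $3 "
    printf '%s\n' "$log" |
        awk -v thr="$threshold" -v skip="$skip" '
            /Failed password/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "from") { n[$(i+1)]++; break }
            }
            END {
                for (ip in n)
                    if (n[ip] >= thr && index(skip, " " ip " ") == 0)
                        print ip, n[ip]
            }' | sort
}

# block_rules LOG THRESHOLD SKIPLIST
# The iptables commands a cron job would run for the offenders found.
block_rules() {
    offenders "$1" "$2" "$3" |
        awk '{ printf "iptables -I INPUT -s %s/32 -j DROP\n", $1 }'
}

# Three attempts required; the admin's home address is skipped.
block_rules "$SAMPLE_LOG" 3 "198.51.100.7"
```

Against the sample, only 192.0.2.10 reaches the threshold and is not skipped, so a single DROP rule is printed; in a real run the output would be piped to sh after checking it against your own address.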