[WBEL-users] iptables auto add baddies script?
Van Loggins
vloggins@turbocorp.com
Mon, 03 Jan 2005 09:01:07 -0500
Thanks Rob, you're the man; this script looks like it will work great.
I was not able to get swatch working properly and we had another hack
attempt yesterday morning on our ssh server.
I'm going to try out your script on my ssh box, do you have any
suggestions about how often I should have the system run it using cron?
I'm thinking that it should probably be run every 12 hours, or possibly
once an hour if it won't cause any problems.
Thanks again,
Van
Rob wrote:
>Ignore that script, wrong one, way too late here. Here is the right one:
>
>#!/bin/bash
>#SSH monitor script
>#12/30/04
># Today's syslog date stamp ("Jan  3": %e is space-padded, as syslog writes it); pull today's lines only.
>searchdate=`date +'%b %e'`
>searchtime=`date +'%r'`
>grep "$searchdate" /var/log/secure > /tmp/secure
># Work on a copy of the saved ruleset; DROP rules are inserted right after the "#baddies"
># marker line, so that line must exist in /etc/sysconfig/iptables ahead of the ACCEPT rules.
>rm /root/iptables.tmp -f
>cp /etc/sysconfig/iptables /root/iptables.tmp
>grep "Failed password for root" /tmp/secure > /tmp/faillogin
>if [ $? = 0 ]
> then
> # Field 11 is the source IP in "... Failed password for root from <ip> port ..."; keep only IP-shaped tokens, once each.
> awk '{print $11}' /tmp/faillogin | grep -E '^[0-9.]+$' | sort -u > /tmp/awkip.txt
> for i in `cat /tmp/awkip.txt`
> do
> # Read the working copy and write it back, so each pass keeps the IPs added before it.
> awk '{print} /#baddies/ {print "-A RH-Firewall-1-INPUT -s '$i'/32 -j DROP"}' /root/iptables.tmp > /root/iptables
> cp /root/iptables /root/iptables.tmp -f
> #iptables -A INPUT -s $i/32 -j DROP
> done
> cp /root/iptables.tmp /etc/sysconfig/iptables -f
> service iptables restart
> /usr/sbin/logrotate -f /etc/logrotate.conf
> mail -s "Failed login via SSH on $searchdate at $searchtime" rob@robhq.com < /tmp/faillogin
>fi
>
># sshd logs unknown accounts as "Failed password for illegal user <name> from <ip> port ..."; the IP is field 13.
>grep "Failed password for illegal user" /tmp/secure > /tmp/faillogin
>if [ $? = 0 ]
> then
> awk '{print $13}' /tmp/faillogin | grep -E '^[0-9.]+$' | sort -u > /tmp/awkip.txt
> for i in `cat /tmp/awkip.txt`
> do
> awk '{print} /#baddies/ {print "-A RH-Firewall-1-INPUT -s '$i'/32 -j DROP"}' /root/iptables.tmp > /root/iptables
> cp /root/iptables /root/iptables.tmp -f
> #iptables -A INPUT -s $i/32 -j DROP
> done
> cp /root/iptables.tmp /etc/sysconfig/iptables -f
> service iptables restart
> /usr/sbin/logrotate -f /etc/logrotate.conf
> mail -s "Failed login via SSH on $searchdate at $searchtime" rob@robhq.com < /tmp/faillogin
>fi
>
--
Van Loggins vloggins@turbocorp.com
Assistant System Administrator - ESC Dept
_
-o)
/\\
_\_v
Linux User #316727
678-989-3052
Turbo Logistics
http://www.turbocorp.com
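The detect-and-block logic of Rob's script, reimplemented as an added Python example (not code from the thread): it parses constructed /var/log/secure lines for both sshd failure phrasings, skips an allowlisted LAN range, applies a failure threshold so one typo does not get an address banned, and inserts DROP rules after the `#baddies` marker without duplicating rules already present. The sample log lines, the sample ruleset, the allowlist and the threshold are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/secure lines (not taken from the original post).
SAMPLE_SECURE = """\
Jan  3 08:12:01 esc sshd[2211]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jan  3 08:12:04 esc sshd[2211]: Failed password for root from 203.0.113.7 port 51014 ssh2
Jan  3 08:12:09 esc sshd[2213]: Failed password for illegal user admin from 198.51.100.9 port 4022 ssh2
Jan  3 08:13:40 esc sshd[2218]: Failed password for root from 192.168.1.20 port 3344 ssh2
Jan  3 08:14:00 esc sshd[2220]: Accepted password for vloggins from 192.168.1.21 port 3345 ssh2
"""

# Constructed /etc/sysconfig/iptables fragment with the "#baddies" marker the script keys on.
SAMPLE_RULESET = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
#baddies
-A RH-Firewall-1-INPUT -s 198.51.100.9/32 -j DROP
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Anchor on the "from <ip> port" token rather than a fixed awk field; "invalid user" is the newer OpenSSH wording.
FAILED_RE = re.compile(r"Failed password for (?:(?:illegal|invalid) user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port")

def failed_logins(secure_text):
    """Count failed password attempts per source IP."""
    counts = {}
    for line in secure_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def ban_candidates(counts, threshold=1, allow=("127.0.0.0/8", "192.168.0.0/16")):
    """IPs at or above the threshold that are not inside an allowed (e.g. LAN) network."""
    nets = [ip_network(cidr) for cidr in allow]
    return sorted(ip for ip, hits in counts.items()
                  if hits >= threshold and not any(ip_address(ip) in net for net in nets))

def insert_rules(ruleset, ips, chain="RH-Firewall-1-INPUT", marker="#baddies"):
    """Return the ruleset with one DROP rule per IP after the marker, skipping IPs already blocked."""
    out = []
    for line in ruleset.splitlines():
        out.append(line)
        if line.strip() == marker:
            out.extend(f"-A {chain} -s {ip}/32 -j DROP" for ip in ips if f"-s {ip}/32" not in ruleset)
    return "\n".join(out) + "\n"
```

With the sample data, `insert_rules(SAMPLE_RULESET, ban_candidates(failed_logins(SAMPLE_SECURE)))` adds only 203.0.113.7: 198.51.100.9 is already in the ruleset and 192.168.1.20 is inside the allowlisted range.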