
Re: Great IP Auto-Ban script



Here's my current script. It implements various thresholds for various probes.
Some I'll allow a couple of attempts, others, one try and you're done.
You also want something like the following in your /etc/ssh/sshd_config file. Pair it with `PermitRootLogin no`, which refuses root before a password is ever checked, and with `UseDNS no`, so sshd logs the client's IP address instead of a reverse-DNS name — the script then never has to forward-resolve a name the remote side chose.

# Deny system users that would never login
DenyUsers root adm mysql postfix apache rpm news mail operator named games ftp ntp nobody halt shutdown sync daemon webalizer sshd gopher uucp vcsa smmsp lp bin www postgres webmaster lpd admin postmaster

Here's the script. I have a cron job that runs it every minute (anacron's scheduling granularity is days, so it is not suited to this).
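#!/bin/bash
#
# Scan an sshd/PAM log for repeated authentication probes and append
# tcp_wrappers "ALL: <ip>" rules for the offenders to hosts.deny.
# Intended to run from cron once a minute.
#
# Usage: $0 [log_file] [deny_file]
#   log_file  - syslog file to scan            (default /var/log/secure)
#   deny_file - hosts.deny file to append to   (default /etc/hosts.deny)
#
log_file=${1:-/var/log/secure}
deny_file=${2:-/etc/hosts.deny}
# Make sure the deny file exists and is writable before any work is done;
# without this check every append below would fail silently.
touch -- "$deny_file" || exit 1
#
# Abort if the log file has not been modified since it was last read
# (bash test -N).  A missing log file fails the test too and exits quietly.
builtin test ! -N "$log_file" && exit 0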
#
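#######################################
# Append a hosts.deny rule for every source in $list that was seen more
# than $threshold times.  Inputs are passed in globals (set by the probe
# list at the bottom of the script):
#   list      - newline-separated sources, one line per log hit; each is a
#               dotted-quad IPv4 address or a host name, optionally followed
#               by " user=<name>" (PAM rhost= style)
#   threshold - number of hits still tolerated; strictly more gets banned
#   msg       - reason text recorded in the comment next to the rule
#   deny_file - tcp_wrappers file to append to
# Side effects: appends "ALL: <ip>" lines, each preceded by a "#" comment
#   line, to $deny_file.  A host name that yields no IPv4 address gets a
#   "# ... Unable to add ..." comment line instead (written once).
# Outputs:  nothing on stdout.
# Returns:  status of the last command in the loop; callers ignore it.
#######################################
deny_ips()
{
   list=${list:?}
   threshold=${threshold:?}
   msg=${msg:?}
   local ipv4='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
   local stamp count host ip reason ip_re
   # One timestamp per run is enough at one-minute cron granularity.
   stamp=$(date +"%Y-%m-%d %R")
   printf '%s\n' "$list" | sort | uniq -c | while read -r count host
   do
      [ "$count" -le "$threshold" ] && continue
      reason="$msg"
      ip="$host"
      if ! printf '%s\n' "$host" | grep -Eq -- "$ipv4"; then
         # Not a dotted quad: the log carried a host name.  Both the name and
         # the address it resolves to are chosen by the remote side, so the
         # value is validated before and after the lookup.
         reason="$reason - $host"
         host=$(printf '%s\n' "$host" | sed -e 's/ *user=.*$//')
         ip=
         # Only plain DNS labels are handed to host(1): a leading '-' would be
         # parsed as an option, and anything else is not a name worth resolving.
         case "$host" in
            -*|''|*[!A-Za-z0-9._-]*) ;;
            *) ip=$(host "$host" 2>/dev/null | sed -n -e 's/.* has address //p' | head -n 1) ;;
         esac
         if ! printf '%s\n' "$ip" | grep -Eq -- "$ipv4"; then
            # A trailing backslash would join this comment with the next line
            # (hosts_access(5) line continuation), so backslashes are dropped.
            reason=$(printf '%s' "$reason" | tr -d '\\')
            # Write the note once, not on every run.
            grep -qF -- "Unable to add $reason" "$deny_file" && continue
            printf '# %s (%s) Unable to add %s\n' "$stamp" "$count" "$reason" >> "$deny_file"
            continue
         fi
      fi
      # Already banned?  Match the address as a whole token ('.' escaped,
      # boundaries checked) so 10.0.0.1 does not hide 10.0.0.10 or 110.0.0.1.
      ip_re=$(printf '%s' "$ip" | sed -e 's/\./\\./g')
      grep -Eq -- "(^|[^0-9.])${ip_re}([^0-9.]|$)" "$deny_file" && continue
      # hosts_access(5) only ignores lines that *begin* with '#', and a second
      # ':' on a rule line introduces a shell command, so the partly
      # remote-supplied reason goes on its own comment line, never on the
      # rule itself.  Backslashes are dropped for the same line-continuation
      # reason as above.
      reason=$(printf '%s' "$reason" | tr -d '\\')
      printf '# added %s (%s %s)\n' "$stamp" "$count" "$reason" >> "$deny_file"
      printf 'ALL: %s\n' "$ip" >> "$deny_file"
   done
}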

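#######################################
# Print the source of every $log_file line matching $1: the token after the
# last " from " on the line.  sshd writes the (remote-supplied) user name
# before " from ", so anchoring on that word is safer than counting fields,
# which shift if the name contains a space and would let the remote side
# choose what gets banned.
# Globals:   log_file (read)
# Arguments: $1 - grep pattern selecting the lines
# Outputs:   one source (IP address or host name) per matching line
#######################################
sources_after_from()
{
   grep -- "$1" "$log_file" | sed -n -e 's/.* from \([^ ]*\).*/\1/p'
}

# Each probe class sets the globals deny_ips reads (list/threshold/msg) and
# calls it.  threshold is the number of hits still tolerated; one more bans.
# The match strings assume lines such as
#   "Mon DD HH:MM:SS host sshd[pid]: Illegal user foo from 10.0.0.1"
# -- check the exact wording against your own sshd's log before relying on it.
threshold=3
list=$(sources_after_from ': Illegal user')
msg='Illegal user attempts'
[ -n "$list" ] && deny_ips
#
# Direct root attempts: a single failure is enough.
threshold=0
list=$(sources_after_from 'Failed password for root')
msg='Illegal root login attempts'
[ -n "$list" ] && deny_ips
#
threshold=0
list=$(sources_after_from 'Failed password for illegal user root')
msg='Illegal user root login attempts'
[ -n "$list" ] && deny_ips
#
threshold=6
list=$(sources_after_from 'Failed password for illegal user ')
msg='Failed password attempts'
[ -n "$list" ] && deny_ips
#
# PAM "authentication failure" lines carry the source as rhost=<host>,
# possibly followed by " user=<name>", which deny_ips strips off.
threshold=3
list=$(grep -E -- ': authentication failure; .*rhost=' "$log_file" | sed -n -e 's/.*rhost=//p')
msg='Authentication failures'
[ -n "$list" ] && deny_ips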


Mike/
