R'twick Niceorgaw wrote:
Hi all,
Recently I'm receiving a lot of failed ssh login attempts on my box for
user root as well as a whole lot of other users which don't even
exist. I'm getting tired of blocking these IPs manually every day.
Is there any software that can look in the logs and put these IPs in
iptables to drop automatically (either in a daemon mode or via cron)?

TIA
-R'twick


Try this

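#!/bin/bash
# Rebuild the BLACKLIST chain from sshd "Invalid user" entries in syslog.

# Start from the addresses collected on earlier runs.
cat /scripts/bad-ips > /scripts/bad-ssh
# Current log: keep whatever follows "from " on sshd "Invalid" lines.
grep sshd /var/log/messages | grep Invalid | sed -e 's/^.*from //' | sort -u >> /scripts/bad-ssh
# Rotated logs (messages.1.gz, messages.2.gz, ...).
zcat /var/log/messages.*.gz | grep sshd | grep Invalid | sed -e 's/^.*from //' | sort -u >> /scripts/bad-ssh
# Strip the IPv4-mapped prefix and keep only dotted-quad addresses, so no
# other text from the logs reaches the iptables command line.
sed -e 's/::ffff://g' /scripts/bad-ssh | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u | sort -n > /scripts/bad-ips

# Empty the chain before re-adding every address.
/sbin/iptables -F BLACKLIST

echo "Writing IPTables Rulesets"

while read -r i
do
    # Log the packet first, then drop ICMP and reject TCP/UDP from the address.
    /sbin/iptables -A BLACKLIST -p ALL -i eth1 -s "$i/32" -j LOG --log-prefix "BLACKLISTED: "
    /sbin/iptables -A BLACKLIST -p ICMP -i eth1 -s "$i/32" -j DROP
    /sbin/iptables -A BLACKLIST -p TCP -i eth1 -s "$i/32" -j REJECT
    /sbin/iptables -A BLACKLIST -p UDP -i eth1 -s "$i/32" -j REJECT
    echo -n "."
done < /scripts/bad-ips

echo
echo "Done."

# Anything not blacklisted goes back to the calling chain.
/sbin/iptables -A BLACKLIST -j RETURN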

--
gentoo-user@gentoo.org mailing list
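
An added example, not part of the original reply: the same log-to-blocklist step with a per-address failure threshold, an allowlist and strict IPv4 validation, so that one mistyped login or a malformed log field does not end up as an iptables rule. The function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: function names, threshold and log lines are assumptions.

# Constructed sample in the syslog format the script above greps.
sample_log() {
cat <<'EOF'
Mar  3 10:00:01 box sshd[101]: Invalid user admin from 203.0.113.7
Mar  3 10:00:03 box sshd[102]: Invalid user test from ::ffff:203.0.113.7 port 4242
Mar  3 10:01:00 box sshd[103]: Invalid user bob from 198.51.100.9
Mar  3 10:02:00 box sshd[104]: Invalid user a from 192.0.2.10 from 198.51.100.23
Mar  3 10:02:02 box sshd[105]: Invalid user b from 192.0.2.10 from 198.51.100.23
Mar  3 10:03:00 box sshd[106]: Invalid user root from 203.0.113.999
Mar  3 10:03:01 box sshd[107]: Invalid user root from 203.0.113.999
Mar  3 10:04:00 box sshd[108]: Invalid user me from 192.0.2.1
Mar  3 10:04:09 box sshd[109]: Invalid user me from 192.0.2.1
EOF
}

# offenders THRESHOLD [ALLOWED_IP...] < log
# Prints each IPv4 source with at least THRESHOLD "Invalid user" lines.
offenders() {
    threshold=$1; shift
    awk -v min="$threshold" -v allow="$*" '
    function valid(addr,   o, k) {
        if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        split(addr, o, ".")
        for (k = 1; k <= 4; k++)
            if (length(o[k]) > 3 || o[k] + 0 > 255) return 0
        return 1
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    / sshd\[[0-9]+\]: Invalid user / {
        # Keep only the text after the LAST " from ": the user name comes
        # from the client and may itself contain " from <address>".
        rest = $0
        while ((p = index(rest, " from ")) > 0) rest = substr(rest, p + 6)
        split(rest, tok, " ")          # drops a trailing "port N"
        ip = tok[1]
        sub(/^::ffff:/, "", ip)        # IPv4-mapped form, as in the script
        if (valid(ip) && !(ip in ok)) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Two failures or more; 192.0.2.1 stands in for a host that must stay reachable.
sample_log | offenders 2 192.0.2.1
```

The printed addresses can be fed to the BLACKLIST loop in place of /scripts/bad-ips.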


