Gentoo Archives: gentoo-security

From: darren kirby <bulliver@×××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:50
Message-Id: 200510021520.53341.bulliver@badcomputer.org
In Reply to: [gentoo-security] [OT?] automatically firewalling off IPs by Jeremy Brake
quoth the Jeremy Brake:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B
Here is a perl script I wrote to scan my exim and apache logs for miscreants to ban. It doesn't support $time or $number of login attempts, because I don't allow 'three strikes': one dumb move and you're banned. The length of the ban lasts until the iptables rules are flushed and reloaded, which you can either script or do manually. Anyway, I've commented the lines you need to change for your specific purpose, and my script checks 3 logfiles where you will probably only need one, so I've edited it as such. Hopefully you can edit this to your purpose, or else it will at least give you some ideas of where to start. This script does assume that iptables has a user-defined chain 'banned' with a policy of 'DROP'....

#########################
#!/usr/bin/perl -w
use strict;

# Scan the log for offending lines and collect the source addresses.
open(my $alog, '<', "/var/log/apache2/error_log")   # change this to your logfile
    or die "cannot open logfile: $!";
my @arbl;
while (my $aline = <$alog>) {
    chomp($aline);
    if ($aline =~ m/URI too long/) {    # change 'URI too long' to the pattern
        my @aip = split / /, $aline;    # you want to match in your log
        my $aip = $aip[7];              # <-- you may have to edit this
        $aip =~ s/[\]]//;               # line to match format of your logs
        push(@arbl, $aip);
    }
}
close($alog);

# just like unix uniq
my %seen = ();
my @arbls = grep { !$seen{$_}++ } sort @arbl;

# grab already banned ip addresses.
my @banned;
foreach my $rule (`iptables -L banned -n`) {
    chomp($rule);
    if ($rule =~ m/\d{1,3}(?:\.\d{1,3}){3}/) {
        $rule =~ s/\s+/ /g;
        my @fields = split / /, $rule;
        push(@banned, $fields[3]);      # 4th column of 'iptables -L -n' is the source
    }
}
my %is_banned = map { $_ => 1 } @banned;

foreach my $bl (@arbls) {
    # only ever hand a plain IPv4 address to iptables
    next unless $bl =~ m/^\d{1,3}(?:\.\d{1,3}){3}$/;
    if ($is_banned{$bl}) {
        print "$bl\t already banned\n";
    } else {
        print "banning $bl\n";
        system('iptables', '-A', 'banned', '-s', $bl, '-j', 'DROP');
    }
}
######################

Now set this up as a cron task (I run every 15 minutes)

Hope this helps...
-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
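Jeremy's original request (ban after $number failures within $time, with an exclusion list) is exactly what the perl above leaves out, so here is an added example of that logic against sshd auth.log lines; it is not code from this thread. Assumptions: the sample log lines are constructed, the year 2005 is assumed for syslog timestamps (they carry none), the 'banned' chain is the one from the post, and each rule carries an expires= tag via iptables' comment match so a later cron pass can lift the ban.

```python
import re
import time
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth.log lines (not from the thread); syslog stamps carry no year, 2005 is assumed.
SAMPLE_LOG = """Oct  2 15:20:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Oct  2 15:20:05 host sshd[1235]: Failed password for root from 203.0.113.7 port 40130 ssh2
Oct  2 15:20:09 host sshd[1236]: Failed password for root from 203.0.113.7 port 40138 ssh2
Oct  2 15:25:00 host sshd[1238]: Failed password for root from 192.0.2.10 port 50010 ssh2
Oct  2 15:25:01 host sshd[1239]: Failed password for root from 192.0.2.10 port 50011 ssh2
Oct  2 15:25:02 host sshd[1240]: Failed password for root from 192.0.2.10 port 50012 ssh2
Oct  2 09:00:00 host sshd[1100]: Failed password for root from 198.51.100.5 port 40001 ssh2
Oct  2 15:30:00 host sshd[1241]: Failed password for root from 198.51.100.5 port 40002 ssh2
"""
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
                    r"from (\d{1,3}(?:\.\d{1,3}){3}) port")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def offenders(log_text, threshold=3, window=timedelta(minutes=10), exclude=()):
    """IPs with at least `threshold` failed logins inside some `window` (sliding)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m and m.group(2) not in exclude:  # exclusion list: never ban these
            times[m.group(2)].append(datetime.strptime("2005 " + m.group(1), "%Y %b %d %H:%M:%S"))
    bad = []
    for ip, stamps in sorted(times.items()):
        stamps.sort()
        # failures k .. k+threshold-1 are `threshold` hits; ban if they fit in the window
        if any(stamps[k + threshold - 1] - stamps[k] <= window
               for k in range(len(stamps) - threshold + 1)):
            bad.append(ip)
    return bad

def ban_command(ip, ban_for=timedelta(hours=1), now_epoch=None):
    """argv to add the ban; list form (no shell) and an expires= comment for the unban pass."""
    if not IPV4.match(ip):
        raise ValueError(f"refusing to ban non-IPv4 value {ip!r}")
    expires = int(time.time() if now_epoch is None else now_epoch) + int(ban_for.total_seconds())
    return ["iptables", "-A", "banned", "-s", ip, "-m", "comment",
            "--comment", f"expires={expires}", "-j", "DROP"]

def expired_rules(iptables_s_output, now_epoch):
    """argv list deleting every `iptables -S banned` rule whose expires= is in the past."""
    drops = []
    for line in iptables_s_output.splitlines():
        m = re.match(r'^-A banned (.*expires="?(\d+)"?.*)$', line)
        if m and int(m.group(2)) < now_epoch:
            drops.append(["iptables", "-D", "banned"] + m.group(1).replace('"', "").split())
    return drops
```

Each returned argv is meant for subprocess.run(cmd, check=True) from the cron job; the unban pass feeds it the output of `iptables -S banned` and the current epoch.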