List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: darren kirby <bulliver@...>
Subject: Re: [OT?] automatically firewalling off IPs
Date: Sun, 2 Oct 2005 15:20:48 -0700
quoth the Jeremy Brake:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Here is a perl script I wrote to scan my exim and apache logs for miscreants 
to ban. It doesn't support $time or $number of login attempts, because I 
don't allow 'three strikes': one dumb move and you're banned. The length of the 
ban lasts until the iptables rules are flushed and reloaded, which you can 
either script or do manually.

Anyway, I've commented the lines you need to change for your specific purpose, 
and my script checks 3 logfiles where you will probably only need one, so 
I've edited it as such. Hopefully you can edit this to your purpose, or else it 
will just give you some ideas of where to start. This script does assume that 
iptables has a user-defined chain 'banned' with a policy of 'DROP'....

#########################
#!/usr/bin/perl -w
use strict;

my $logfile = "/var/log/apache2/error_log";   # change this to your logfile

open(my $alog, '<', $logfile) or die "can't open $logfile: $!";

my @arbl;
while (my $aline = <$alog>) {
    chomp $aline;
    next unless $aline =~ m/URI too long/;    # change 'URI too long' to the
                                              # pattern you want to match
    # you may have to edit this line to match the format of your logs;
    # the apache error_log puts the address in a "[client 1.2.3.4]" field,
    # and only a well-formed dotted quad is accepted, so nothing else from
    # the log line ever reaches the iptables command below
    if ($aline =~ m/\[client (\d{1,3}(?:\.\d{1,3}){3})\]/) {
        push @arbl, $1;
    }
}
close $alog;

# just like unix uniq
my %seen;
my @arbls = grep { !$seen{$_}++ } sort @arbl;

# grab already banned ip addresses from the 'banned' chain.
# rule lines look like "DROP  all  --  1.2.3.4  0.0.0.0/0"; the source is
# the 4th field, and the two header lines contain no dotted quad
my %banned;
foreach my $rule (`iptables -L banned -n`) {
    chomp $rule;
    next unless $rule =~ m/\d{1,3}(?:\.\d{1,3}){3}/;
    my @fields = split /\s+/, $rule;
    my $src = $fields[3];
    $src =~ s{/32$}{};            # some versions print the host mask
    $banned{$src} = 1;
}

foreach my $bl (@arbls) {
    if ($banned{$bl}) {
        print "$bl\t already banned\n";
        next;
    }
    print "banning $bl\n";
    # list form of system(): the address is never handed to a shell
    system('iptables', '-A', 'banned', '-s', $bl, '-j', 'DROP') == 0
        or warn "iptables failed for $bl: $?\n";
}
######################

Now set this up as a cron task (I run it every 15 minutes)
Hope this helps...
-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
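Jeremy's request was for a ban after $number failed logins within $time, lasting $time, with an exclusion list, which the Perl script above deliberately does not do. The following is an added example (written for this page, not darren's script and not anything posted in the thread) in Python that does those three things over sshd syslog lines and emits the same kind of iptables rules against a user-defined 'banned' chain. It assumes the OpenSSH "Failed password for ... from A.B.C.D port N" line format as logged by syslog, that the 'banned' chain exists, and a year for the timestamps (syslog lines carry none); the log lines, addresses and the excluded network are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Threshold-based ssh brute-force banner: count 'Failed password' lines
per source address inside a sliding window, emit iptables commands for
addresses over the limit, skip an exclusion list, and expire old bans."""
import ipaddress
import re
import subprocess
import time
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog-style sshd lines; hosts and addresses are made up.
SAMPLE_LOG = """\
Oct  2 15:01:02 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40111 ssh2
Oct  2 15:01:05 box sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Oct  2 15:01:09 box sshd[2103]: Failed password for root from 192.0.2.10 port 40113 ssh2
Oct  2 15:02:30 box sshd[2110]: Accepted publickey for darren from 198.51.100.7 port 50222 ssh2
Oct  2 15:03:00 box sshd[2115]: Failed password for darren from 198.51.100.7 port 50223 ssh2
Oct  2 15:03:01 box sshd[2115]: Failed password for darren from 198.51.100.7 port 50223 ssh2
Oct  2 15:03:02 box sshd[2115]: Failed password for darren from 198.51.100.7 port 50223 ssh2
Oct  2 15:10:00 box sshd[2140]: Failed password for invalid user test from 203.0.113.5 port 1234 ssh2
Oct  2 15:10:01 box sshd[2140]: Failed password for invalid user test from 203.0.113.5 port 1234 ssh2
Oct  2 15:10:02 box sshd[2140]: Failed password for invalid user test from 203.0.113.5 port 1234 ssh2
Oct  2 15:10:03 box sshd[2140]: Failed password for invalid user test from 203.0.113.5 port 1234 ssh2
"""

# OpenSSH failure line; the address is only accepted as a dotted quad, so a
# crafted username in the log can never become part of an iptables argument.
FAILED_RE = re.compile(
    r'^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+'
)

def parse_failures(log_text, year=2005):
    """Yield (epoch_seconds, ip) for every failed-password line.
    Syslog lines carry no year, so the caller supplies one (assumption)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                                  "%Y %b %d %H:%M:%S")
        yield stamp.timestamp(), m['ip']

def offenders(log_text, number, window, exclusions=(), since=0.0, year=2005):
    """Return the set of addresses with at least `number` failures inside some
    `window`-second span, ignoring failures before `since` and any address that
    falls inside one of the `exclusions` networks (CIDR strings)."""
    nets = [ipaddress.ip_network(x) for x in exclusions]
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text, year):
        if ts >= since:
            by_ip[ip].append(ts)
    tripped = set()
    for ip, stamps in by_ip.items():
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        stamps.sort()
        # sliding window: the i-th failure trips the ban if the failure
        # `number`-1 places before it happened no more than `window` seconds ago
        for i in range(number - 1, len(stamps)):
            if stamps[i] - stamps[i - number + 1] <= window:
                tripped.add(ip)
                break
    return tripped

def plan_rules(offender_ips, state, now, ban_seconds):
    """`state` maps ip -> ban expiry (epoch). Drop rules whose ban has expired,
    add rules for new offenders, and return (state, list of iptables argv)."""
    cmds = []
    for ip, expiry in list(state.items()):
        if expiry <= now:
            cmds.append(['iptables', '-D', 'banned', '-s', ip, '-j', 'DROP'])
            del state[ip]
    for ip in sorted(offender_ips):
        if ip in state:
            continue            # already banned: don't append a duplicate rule
        cmds.append(['iptables', '-A', 'banned', '-s', ip, '-j', 'DROP'])
        state[ip] = now + ban_seconds
    return state, cmds

def apply_rules(cmds, dry_run=True):
    """Print the commands, or run them. List-form subprocess: no shell is
    involved, so the address can't smuggle metacharacters into the command."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)

if __name__ == "__main__":
    NUMBER, WINDOW, BAN = 3, 600, 3600       # $number, detection $time, ban $time
    EXCLUDE = ["198.51.100.0/24"]            # assumed "never ban" range
    hits = offenders(SAMPLE_LOG, NUMBER, WINDOW, EXCLUDE)
    state, cmds = plan_rules(hits, {}, time.time(), BAN)
    apply_rules(cmds, dry_run=True)
```

The script only prints the iptables commands; pass dry_run=False to apply_rules to enforce them. Run from cron the way darren suggests, the state dict has to be saved between runs (json is enough) and `since` set to the previous run's time, otherwise the old failures still sitting in the log re-trip the ban the moment it expires.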
References:
[OT?] automatically firewalling off IPs
-- Jeremy Brake