Gentoo Archives: gentoo-security

From: darren kirby <bulliver@×××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:50
Message-Id: 200510021520.53341.bulliver@badcomputer.org
In Reply to: [gentoo-security] [OT?] automatically firewalling off IPs by Jeremy Brake
quoth the Jeremy Brake:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Here is a perl script I wrote to scan my exim and apache logs for miscreants
to ban. It doesn't support $time or $number of login attempts, because I
don't allow 'three strikes': one dumb move and you're banned. The length of the
ban lasts until the iptables rules are flushed and reloaded, which you can
either script, or do manually.

Anyway, I've commented the lines you need to change for your specific purpose,
and my script checks 3 logfiles where you will probably only need one, so
I've edited it as such. Hopefully you can edit this to your purpose, or else it
will just give you some ideas of where to start. This script does assume that
iptables has a user-defined chain 'banned' with a policy of 'DROP'....

#########################
#!/usr/bin/perl -w
use strict;

my $logfile = "/var/log/apache2/error_log"; # change this to your logfile
my $pattern = qr/URI too long/;             # change 'URI too long' to the pattern
                                            # you want to match in your log

open my $alog, '<', $logfile or die "can't open $logfile: $!";

my @arbl;
while (my $aline = <$alog>) {
    chomp $aline;
    next unless $aline =~ $pattern;
    my @fields = split / /, $aline;
    my $aip = $fields[7];               # <-- you may have to edit this index
    next unless defined $aip;           # to match the format of your logs
    $aip =~ s/[\]]//;                   # apache writes "[client 1.2.3.4]"
    # only a dotted quad gets anywhere near an iptables command line
    next unless $aip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    push @arbl, $aip;
}
close $alog;

# just like unix uniq (sort, then drop repeats)
my %seen;
my @arbls = grep { !$seen{$_}++ } sort @arbl;

# grab already banned ip addresses.
# 'iptables -L banned -n' prints: target prot opt source destination
my %banned;
foreach my $rule (`iptables -L banned -n`) {
    chomp $rule;
    # [0-255] would be a character class (0, 1, 2 or 5), not a numeric range,
    # and would miss most addresses, so every run would re-add the same rules
    next unless $rule =~ /\d{1,3}(?:\.\d{1,3}){3}/;
    my @f = split /\s+/, $rule;
    $banned{$f[3]} = 1;
}

foreach my $bl (@arbls) {
    if ($banned{$bl}) {
        print "$bl\t already banned\n";
        next;
    }
    print "banning $bl\n";
    # list form of system(): the address is a single argv element and never
    # passes through a shell, so a crafted log line can't inject commands
    system('iptables', '-A', 'banned', '-s', $bl, '-j', 'DROP') == 0
        or warn "iptables failed for $bl: $?\n";
    $banned{$bl} = 1;
}
######################

Now set this up as a cron task (I run every 15 minutes)
Hope this helps...
-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
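Jeremy asked for a ban after $number failures within $time plus an exclusion list, which darren's one-strike script leaves out by design. The following is an added example, not darren's script and not anything posted in the thread: it runs the same scan-log-then-ban idea over constructed sshd "Failed password" lines with a count threshold, a sliding time window and a whitelist of hosts or networks, parses "iptables -L banned -n" output the way the script does to avoid duplicate rules, and builds each iptables call as an argument list so nothing from a log line reaches a shell. The chain name 'banned', the sample log lines and chain listing, the log year 2005 and the default threshold of 3 failures in 600 seconds are assumptions.

```python
#!/usr/bin/env python3
"""Threshold-based ssh brute-force blocker (added example, not the script
from the post). Counts sshd 'Failed password' lines per source address
inside a sliding window, skips excluded networks, dedupes against the
'banned' chain and builds each iptables call as argv. Every log line and
the chain listing below are constructed samples."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH syslog format; the timestamp carries no year, so the caller
# supplies one (assumption: all lines come from that same year).
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?\S+ from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+'
)

SAMPLE_LOG = """\
Oct  2 15:20:01 badcomputer sshd[4711]: Failed password for invalid user admin from 10.0.0.5 port 45231 ssh2
Oct  2 15:20:02 badcomputer sshd[4712]: Failed password for invalid user admin from 10.0.0.5 port 45232 ssh2
Oct  2 15:20:03 badcomputer sshd[4713]: Failed password for root from 10.0.0.5 port 45233 ssh2
Oct  2 15:20:04 badcomputer sshd[4714]: Accepted publickey for bulliver from 192.168.1.20 port 52000 ssh2
Oct  2 15:20:05 badcomputer sshd[4715]: Failed password for bulliver from 192.168.1.20 port 52001 ssh2
Oct  2 15:20:06 badcomputer sshd[4716]: Failed password for bulliver from 192.168.1.20 port 52002 ssh2
Oct  2 15:20:07 badcomputer sshd[4717]: Failed password for bulliver from 192.168.1.20 port 52003 ssh2
Oct  2 15:20:08 badcomputer sshd[4718]: Failed password for invalid user test from 10.0.0.9 port 3333 ssh2
Oct  2 16:30:00 badcomputer sshd[4800]: Failed password for invalid user test from 10.0.0.9 port 3334 ssh2
Oct  2 16:30:01 badcomputer sshd[4801]: Failed password for invalid user test from 10.0.0.9 port 3335 ssh2
"""

# constructed 'iptables -L banned -n' output: one host already in the chain
SAMPLE_LISTING = """\
Chain banned (1 references)
target     prot opt source               destination
DROP       all  --  10.0.0.9             0.0.0.0/0
"""


def parse_failures(text, year):
    """Yield (timestamp, ip) for each failed-password line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group('ip')


def offenders(text, threshold, window_seconds, exclude, year):
    """Sorted addresses with >= threshold failures inside any window_seconds
    span, minus anything inside an excluded host or network."""
    window = timedelta(seconds=window_seconds)
    nets = [ipaddress.ip_network(e, strict=False) for e in exclude]
    hits = defaultdict(list)
    for ts, ip in parse_failures(text, year):
        hits[ip].append(ts)
    found = set()
    for ip, times in hits.items():
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        times.sort()
        j = 0
        for i, t in enumerate(times):        # window ends at t, starts at times[j]
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                found.add(ip)
                break
    return sorted(found)


def already_banned(listing):
    """Source column of 'iptables -L banned -n' (target prot opt source destination)."""
    banned = set()
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == 'DROP':
            banned.add(f[3])
    return banned


def ban_command(ip):
    """iptables call as an argv list: no shell, so log content is never parsed
    as shell syntax. Anything that is not an address raises ValueError."""
    ipaddress.ip_address(ip)
    return ['iptables', '-A', 'banned', '-s', ip, '-j', 'DROP']


def plan(text, listing, threshold=3, window_seconds=600, exclude=(), year=None):
    """Commands to run now: current offenders that are not yet in the chain."""
    year = year or datetime.now().year
    skip = already_banned(listing)
    return [ban_command(ip)
            for ip in offenders(text, threshold, window_seconds, exclude, year)
            if ip not in skip]


if __name__ == '__main__':
    # live use (as root): feed the real auth log and the real chain listing,
    # then subprocess.run(cmd, check=True) instead of printing
    for cmd in plan(SAMPLE_LOG, SAMPLE_LISTING, exclude=['192.168.1.0/24'], year=2005):
        print(' '.join(cmd))
```

On the sample data 10.0.0.5 fails three times in two seconds and gets banned; 192.168.1.20 also fails three times but sits in the excluded network; 10.0.0.9 has three failures in total but never three inside ten minutes, so it stays off the list until the threshold or window is loosened. As with the script above, the ban lasts until the chain is flushed; run it from cron the same way.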