quoth the Jeremy Brake:

> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Here is a perl script I wrote to scan my exim and apache logs for miscreants
to ban. It doesn't support $time or $number of login attempts, because I
don't allow 'three strikes': one dumb move and you're banned. The length of the
ban lasts until the iptables rules are flushed and reloaded, which you can
either script, or do manually.

Anyway, I've commented the lines you need to change for your specific purpose,
and my script checks 3 logfiles where you will probably only need one, so
I've edited it as such. Hopefully you can edit this to your purpose, or else it will
just give you some ideas of where to start. This script does assume that
iptables has a user-defined chain 'banned' with a policy of 'DROP'....

#########################
#!/usr/bin/perl -w
use strict;

my $logfile = "/var/log/apache2/error_log";   # change this to your logfile
open(my $alog, '<', $logfile) or die "cannot open $logfile: $!";

# collect the source address of every matching log line
my @arbl;
while (my $aline = <$alog>) {
    chomp $aline;
    if ($aline =~ m/URI too long/) {           # change 'URI too long' to the pattern
        my @fields = split / /, $aline;        # you want to match in your log
        my $aip = $fields[7];                  # <-- you may have to edit this line
        $aip =~ s/[\]]//;                      # to match the format of your logs
        push(@arbl, $aip);                     # (apache writes "[client 1.2.3.4]")
    }
}
close $alog;

# just like unix uniq, and keep only things that look like IPv4 addresses
# so that nothing copied out of the log ever reaches iptables unchecked
my %seen;
my @arbls = grep { /^\d{1,3}(?:\.\d{1,3}){3}$/ && !$seen{$_}++ } sort @arbl;

# grab already banned ip addresses from the 'banned' chain.
# 'iptables -L banned -n' prints rules as:  DROP  all  --  1.2.3.4  0.0.0.0/0
my %banned;
foreach my $rule (`iptables -L banned -n`) {
    chomp $rule;
    if ($rule =~ m/^DROP\s+\S+\s+--\s+(\d{1,3}(?:\.\d{1,3}){3})/) {
        $banned{$1} = 1;
    }
}

# each rule is an explicit -j DROP, so the chain's own policy is not relied on
foreach my $bl (@arbls) {
    if ($banned{$bl}) {
        print "$bl\t already banned\n";
    }
    else {
        print "banning $bl\n";
        # list form of system(): no shell, so no metacharacter surprises
        system("iptables", "-A", "banned", "-s", $bl, "-j", "DROP") == 0
            or warn "iptables failed for $bl: $?\n";
    }
}
######################

Now set this up as a cron task (I run every 15 minutes)
Hope this helps...
-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
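The $number-failures-in-$time variant that the original question asked for, with an exclusion list and a check against rules already in the 'banned' chain, as an added example: this is my own Python, not code from the thread or from darren's script. It assumes syslog-style sshd lines in /var/log/auth.log, a user-defined 'banned' chain that `iptables -S banned` lists as "-A banned -s A.B.C.D/32 -j DROP", and an assumed admin range 192.0.2.0/24 as the exclusion list; the log lines and chain listing embedded below are constructed samples, not captured traffic. The window test is a sliding one, so two old failures plus one fresh one do not add up to a ban.

```python
import ipaddress
import re
import subprocess
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Classic syslog-style sshd line, e.g.
# "Mar  5 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40000 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
# 'iptables -S banned' prints one rule per line as "-A banned -s 1.2.3.4/32 -j DROP"
RULE_RE = re.compile(r"^-A banned -s (?P<ip>[\d.]+)(?:/32)? -j DROP$")

# Constructed sample input (not real traffic); syslog lines carry no year, so one is assumed
SAMPLE_AUTH_LOG = """\
Mar  5 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40000 ssh2
Mar  5 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  5 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  5 10:00:09 host sshd[1204]: Accepted publickey for jeremy from 192.0.2.10 port 5000 ssh2
Mar  5 10:00:10 host sshd[1205]: Failed password for jeremy from 192.0.2.10 port 5001 ssh2
Mar  5 10:00:11 host sshd[1206]: Failed password for jeremy from 192.0.2.10 port 5002 ssh2
Mar  5 10:00:12 host sshd[1207]: Failed password for jeremy from 192.0.2.10 port 5003 ssh2
Mar  5 08:00:00 host sshd[1100]: Failed password for root from 198.51.100.77 port 3000 ssh2
Mar  5 08:00:01 host sshd[1101]: Failed password for root from 198.51.100.77 port 3001 ssh2
Mar  5 10:00:30 host sshd[1209]: Failed password for root from 198.51.100.77 port 3002 ssh2
Mar  5 10:00:20 host sshd[1210]: Failed password for root from 198.51.100.9 port 4000 ssh2
Mar  5 10:00:21 host sshd[1211]: Failed password for root from 198.51.100.9 port 4001 ssh2
Mar  5 10:00:25 host sshd[1212]: Failed password for root from 198.51.100.9 port 4002 ssh2
"""
# Constructed listing of a 'banned' chain that already drops one of the offenders
SAMPLE_BANNED_CHAIN = "-N banned\n-A banned -s 203.0.113.7/32 -j DROP\n"
# Assumed exclusion list: an admin range that must never be banned
EXCLUDE = [ipaddress.ip_network("192.0.2.0/24")]


def parse_failures(log_text, year):
    """Return (timestamp, ip) pairs for every sshd 'Failed password' line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m["ip"])      # drop anything that is not a real address
        except ValueError:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["ip"]))
    return out


def offenders(failures, threshold, window):
    """IPs with at least `threshold` failures inside some `window`-long span."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits


def is_excluded(ip, exclusions):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exclusions)


def already_banned(chain_listing):
    """Source addresses already present as DROP rules in the 'banned' chain."""
    return {m["ip"] for m in map(RULE_RE.match, chain_listing.splitlines()) if m}


def iptables_cmd(ip):
    """argv for one ban; ip_address() rejects anything that is not an address,
    and the argv form means log content never reaches a shell."""
    ipaddress.ip_address(ip)
    return ["iptables", "-A", "banned", "-s", ip, "-j", "DROP"]


def plan_bans(log_text, chain_listing, threshold=3, window=timedelta(minutes=10),
              exclusions=EXCLUDE, year=2024):
    """Sorted list of addresses that should be added to the 'banned' chain now."""
    hits = offenders(parse_failures(log_text, year), threshold, window)
    done = already_banned(chain_listing)
    return sorted(ip for ip in hits if ip not in done and not is_excluded(ip, exclusions))


if __name__ == "__main__":
    # Real run (e.g. from cron): read auth.log and the live chain; pass --apply to insert rules
    with open("/var/log/auth.log") as fh:
        log_text = fh.read()
    chain = subprocess.run(["iptables", "-S", "banned"],
                           capture_output=True, text=True, check=True).stdout
    for ip in plan_bans(log_text, chain, year=datetime.now().year):
        print("banning", ip)
        if "--apply" in sys.argv:
            subprocess.run(iptables_cmd(ip), check=True)
```

On the constructed sample this plans exactly one new ban, 198.51.100.9: 203.0.113.7 trips the threshold but is already in the chain, 192.0.2.10 trips it but sits in the exclusion range, and 198.51.100.77 has three failures in total but never three inside one ten-minute window. Unbanning after $time is left to whatever flushes and reloads the chain, as in the reply above.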