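#!/bin/bash
#
# Log Filter/Firewall Generator
# by Mike Crute (mcrute@gmail.com)
# on November 20, 2009
#
# Script to scrape over logfiles and generate blocked-ip
# list for people abusing machine services. This is designed
# to be run as a cron.
#
# Inputs:  /var/log/auth.log (sshd), /var/log/vsftpd.log (vsftpd)
# Outputs: rewrites BLOCK_FILE (one IPv4 address per line, sorted and
#          de-duplicated), then runs /root/bin/firewall to apply it.
# Env:     THRESHOLD - failures per address before it is blocked (default 10)
#
set -u

readonly BLOCK_FILE=/etc/firewall/blocked-ips
# Number of failed logins from one address (counted over the whole
# current log file) that an address must exceed before it is blocked.
readonly THRESHOLD=${THRESHOLD:-10}
readonly SSHD_LOG=/var/log/auth.log
readonly FTP_LOG=/var/log/vsftpd.log

# One dotted-quad, used as a sub-expression inside the sed -E patterns.
readonly IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

die() { printf '%s: %s\n' "${0##*/}" "$*" >&2; exit 1; }

#######################################
# Print every address that appears more than $1 times on stdin
# (one address per input line).
# Arguments: $1 - threshold; an address is printed only if count > $1
# Outputs:   offending addresses, one per line, in awk hash order
#######################################
count_abusers() {
  awk -v limit="$1" '{ a[$1]++ } END { for (i in a) if (a[i] > limit) print i }'
}

#######################################
# Extract the client address from sshd "Failed password" lines.
# The address is taken only from the trailing "from <ip> port" token,
# never from the attacker-chosen user name earlier on the line, so a
# login attempt for a user named like an IP address cannot plant
# arbitrary addresses (e.g. a legitimate admin's) in the block list.
# Arguments: $1 - path to the sshd log
# Outputs:   one IPv4 address per matching log line
#######################################
sshd_failures() {
  sed -nE "s/.*sshd\[[0-9]+\]: Failed password for .* from (${IPV4_RE}) port .*/\1/p" -- "$1"
}

#######################################
# Extract the client address from vsftpd "FAIL LOGIN" lines, which
# vsftpd writes as: FAIL LOGIN: Client "<ip>"  (quotes optional here).
# Only the token after "Client" is used, for the same reason as in
# sshd_failures: the user name is logged earlier on the same line.
# Arguments: $1 - path to the vsftpd log
# Outputs:   one IPv4 address per matching log line
#######################################
ftp_failures() {
  sed -nE "s/.*FAIL LOGIN: Client \"?(${IPV4_RE})\"?.*/\1/p" -- "$1"
}

#######################################
# Append the abusers found in one log file to BLOCK_FILE.
# Arguments: $1 - extractor function (sshd_failures / ftp_failures)
#            $2 - log file path; skipped with a warning if unreadable,
#                 so a missing service log does not abort the run
# Globals:   THRESHOLD (read), BLOCK_FILE (appended to)
#######################################
collect() {
  local extractor=$1 logfile=$2
  if [[ ! -r "$logfile" ]]; then
    printf 'warning: cannot read %s, skipping\n' "$logfile" >&2
    return 0
  fi
  "$extractor" "$logfile" | count_abusers "$THRESHOLD" >> "$BLOCK_FILE"
}

main() {
  # Purge the block file at the first hour of the first day of the
  # month to prevent stale IPs from sitting in the block file.
  # Compared as a string: date prints zero-padded values ("08", "09"),
  # which bash arithmetic rejects as invalid octal numbers.
  if [[ "$(date +%d%H)" == 0100 ]]; then
    : > "$BLOCK_FILE"
  fi

  # Make sure the list exists even if neither log yields anything, so
  # the sort/mv step below always has a file to work on.
  touch -- "$BLOCK_FILE" || die "cannot write $BLOCK_FILE"

  collect sshd_failures "$SSHD_LOG"
  collect ftp_failures "$FTP_LOG"

  # De-dup the filter file through a temp file in the same directory so
  # the final mv is atomic and the firewall never reads a half-written list.
  local tmp
  tmp=$(mktemp "${BLOCK_FILE}.XXXXXX") || die "mktemp failed"
  # Bake the path into the trap: $tmp is local and gone by the time EXIT fires.
  trap "rm -f -- '${tmp}'" EXIT
  sort -u -- "$BLOCK_FILE" > "$tmp" || die "sort failed"
  mv -- "$tmp" "$BLOCK_FILE" || die "cannot replace $BLOCK_FILE"

  # Refresh the firewall; its exit status becomes the script's.
  /root/bin/firewall
}

main "$@"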