path: root/filterwall.sh
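#!/bin/bash
#
# Log Filter/Firewall Generator
# by Mike Crute (mcrute@gmail.com)
# on November 20, 2009
#
# Script to scrape over logfiles and generate blocked-ip
# list for people abusing machine services. This is designed
# to be run as a cron.
#
# Flow: (1) once a month, empty the block list; (2) collect the source
# address of every sshd / vsftpd authentication failure and append each
# address seen more than THRESHOLD times; (3) de-duplicate the list;
# (4) run the firewall script that applies it.
#
# Configuration (environment overrides the defaults):
#   BLOCK_FILE  one blocked IPv4 address per line
#               (default /etc/firewall/blocked-ips)
#   THRESHOLD   failures above which an address is blocked (default 10)
#

# -u turns a misspelled variable into an error instead of an empty path.
# -e is deliberately not set: as before, one unreadable log must not stop
# the remaining filters or the firewall refresh.
set -u

BLOCK_FILE=${BLOCK_FILE:-/etc/firewall/blocked-ips}
THRESHOLD=${THRESHOLD:-10}
readonly SSHD_LOG=/var/log/auth.log
readonly FTP_LOG=/var/log/vsftpd.log
readonly FIREWALL_CMD=/root/bin/firewall

# Dotted-quad IPv4 address as an ERE (same shape the original matched).
readonly IPV4='([0-9]{1,3}\.){3}[0-9]{1,3}'

# sed -E scripts that print ONLY the offending address of a failure line.
# Both are anchored on the field the daemon writes the peer address in,
# and the greedy leading .* selects the LAST such field on the line, so a
# dotted quad that a remote client puts into its user name is not the one
# that gets counted (the original took the first dotted quad anywhere on
# the line).
#   sshd:   "... Failed password for [invalid user] NAME from A.B.C.D port N ssh2"
#   vsftpd: '... FAIL LOGIN: Client "A.B.C.D"'
readonly SSHD_EXTRACT="s/.* from ($IPV4)( .*)?\$/\\1/p"
readonly FTP_EXTRACT="s/.*FAIL LOGIN: Client \"?($IPV4).*/\\1/p"

#######################################
# Append to BLOCK_FILE every address with more than THRESHOLD failures.
# Globals:   BLOCK_FILE (appended), THRESHOLD (read)
# Arguments: $1 - log file to scan
#            $2 - grep -E pattern selecting the failure lines
#            $3 - sed -E script printing only the address of such a line
# Outputs:   diagnostics on stderr; addresses are appended to BLOCK_FILE
# Returns:   0 (an unreadable log is skipped, not fatal)
#######################################
add_offenders() {
  local logfile=$1 pattern=$2 extract=$3

  if [[ ! -r "$logfile" ]]; then
    printf 'filterwall: skipping unreadable log %s\n' "$logfile" >&2
    return 0
  fi

  # Only the captured address is printed (sed -n ... p), so no other log
  # content can end up in the list handed to the firewall script.
  grep -E -- "$pattern" "$logfile" \
    | sed -nE "$extract" \
    | awk -v limit="$THRESHOLD" \
        '{ a[$1]++ } END { for (i in a) if (a[i] > limit) print i }' \
    >> "$BLOCK_FILE"
}

#######################################
# Empty BLOCK_FILE during hour 00 of the 1st of the month so stale
# addresses do not sit in the block file forever. Only fires if cron runs
# the script during that hour.
# Globals:   BLOCK_FILE (truncated)
#######################################
purge_if_due() {
  # Compared as a string: "date +%d" yields zero-padded values such as 08,
  # which bash arithmetic rejects as an invalid octal number.
  if [[ "$(date +%d%H)" == 0100 ]]; then
    : > "$BLOCK_FILE"   # truncate; the old 'echo >' left a blank line
  fi
}

#######################################
# Rewrite BLOCK_FILE sorted, unique and without blank lines.
# Globals:   BLOCK_FILE (rewritten in place via a .tmp file)
# Returns:   0 if the file is absent or was rewritten; sort/mv status otherwise
#######################################
dedup_block_file() {
  [[ -f "$BLOCK_FILE" ]] || return 0
  # LC_ALL=C gives a byte-wise, locale-independent order; the file is only
  # replaced after sort succeeded so a failure cannot empty it.
  grep -v '^$' -- "$BLOCK_FILE" | LC_ALL=C sort -u > "$BLOCK_FILE.tmp" \
    && mv -- "$BLOCK_FILE.tmp" "$BLOCK_FILE"
}

#######################################
# Entry point: purge, collect sshd and FTP abusers, de-dup, refresh.
# Globals:   BLOCK_FILE, THRESHOLD, SSHD_LOG, FTP_LOG, FIREWALL_CMD (read)
# Returns:   exit status of the firewall script, as before
#######################################
main() {
  if [[ ! "$THRESHOLD" =~ ^[0-9]+$ ]]; then
    printf 'filterwall: THRESHOLD must be a non-negative integer, got %s\n' \
      "$THRESHOLD" >&2
    exit 2
  fi

  purge_if_due

  # Filter SSHD abusers
  add_offenders "$SSHD_LOG" 'sshd\[[0-9]+\]: Failed password for' "$SSHD_EXTRACT"
  # Filter FTP abusers
  add_offenders "$FTP_LOG" 'FAIL LOGIN: Client' "$FTP_EXTRACT"

  dedup_block_file

  # Refresh the firewall; its status is the script's exit status so cron
  # reports a failed refresh.
  "$FIREWALL_CMD"
}

main "$@"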