> Is there a script that reads the auth file, looks for lines like
> Failed password for admin from 62.193.235.117
> and then places that IP in hosts.deny ?
This might be a bit dangerous: what if you accidentally make a typo when logging
in? You will end up getting blocked yourself!
> I could review the file and manually add the IPs,
> but I'd rather have an automatic function.
How about the following script which you can run from cron as often as you like
(must be run as root)...
--- CUT FROM HERE ---
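#!/bin/sh
# Report IPs with failed SSH logins that are not yet in /etc/hosts.deny
TMPFILE1=`mktemp /tmp/badip1.XXXXXX` || exit 1
TMPFILE2=`mktemp /tmp/badip2.XXXXXX` || { rm -f "${TMPFILE1}"; exit 1; }
# Remove the temporary files when the script exits
trap 'rm -f "${TMPFILE1}" "${TMPFILE2}"' EXIT

# Collect source IPs from "Invalid user" and "Failed password" lines
grep "Invalid user" /var/log/auth | awk '{ print $10 }' >> "${TMPFILE1}"
grep "Failed password" /var/log/auth | grep -v "invalid user" \
    | awk '{ print $11 }' >> "${TMPFILE1}"
sort -u "${TMPFILE1}" > "${TMPFILE2}"
: > "${TMPFILE1}"

# Keep only the IPs that are not already listed in /etc/hosts.deny
while read -r IPS
do
    [ -n "${IPS}" ] || continue
    # -F: match the dots literally; -w: do not match inside a longer address
    if ! grep -qwF -- "${IPS}" /etc/hosts.deny
    then
        HOST=`host "${IPS}" 2> /dev/null | awk '{ print $5 }'`
        echo "${IPS} (${HOST})"
    fi
done < "${TMPFILE2}" >> "${TMPFILE1}"

if [ -s "${TMPFILE1}" ]
then
    echo "Look at adding the following IP addresses to /etc/hosts.deny"
    echo "Add them by adding the line \"ALL : ip.add.re.ss\""
    echo ""
    cat "${TMPFILE1}"
fi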
--- CUT TO HERE ---
It will output any IPs that have been logged as trying an invalid user or
failed password and where the IP does not already exist in /etc/hosts.deny.
It's not pretty, in fact I'll re-write it in Perl with some better error
checking when I have a moment.
Dan
--
Personal : http://www.dogsbody.org/
Hosting : http://www.dogsbodyhosting.net/
_______________________________________________
Cobaltfacts site list
http://list.cobaltfacts.com/mailman/listinfo.cgi/cobaltfacts
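
An added example, not part of the original post or of any code from the list: a variant of the same report that counts attempts per address and applies a threshold and an allowlist, so a single mistyped password is not reported, and that takes the address after the last "from" rather than a fixed field number. The function name, its arguments and the sample log lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# failed_ips LOGFILE THRESHOLD DENYFILE [ALLOWED_IP...]
# Prints source IPs with at least THRESHOLD failed logins that are neither
# allowlisted nor already listed in DENYFILE. All names here are hypothetical.
failed_ips() {
    log=$1; threshold=$2; deny=$3; shift 3
    allow=" $* "
    awk -v min="$threshold" '
        # Same two line types as the original script; the "invalid user"
        # variant of "Failed password" is skipped so it is not counted twice.
        /Invalid user/ || (/Failed password/ && !/invalid user/) {
            # Use the token after the LAST "from": a user name containing
            # spaces shifts fixed positions such as $10 and $11.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            # Count only dotted-quad IPv4 literals.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' "$log" | sort | while read -r ip
    do
        case "$allow" in *" $ip "*) continue ;; esac
        # -F: literal dots, -w: whole token, so 203.0.113.5 != 203.0.113.55
        grep -qwF -- "$ip" "$deny" 2>/dev/null && continue
        echo "$ip"
    done
}

# Constructed sample data (documentation address ranges, not real log lines).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/auth" <<'EOF'
Jan 10 03:00:01 host sshd[101]: Failed password for admin from 203.0.113.5 port 4000 ssh2
Jan 10 03:00:03 host sshd[102]: Invalid user test user from 203.0.113.5
Jan 10 03:00:03 host sshd[102]: Failed password for invalid user test user from 203.0.113.5 port 4001 ssh2
Jan 10 08:15:00 host sshd[201]: Failed password for alice from 192.0.2.10 port 5000 ssh2
Jan 10 08:15:09 host sshd[201]: Failed password for alice from 192.0.2.10 port 5000 ssh2
Jan 10 09:00:00 host sshd[301]: Failed password for root from 198.51.100.7 port 6000 ssh2
Jan 10 09:00:02 host sshd[302]: Failed password for root from 198.51.100.7 port 6001 ssh2
Jan 10 10:30:00 host sshd[401]: Failed password for admin from 192.0.2.44 port 7000 ssh2
EOF
    printf 'ALL : 198.51.100.7\nALL : 203.0.113.55\n' > "$dir/hosts.deny"
    # Threshold 2; 192.0.2.10 stands for the admin's own (allowlisted) address.
    failed_ips "$dir/auth" 2 "$dir/hosts.deny" 192.0.2.10
    rm -rf "$dir"
}
demo   # prints 203.0.113.5
```

In the sample, 192.0.2.44 stays below the threshold, 192.0.2.10 is allowlisted, and 198.51.100.7 is already denied, so only 203.0.113.5 is reported.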