quoth the Jeremy Brake:
> Hey all,
>
> I'm looking for an app/script which can monitor for failed ssh logins,
> and block using IPTables for $time after $number of failed logins (an
> exclusion list would be handy as well) so that I can put a quick stop to
> these niggly brute-force ssh "attacks" I seem to be getting more and
> more often.
>
> Anyone have any ideas?
>
> Thanks, Jeremy B

Here is a perl script I wrote to scan my exim and apache logs for miscreants
to ban. It doesn't support $time or $number of login attempts, because I
don't allow 'three strikes', one dumb move and you're banned. The length of the
ban lasts until the iptables rules are flushed and reloaded, which you can
either script, or do manually.

Anyway, I've commented the lines you need to change for your specific purpose,
and my script checks 3 logfiles where you will probably only need one, so
I've edited it as such. Hopefully you can edit this to your purpose, or else it
will just give you some ideas of where to start. This script does assume that
iptables has a user-defined chain 'banned' with a policy of 'DROP'....

#########################
#!/usr/bin/perl -w
use strict;

# change this to your logfile (e.g. /var/log/auth.log for sshd)
my $logfile = "/var/log/apache2/error_log";
open(my $alog, '<', $logfile) or die "cannot open $logfile: $!";

my @arbl;
while (my $aline = <$alog>) {
    chomp $aline;
    if ($aline =~ m/URI too long/) {   # change 'URI too long' to the pattern
                                        # you want to match in your log
        my @aip = split / /, $aline;
        my $aip = $aip[7];              # <-- you may have to edit this line
        $aip =~ s/[\]]//;               #     to match the format of your logs
        # only accept something that looks like an IPv4 address: the value
        # ends up on an iptables command line, so never trust the raw field
        next unless $aip =~ m/^\d{1,3}(?:\.\d{1,3}){3}$/;
        push(@arbl, $aip);
    }
}
close $alog;

# just like unix sort | uniq
my %seen = ();
my @arbls = sort grep { !$seen{$_}++ } @arbl;

# grab already banned ip addresses from the 'banned' chain
# (only rules whose line contains an IPv4 address are rule lines)
my %banned;
foreach my $rule (`iptables -L banned -n`) {
    chomp($rule);
    if ($rule =~ m/\d{1,3}(?:\.\d{1,3}){3}/) {
        $rule =~ s/\s+/ /g;
        my @fields = split / /, $rule;   # target prot opt source destination
        $banned{$fields[3]} = 1;
    }
}

foreach my $bl (@arbls) {
    if ($banned{$bl}) {
        print "$bl\t already banned\n";
    }
    else {
        print "banning $bl\n";
        # list form of system: no shell involved, $bl is one argument
        system('iptables', '-A', 'banned', '-s', $bl, '-j', 'DROP') == 0
            or warn "iptables failed for $bl: $?";
    }
}
######################

Now set this up as a cron task (I run it every 15 minutes).
Hope this helps...
-d
-- 
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
