Good Morning

I have a shorewall box running successfully, and have done for a few years,
but recently I have noticed that the dynamic script I wrote is not working
correctly.

The issue is basically that if the scan through the logs finds FQDNs with
hyphens in them, the shorewall drop does not drop the address; it splits the
address up using the hyphen as a demark.  If I do a host lookup in the script,
then the ones that are in the log files as a quad dotted address resolve
differently, so a host $i | grep "has address" | awk '{ print $4}' doesn't
work properly...

The script is shown below; any ideas?  Basically I need to drop any connection
attempts shown as authentication failures.  Am I trying to re-invent the wheel?

Phil

#!/bin/bash

# Drop every rhost= value logged with an authentication failure,
# skipping the excluded hosts and networks.
for i in `cat /var/log/secure | grep "authentication failure" |
        awk '{print $14}' | sort | uniq | grep -v "tty=ssh" |
        grep -v bigblue | grep -v btopenworld | grep -v 81.130 |
        grep -v 212.56.68.42 | grep -v 192.168.31. | grep -v 212.219.9.79 |
        grep -v mi079.maninv.com | grep -v uk.ibm.com |
        grep -v 195.212.29.67 | grep -v 213.249.129.100 |
        sed s/rhost\=//g`; do
        /sbin/shorewall drop $i >/dev/null;
done

# Look up and drop the sources of lines matching "illegal" and "port".
for k in `cat /var/log/secure | grep illegal | grep port |
        awk '{print $13}' | sort | uniq`; do
        /sbin/shorewall drop `host $k | grep -v "not found" |
                awk '{print $4}'` >/dev/null;
done

# Disabled: drop the sources of "lame" entries in /var/log/messages.
#for j in `cat /var/log/messages | grep lame | awk '{print $12}' |
#        grep -v 192\.168\.31 | grep -v 212.56.68.42 | grep -v 212.219.9.79 |
#        sed s/\#53//g`; do
#       /sbin/shorewall drop $j >/dev/null;
#done

# Look up and drop clients whose access_log lines match .dll.
for l in `cat /var/log/httpd/access_log | grep .dll | awk '{print $1}'`; do
        /sbin/shorewall drop `host $l | grep -v "not found" |
                awk '{print $4}'` >/dev/null;
done


--
Phil Foxton RHCE
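
One way to keep hyphenated names away from shorewall drop altogether: accept a log token only if it is a valid IPv4 address, resolve names first, and discard everything else. This is an added example, not part of the original post; the function names, the RESOLVER override hook and the sample log lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: every value handed to "shorewall drop" is a validated IPv4 address.

# Succeeds only for a dotted quad with four octets in 0..255.
is_ipv4() {
    local old_ifs o
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Forward lookup using the "host ... has address" filter quoted in the post.
resolve_ipv4() { host "$1" | awk '/has address/ {print $4}'; }

# Map one log token (address or FQDN) to zero or more IPv4 addresses.
# RESOLVER is a hypothetical override hook so the lookup can be stubbed.
normalise_target() {
    local tok ip
    tok=${1#rhost=}
    if is_ipv4 "$tok"; then printf '%s\n' "$tok"; return 0; fi
    case $tok in
        ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;   # not a plausible host name
    esac
    "${RESOLVER:-resolve_ipv4}" "$tok" </dev/null | while read -r ip; do
        if is_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# Read log lines on stdin, pick rhost= by key name (not awk column), emit unique IPs.
drop_list() {
    grep -F 'authentication failure' | tr ' ' '\n' | sed -n 's/^rhost=//p' | sort -u |
    while read -r tok; do normalise_target "$tok" || true; done | sort -u
}

# Constructed sample lines in the style of /var/log/secure (documentation addresses).
sample_log() {
    cat <<'EOF'
Apr  2 09:14:01 fw sshd(pam_unix)[2101]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=root
Apr  2 09:14:09 fw sshd(pam_unix)[2104]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host-81-2.example.net  user=root
Apr  2 09:15:30 fw sshd(pam_unix)[2110]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23  user=admin
EOF
}

# Usage: drop_list < /var/log/secure | xargs -r -n1 /sbin/shorewall drop
```

The exclusions from the original grep -v chain would be applied to the output of drop_list, where they can be matched as exact addresses rather than substrings.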


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
