#!/bin/bash
#
# To be run from cron as root:
# */2 * * * * root PATH_TO_SCRIPT/blockSshByIP.sh
# The number of failed attempts allowed from one ip is set by maxAttempts in the conf file
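# Script name without .sh; used for the conf, save, ignore and scratch file names.
myName=$(basename "$0" .sh)
readonly myName

# db is called throughout this file but never defined in it (presumably a
# debug-logging helper). Give it a no-op fallback so every call does not fail
# with "db: command not found"; a db that already exists is left alone.
if ! command -v db >/dev/null 2>&1; then
  db() { :; }
fi

# Per-run scratch files: mailBody collects what goes into the notification
# mail, mailLine collects the raw log lines that matched. Abort if mktemp
# fails, otherwise the later '>>' redirections would target an empty path.
mailBody=$(mktemp "/tmp/${myName}.mailBody.XXXXXX") || { printf 'mktemp failed\n' >&2; exit 1; }
mailLine=$(mktemp "/tmp/${myName}.mailLine.XXXXXX") || { printf 'mktemp failed\n' >&2; exit 1; }
# Remove the scratch files on every exit path; the rm at the end of the script
# only runs when the script gets that far.
trap 'rm -f -- "$mailBody" "$mailLine"' EXIT

# Addresses that are never blocked, whatever the local ignore file says.
globalIgnore="79.99.3.198 130.237.168.229 92.244.30.210 130.237.95.227"
# Timestamp recorded next to every rule written to saveFile and to the mail.
date=$(date +'%Y-%m-%dT%H:%M:%S')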
# Test remove
# Source conffile if exists, else use defaults
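# Source the conf file if it exists, otherwise write the defaults first.
# The conf is sourced (executed) as root from cron, so it should be writable
# by root only.
confFile="/etc/${myName}.conf"
if [ ! -f "$confFile" ]; then
  db "$confFile dose not exists, write default conf"
  # Default conf: no mail, save/ignore files under /var, three attempts.
  if ! cat << EOF > "$confFile"
mailto=""
saveFile="/var/${myName}.save"
ignoreFile="/var/${myName}.ignore"
maxAttempts="3"
logfile="/var/log/auth.log"
EOF
  then
    printf 'Could not write %s\n' "$confFile" >&2
    exit 1
  fi
fi
# shellcheck source=/dev/null -- the path is only known at run time
source "$confFile"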
# block ip: read lines with the number of attempts and the ip address; the arguments are used as a comment.
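#######################################
# Block addresses that reached maxAttempts.
# Reads "<attempts> <ip-or-hostname>" lines (uniq -c output) from stdin. A
# hostname is resolved with host(1). Addresses on the global ignore list, in
# ignoreFile, or already present in the iptables INPUT chain are skipped.
# Globals:   globalIgnore, ignoreFile, maxAttempts, saveFile, mailto,
#            mailBody, mailLine, date (read)
# Arguments: $* - comment recorded with the rule in saveFile and the mail
# Outputs:   error lines to stderr; appends to saveFile and mailBody
#######################################
blockIp() {
  local MESS="$*"
  local line attempts ip name cmd
  local -a rule
  local -r ipRegex='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
  local -r ipPattern="${ipRegex}\$"
  while IFS= read -r line; do
    db "blockIp() was called with: argument: $* line: $line"
    # First field is the count from uniq -c, second the address or name.
    read -r attempts ip _ <<< "$line"
    # Check if $ip is an ip; anything else is treated as a hostname.
    if [[ "$ip" =~ $ipPattern ]]; then
      db "$ip is an ip"
    else
      db "$ip is not an ip"
      name=$ip
      # host(1) prints "<name> has address <ip>"; keep only the first IPv4
      # address so a multi-homed name does not yield a multi-line value.
      ip=$(host "$name" | awk '{print $4}' | grep -Eo "$ipRegex" | head -n 1)
      db "Done hosting, ip: $ip"
      if [ -z "$ip" ]; then
        printf 'Could not host %s, is empty. From: %s\n' "$name" "$line" >&2
        continue
      fi
    fi
    db "Check global ignorelist"
    # Whole-token comparison: a regex grep for 1.2.3.4 also matched 1.2.3.40.
    if [[ " $globalIgnore " == *" $ip "* ]]; then
      db "Found $ip in global ignorelist"
      continue
    fi
    db "$ip not in global ignorelist"
    db "Check local ignorefile"
    if [ -f "$ignoreFile" ]; then
      if grep -qFw -- "$ip" "$ignoreFile"; then
        db "Found $ip in local ignoreFile"
        continue
      fi
      db "$ip not in local ignorefile"
    else
      db "No local ignorefile"
    fi
    # uniq -c always yields a number, but a malformed line must not turn into
    # a test(1) error; such lines are skipped.
    if ! [[ "$attempts" =~ ^[0-9]+$ ]] || [ "$attempts" -lt "$maxAttempts" ]; then
      continue
    fi
    db "Check if $ip is already blocked..."
    if /sbin/iptables -L -n | grep -qF -- " $ip "; then
      db "Already denied ip: [$ip]"
      continue
    fi
    db "Blocking $ip"
    logger -p authpriv.notice "*** Blocked SSH attempt from: $ip"
    # The rule is run as an argument array, not through eval: $ip originates
    # from the log file and must never reach the shell parser.
    rule=(/sbin/iptables -A INPUT -s "$ip" -p tcp --dport 22 -j DROP)
    cmd="${rule[*]}"   # same text as before for saveFile and the mail
    if "${rule[@]}"; then
      if [ -n "$saveFile" ]; then
        printf '%s # %s %s\n' "$cmd" "$date" "$MESS" >> "$saveFile"
      fi
      if [ -n "$mailto" ]; then
        printf '%s # %s %s\n' "$cmd" "$date" "$MESS" >> "$mailBody"
      fi
      if [ -n "$mailLine" ]; then
        grep -Fw -- "$ip" "$mailLine" >> "$mailBody"
      fi
    fi
  done
}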
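# Each scan selects one kind of auth.log line, keeps the message part (the
# fields after "sshd[pid]:"), records those lines for the mail, then extracts
# the source address and counts attempts per address.
# The sort is applied to the extracted addresses, not to a numeric field of
# the log line as before: uniq -c counts adjacent lines only, and sorting the
# full lines left the same address interleaved with others, so attempts were
# undercounted and the threshold missed.
ipRegex='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

#######################################
# Count attempts per source address for one kind of log line and hand the
# counts to blockIp.
# Globals:   logfile, mailLine, ipRegex (read)
# Arguments: $1 - grep pattern selecting the log lines
#            $2 - cut field list (space separated fields) to keep
#            $3 - comment passed to blockIp
#            $4 - optional pattern; matching lines are excluded
#######################################
scanLog() {
  local pattern=$1 fields=$2 comment=$3 exclude=${4:-}
  grep -- "$pattern" "$logfile" \
    | { if [ -n "$exclude" ]; then grep -v -- "$exclude"; else cat; fi; } \
    | cut -d' ' -f"$fields" \
    | tee -a "$mailLine" \
    | grep -Eo "$ipRegex" \
    | sort \
    | uniq -c \
    | blockIp "$comment"
}

scanLog 'Invalid user' 6- 'Invalid user'
scanLog 'Failed password for invalid user' 6-13 'Failed password for invalid user'
scanLog 'Failed password for' 6-11 'Failed password for valid user' 'invalid'
scanLog 'not listed in AllowUsers' 6- 'Not listed in AllowUsers'
scanLog 'reverse mapping checking getaddrinfo for' 6-13 'Reverse mapping checking getaddrinfo'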
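# Mail the newly blocked addresses when a recipient is configured and this run
# blocked something, then remove the scratch files.
if [ -n "$mailto" ] && [ -s "$mailBody" ]; then
  # mailto stays unquoted on purpose: a space separated list in the conf file
  # is passed as several recipients, as before.
  # shellcheck disable=SC2086
  mail -s "$myName newly blocked addresses" $mailto < "$mailBody"
fi
for scratch in "$mailBody" "$mailLine"; do
  if [ -f "$scratch" ]; then
    rm -f -- "$scratch"
  fi
done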