Today I got two additional battery units for my UPS systems. They have really extended my UPS coverage time at a pretty high load (between 600 and 700 watts). They also weigh 125 pounds each. Hefting those into the rack was a chore.
Today I built up on my previous IP-banning idea. This time I'm upset that so many people try to crack SSH users and passwords. Where does it end??
Anyway, I wrote a few bits of shell script to make it easier to shut these people down.
First, find out who's failing to log in, preferably multiple times, but it's up to you:
cat /var/log/secure* | grep "Failed password" | awk '{print $11;}' | sort | nodup | grep "ffff" > /var/log/ssh.badip
Chances are real good you don't have a program called nodup, because I wrote it. It removes duplicates from sorted lists, only printing one of them. The grep "ffff" part is how I deal with my SSH daemon logging IP addresses (it logs IPv4 clients as IPv4-mapped addresses of the form ::ffff:a.b.c.d). The print $11 awk code is for getting just the IP from the logfile. At the end, the output is redirected to a file.
Next, I wrote a short shell script called iptables.sh that does the work:
#!/bin/bash
# Usage: ./iptables.sh IP [IP ...]  -- drop all traffic to and from each address
for ip in "$@" ; do
    /sbin/iptables -A INPUT -s "$ip" -j DROP    # inbound packets from the address
    /sbin/iptables -A OUTPUT -d "$ip" -j DROP   # outbound packets to the address
done
Then I just chmod u+x iptables.sh and then run:
./iptables.sh $(cat /var/log/ssh.badip)
Voila! Insta-ban badnasty IP addresses at the firewall level!
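As an added example (my own code, not the script from the original post), here is a version of the same idea that doesn't depend on the IP always being field 11: it looks for the word "from" in each "Failed password" line, so it handles both "for root from ..." and "for invalid user admin from ..." lines, strips the ::ffff: prefix so iptables gets a plain IPv4 address, and only reports addresses with at least N failures. The sample log lines are constructed (addresses are from the RFC 5737 documentation ranges), and the log format assumed is the usual Linux syslog sshd line. The ban_rules function only prints the iptables commands (using -C to skip rules that already exist) so you can review them before piping them into sh.

```shell
#!/bin/sh
# Added example: count sshd password failures per source address and emit
# firewall rules for the repeat offenders. Not the original post's scripts.

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[123]: Failed password for root from ::ffff:192.0.2.10 port 4000 ssh2
Mar  3 10:01:05 host sshd[124]: Failed password for invalid user admin from ::ffff:192.0.2.10 port 4001 ssh2
Mar  3 10:01:09 host sshd[125]: Failed password for invalid user test from 198.51.100.7 port 4002 ssh2
Mar  3 10:02:00 host sshd[126]: Accepted password for alice from 203.0.113.5 port 4003 ssh2
Mar  3 10:02:11 host sshd[127]: Failed password for root from ::ffff:192.0.2.10 port 4004 ssh2'

# failed_ips MIN_FAILURES
# Reads log text on stdin; prints "count ip" for every address with at least
# MIN_FAILURES failed password attempts, sorted by address.
failed_ips() {
    min="${1:-1}"
    grep 'Failed password' |
    awk '{
        # The address is the word after "from", whatever came before it.
        for (i = 1; i <= NF; i++) if ($i == "from") {
            ip = $(i + 1)
            sub(/^::ffff:/, "", ip)   # IPv4-mapped IPv6 -> plain IPv4
            print ip
        }
    }' |
    sort | uniq -c |
    awk -v min="$min" '$1 >= min { print $1, $2 }' |
    sort -k2
}

# ban_rules
# Reads one IP per line on stdin and prints the iptables commands that block
# it inbound (-s) and outbound (-d). -C checks whether the rule already exists
# so re-running the script does not pile up duplicate rules.
ban_rules() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf '/sbin/iptables -C INPUT -s %s -j DROP 2>/dev/null || /sbin/iptables -A INPUT -s %s -j DROP\n' "$ip" "$ip"
        printf '/sbin/iptables -C OUTPUT -d %s -j DROP 2>/dev/null || /sbin/iptables -A OUTPUT -d %s -j DROP\n' "$ip" "$ip"
    done
}

# Usage on the constructed sample: show attackers with 2+ failures, then the rules.
printf '%s\n' "$SAMPLE_LOG" | failed_ips 2
printf '%s\n' "$SAMPLE_LOG" | failed_ips 2 | awk '{ print $2 }' | ban_rules
```

On a real box you would replace the sample with `cat /var/log/secure*` and append `| sh` to the last pipeline once the printed rules look right. Keep in mind that a threshold of 1 will happily ban yourself after a single typo, so pick a number that matches how often you fat-finger your own password.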
PS I have since realized that writing my own nodup program is unnecessary, just run sort -u instead.