Lockout-Script
Dieses kleine Ding hier checkt die Loginversuche und sperrt die Scriptkiddies oder andere penetranten Loginversucher aus :-)
#!/bin/bash
#
# This script should check and count the wrong login-attempts and block those script-kiddies
#
# 03.11.2009 - first draft - stjakl
# 11.11.2009 - fixed that not all ip's were taken - stjakl
# 19.11.2009 - added a whitelist - stjakl
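LOGFILE="/var/log/secure"
HOST_DENY="/etc/hosts.deny"
#HOST_DENY="/var/tmp/tmpfile5"   # point HOST_DENY at a scratch file for a dry run
WHITE_LIST="/etc/hosts_deny.whitelist"
# Scratch files live in a private directory created by mktemp (mode 0700) rather
# than under fixed names in the world-writable /var/tmp: this script runs as root
# and appends to these files, so a predictable name would let any local user plant
# a symlink there beforehand and have root write through it.
WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/lockout.XXXXXXXXXX") || exit 1
readonly WORK_DIR
# Remove the whole scratch directory on every exit path, including errors.
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT
TMPFILE1="${WORK_DIR}/tmpfile1"
TMPFILE2="${WORK_DIR}/tmpfile2"
TMPFILE3="${WORK_DIR}/tmpfile3"
TMPFILE4="${WORK_DIR}/tmpfile4"
HEADFILE="${WORK_DIR}/headfile1"
# Written as the last line of hosts.deny; it appears to close the "ip, \"
# continuation list the passes below build above it.
FIX_PATTERN="192.168.1.1"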
#
# CLEANUP
#
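#######################################
# Remove the scratch files of this run.
# Globals:   TMPFILE1..TMPFILE4, HEADFILE (read)
# Returns:   0; a missing file is not an error
#######################################
cleanup() {
  local scratch
  for scratch in "${TMPFILE1}" "${TMPFILE2}" "${TMPFILE3}" "${TMPFILE4}" "${HEADFILE}"; do
    # -e follows symlinks, so a dangling link would slip through; -L catches it.
    if [ -e "${scratch}" ] || [ -L "${scratch}" ]; then
      rm -f -- "${scratch}"
    fi
  done
}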
#
# Small Backup-Rotation
#
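#
# Settings shared by the passes below
#
BACKUP_DIR="/root/backup"                       # dated copies of hosts.deny land here
NEW_IP_LIST="${BACKUP_DIR}/NEW_ADDED_IP_LIST"   # latest block list, kept for mailing
HEADER_LINES=9                                  # hosts.deny starts with a fixed 9-line header
MIN_FAILED_ATTEMPTS=4                           # block an address from this many failures on
#######################################
# Copy hosts.deny to a dated backup before it is rewritten.
# Globals:   HOST_DENY, BACKUP_DIR (read)
# Returns:   status of cp, or 0 when there is no hosts.deny yet
#######################################
backup_hosts_deny() {
  local stamp
  if [ -f "${HOST_DENY}" ]; then
    mkdir -p -- "${BACKUP_DIR}"
    stamp=$(date +%d_%m_%Y_%H_%M)
    cp -- "${HOST_DENY}" "${BACKUP_DIR}/hosts.deny_${stamp}"
  fi
}
#######################################
# Split hosts.deny into its header and its current entry lines. The entries are
# the lines between the header and the closing FIX_PATTERN line.
# Globals:   HOST_DENY, HEADER_LINES (read); HEADFILE, TMPFILE2 (written)
#######################################
split_hosts_deny() {
  head -n "${HEADER_LINES}" -- "${HOST_DENY}" > "${HEADFILE}"
  sed "1,${HEADER_LINES}d;\$d" "${HOST_DENY}" > "${TMPFILE2}"
}
#######################################
# Print the source addresses that failed to log in at least MIN_FAILED_ATTEMPTS
# times, one per line.
# Arguments: $1 - fixed string a log line must contain, e.g. "Failed password for"
# Globals:   LOGFILE, MIN_FAILED_ATTEMPTS (read)
# Outputs:   offending addresses on stdout
#######################################
failed_login_sources() {
  local pattern=$1
  local count addr
  # The address is the token after the LAST "from" on the line. The user name
  # sshd logs before it comes from the remote side and may itself contain "from",
  # so a fixed field number (the old $11/$13) could be shifted onto a chosen token.
  grep -F -- "${pattern}" "${LOGFILE}" \
    | awk '{ for (i = NF; i > 1; i--) if ($i == "from") { print $(i + 1); break } }' \
    | LC_ALL=C sort | uniq -c \
    | while read -r count addr _; do
        # Only address-shaped tokens may reach hosts.deny; anything else would
        # corrupt its "ip, \" continuation format.
        case "${addr}" in
          '' | *[!0-9a-fA-F.:]*) continue ;;
        esac
        if [ "${count}" -ge "${MIN_FAILED_ATTEMPTS}" ]; then
          printf '%s\n' "${addr}"
        fi
      done
}
#######################################
# Rewrite hosts.deny as header + entry lines + closing FIX_PATTERN line.
# Arguments: $1 - file with the "ip, \" entry lines (sorted, deduplicated)
# Globals:   HEADFILE, FIX_PATTERN (read); HOST_DENY (written)
#######################################
write_hosts_deny() {
  local entries=$1
  # Everything goes out through one redirection so hosts.deny is not left
  # half-written for longer than a single cat takes.
  {
    cat -- "${HEADFILE}" "${entries}"
    printf '%s\n' "${FIX_PATTERN}"
  } > "${HOST_DENY}"
  chown root:root -- "${HOST_DENY}"
}
#######################################
# One blocking pass: add every offender for PATTERN to hosts.deny, keeping the
# entries already there. The full deduplicated list is also appended to
# NEW_IP_LIST for mailing.
# Arguments: $1 - fixed string a log line must contain
# Globals:   HEADFILE, TMPFILE2, TMPFILE3 (scratch); NEW_IP_LIST (appended)
#######################################
block_offenders() {
  local pattern=$1
  backup_hosts_deny
  cleanup
  split_hosts_deny
  # New entries get the same ", \" continuation suffix as the existing ones.
  failed_login_sources "${pattern}" | sed 's/$/, \\/' >> "${TMPFILE2}"
  LC_ALL=C sort -u "${TMPFILE2}" > "${TMPFILE3}"
  cat -- "${TMPFILE3}" >> "${NEW_IP_LIST}"
  write_hosts_deny "${TMPFILE3}"
  cleanup
}
#######################################
# Take whitelisted addresses out of hosts.deny again. WHITE_LIST holds addresses
# separated by whitespace or newlines; an entry must equal the blocked address
# exactly. (Before, each entry was used as an unanchored sed regex, so an entry
# such as 10.0.0.1 would also have matched 10.0.0.10, and "." any character.)
# A missing or unreadable whitelist unblocks nothing.
# Globals:   WHITE_LIST (read); HEADFILE, TMPFILE1..TMPFILE4 (scratch)
#######################################
apply_whitelist() {
  local -a entries
  local white_ip
  cleanup
  split_hosts_deny
  # Reduce "ip, \" entries to bare addresses before comparing.
  awk '{ print $1 }' "${TMPFILE2}" | sed 's/,//' > "${TMPFILE3}"
  if [ -r "${WHITE_LIST}" ]; then
    # The || clause still processes a last line that has no trailing newline.
    while read -r -a entries || [ "${#entries[@]}" -gt 0 ]; do
      for white_ip in "${entries[@]}"; do
        grep -v -x -F -- "${white_ip}" "${TMPFILE3}" > "${TMPFILE4}"
        mv -f -- "${TMPFILE4}" "${TMPFILE3}"
      done
    done < "${WHITE_LIST}"
  fi
  sed 's/$/, \\/' "${TMPFILE3}" > "${TMPFILE1}"
  LC_ALL=C sort -u "${TMPFILE1}" > "${TMPFILE3}"
  write_hosts_deny "${TMPFILE3}"
  cleanup
}
#
# Here we go: two blocking passes, then take whitelisted addresses out again.
#
block_offenders "Failed password for"
# Root-only pass kept from the original script. Since the address is now taken
# from the last "from" on every line, the first pass already covers these
# entries, so this one normally adds nothing new.
block_offenders "Failed password for root from"
apply_whitelist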