I wrote a very simple shell script that uses iptables to block IP addresses which use various rootkits to try and hack into your box over SSH. I've tried, unsuccessfully, to find something on the web that would integrate snort into doing this. Hence this simple script, which I've put into an hourly cron job. If I have the time, I'll try to make this script a bit more distro independent and smarter. Until then, feel free to grab it.
#!/bin/sh
# Author: Pankaj Jain <pjain001 covad net>
# $Date: 2004/12/08 21:54:28 $
# $Revision: 1.1 $
#
# This is a simple script to parse /var/log/secure for ssh hacking attempts and block the whole subnet
# It might be a little overzealous but so what.
# This particular script is specific to Redhat and Fedora systems but could easily be adapted to other distros.
#
# GPL version 2 applies. No warranties, explicit or implied.
# You are free to modify the script and improve it as long as it is released under the GPL.
# I would also appreciate any changes to the script that you may incorporate.
#
# How the field trick works: sshd writes either
#   "Failed password for USER from ::ffff:A.B.C.D port N ssh2"              (address is $11)
# or
#   "Failed password for invalid user USER from ::ffff:A.B.C.D port N ssh2" (address is $13)
# Printing $11 and $13 glued together and cutting on ':' (field 4, which relies on the
# ::ffff: IPv4-mapped prefix) yields A.B.C.D in both cases; the second cut keeps the first
# three octets so the whole /24 gets blocked.
# 'pankaj' and 'irfan' are local users whose own typos must not get their networks dropped.
# sort -u (instead of a bare uniq) collapses repeats that are not adjacent in the log,
# so the same subnet is not inserted more than once per run.
for i in $(grep 'Failed password' /var/log/secure | grep -E -v 'pankaj|irfan' | awk '{print $11 $13}' | cut -d ':' -f 4 | cut -d '.' -f 1-3 | sort -u)
do
    echo "Blocking ${i}.0/24"
    /sbin/iptables -I INPUT -s "${i}.0/24" -j DROP
done
# $Log: blocksshhacks.sh,v $
# Revision 1.1 2004/12/08 21:54:28 pankaj
# Initial revision
#
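As an added example (not the script above), here is the same parse-and-block idea with a per-subnet failure threshold and a dry-run output, run over constructed log lines in both sshd formats the original awk field trick covers (with and without the ::ffff: prefix). The threshold, the user-exclusion pattern and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: count failed-password sources per /24 and emit one DROP rule
# per subnet that crosses a threshold, so a single typo from a friendly network
# does not get the whole /24 blocked. Sample log lines are constructed.
SAMPLE_LOG='Dec  8 21:50:01 box sshd[1201]: Failed password for root from ::ffff:203.0.113.7 port 4001 ssh2
Dec  8 21:50:03 box sshd[1203]: Failed password for invalid user test from ::ffff:203.0.113.9 port 4003 ssh2
Dec  8 21:50:05 box sshd[1205]: Failed password for root from ::ffff:203.0.113.7 port 4005 ssh2
Dec  8 21:50:07 box sshd[1207]: Failed password for pankaj from ::ffff:192.0.2.44 port 4007 ssh2
Dec  8 21:50:09 box sshd[1209]: Failed password for invalid user admin from 198.51.100.12 port 4009 ssh2
Dec  8 21:50:11 box sshd[1211]: Accepted password for pankaj from ::ffff:192.0.2.44 port 4011 ssh2'

# Print "COUNT A.B.C.0/24" for every /24 with at least $2 failed passwords.
#   $1 = log text, $2 = threshold, $3 = non-empty grep -E pattern of local
#   users to ignore (the original script used 'pankaj|irfan').
offending_subnets() {
    printf '%s\n' "$1" |
    grep 'Failed password' |
    grep -E -v "$3" |
    # Take the address after "from", drop an optional ::ffff: prefix, and keep
    # the first three octets (works for both the plain and "invalid user" forms).
    sed -n 's/.* from \(::ffff:\)*\([0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]* port .*/\2/p' |
    sort | uniq -c |
    awk -v n="$2" '$1 >= n { print $1, $2 ".0/24" }'
}

# Dry run: print the iptables commands instead of executing them.
block_commands() {
    offending_subnets "$1" "$2" "$3" |
    awk '{ print "/sbin/iptables -I INPUT -s " $2 " -j DROP" }'
}
```

To apply against a real log, pipe the output of `block_commands "$(cat /var/log/secure)" 5 'pankaj|irfan'` into `sh` once the printed rules look right.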