[nycbug-talk] Auto add bad ip's
steverieger
steve
Sat Apr 2 01:52:58 EST 2005
Somebody this past week asked (not on this list) if it's possible to
automatically add bad IPs to the /etc/hosts.deny file. This here adds the
bad IPs to the actual firewall, feel free to modify as needed:
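#!/bin/bash
# check for hack attempts and email alerts if seen
searchdate=$(date +'%b %e')
searchtime=$(date +'%r')
# private scratch directory instead of fixed file names in /tmp
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf "$tmpdir"' EXIT
# look only at the most recent log entries
tail -n 100 /var/log/secure > "$tmpdir/output.txt"
if grep "Failed password" "$tmpdir/output.txt" > "$tmpdir/faillogin"
then
    # the source address is the 4th field from the end
    # ("... from <ip> port <n> ssh2"); $11 is the user name on
    # "invalid user" lines
    awk '{print $(NF-3)}' "$tmpdir/faillogin" | sort -u > "$tmpdir/awkip.txt"
    for i in $(cat "$tmpdir/awkip.txt")
    do
        # drop all further traffic from this address
        iptables -A INPUT -s "$i/32" -j DROP
    done
    mail -s "Failed login via SSH on $searchdate at $searchtime" \
        someone@somewhere.com < "$tmpdir/faillogin"
fi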
I also saw someplace that one can configure swatch to do this, but I have no
further info.
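
An added example, not part of the original post: the same log-to-firewall idea with the address taken only from the trailing "from <ip> port <n> ssh2" of each line (the user name is supplied by the client and can contain spaces), a failure threshold, an allowlist and a dry-run mode. The log lines are constructed, and sample_log, failed_sources, block_sources, ALLOWLIST and DRY_RUN are names made up for this example.

```shell
#!/bin/bash
# Constructed sample log lines using documentation address ranges.
sample_log() {
cat <<'EOF'
Apr  2 01:40:01 host sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Apr  2 01:40:03 host sshd[102]: Failed password for invalid user bob from 192.0.2.10 port 4002 ssh2
Apr  2 01:40:05 host sshd[103]: Failed password for invalid user x from 203.0.113.7 port 22 ssh2 from 198.51.100.5 port 4003 ssh2
Apr  2 01:40:07 host sshd[104]: Accepted password for steve from 198.51.100.9 port 4004 ssh2
Apr  2 01:40:09 host sshd[105]: Failed password for root from 192.0.2.10 port 4005 ssh2
Apr  2 01:40:11 host sshd[106]: Failed password for admin from 198.51.100.5 port 4006 ssh2
EOF
}

# Read log text on stdin; print every IPv4 source with at least $1 failures.
# The sed pattern is anchored to the end of the line, so text inside the
# user name (third sample line) is never taken as the source address.
failed_sources() {
    grep 'sshd\[[0-9]*]: Failed password for ' |
    sed -n 's/.* from \([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\) port [0-9]\{1,5\} ssh2$/\1/p' |
    sort | uniq -c | awk -v t="$1" '$1 >= t {print $2}'
}

ALLOWLIST="198.51.100.5"   # space-separated addresses that are never blocked
DRY_RUN=1                  # 1 = only print the rule, anything else = apply it

# Read addresses on stdin; print or add one DROP rule per address.
block_sources() {
    while read -r ip; do
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        if [ "$DRY_RUN" = 1 ]; then
            echo "iptables -A INPUT -s $ip/32 -j DROP"
        else
            # -C checks for an existing rule, so repeated runs add no duplicates
            iptables -C INPUT -s "$ip/32" -j DROP 2>/dev/null ||
                iptables -A INPUT -s "$ip/32" -j DROP
        fi
    done
}

# Dry run over the constructed sample: sources with two or more failures.
sample_log | failed_sources 2 | block_sources
```

To use it on a live system, feed failed_sources from tail -n 100 /var/log/secure instead of sample_log and set DRY_RUN to 0 once the printed rules look right.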