[Firehol-support] sshd

Ross Smith fireholspam at netebb.com
Tue Sep 27 20:50:26 CEST 2005


I have

blacklist full "`cat /etc/firehol/blacklisted-ips.txt`"

in my firehol.conf file.

Then I run

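#!/bin/sh

# Accounts whose shell is not /bin/false or /bin/sh, joined as user1|user2|...
VALID_USERS=`grep -E -v '/bin/(false|sh)' /etc/passwd | cut -d : -f 1 | tr -s "\n" "|" | perl -n -e 'print substr($_,0,-1)'`
BLACKLIST=/etc/firehol/blacklisted-ips.txt
WHITELIST=/etc/firehol/whitelist.txt

# For every auth log (rotated ones may be gzipped): drop lines that name a
# valid user, then print the source address of each failed password.
# New addresses are appended to the blacklist unless they match the whitelist
# (entries used as regular expressions) or are already blacklisted (exact,
# whole-line match, so a listed 1.2.3.4 does not hide 1.2.3.45).
for i in /var/log/auth.log*
do
        if file "$i" | grep -q gzip
        then
                CAT=zcat
        else
                CAT=cat
        fi

        $CAT "$i" |
        grep -E -v "\b($VALID_USERS)\b" |
        perl -n -e '/Failed password for .* from (\S+)/ && print $1,"\n"'
done |
sort |
uniq |
grep -E -v -f "$WHITELIST" |
grep -v -x -F -f "$BLACKLIST" >>"$BLACKLIST"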

via cron to blacklist all the bad guys.

Obviously, you will need to modify this script for your needs.

-Ross

kick wrote On 9/27/2005 11:32 AM -0800:
> does anyone know if i can block individual ip's easily?
> am getting this in my logcheck
> 
> Security Events
> =-=-=-=-=-=-=-=
> Sep 27 02:42:22 irc-firewall-mail sshd[10855]: Illegal user admin from
> ::ffff:81.223.254.204
> Sep 27 02:42:22 irc-firewall-mail sshd[10857]: Illegal user admin from
> ::ffff:81.223.254.204
> thanx in advance :)
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
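
Added example, not part of Ross's message or of FireHOL: a variant of the log-scraping step that only emits values that parse as IPv4 addresses, handles the ::ffff: form shown in the logcheck output, and compares list entries as exact lines. The function names (sample_log, extract_offenders, new_entries), the failure-count argument and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's script.

# Constructed sample input (documentation address ranges), in the two sshd
# message formats that appear in the thread.
sample_log() {
cat <<'EOF'
Sep 27 02:42:22 fw sshd[10855]: Illegal user admin from ::ffff:203.0.113.7
Sep 27 02:42:25 fw sshd[10857]: Failed password for illegal user admin from ::ffff:203.0.113.7 port 4123 ssh2
Sep 27 02:43:01 fw sshd[10860]: Failed password for root from 198.51.100.20 port 5151 ssh2
Sep 27 02:43:09 fw sshd[10861]: Failed password for illegal user a from 192.0.2.1 from 203.0.113.99 port 22 ssh2
Sep 27 02:44:00 fw sshd[10862]: Failed password for bob from gw.example.net port 22 ssh2
Sep 27 02:44:30 fw sshd[10863]: Accepted password for ross from 192.0.2.50 port 22 ssh2
EOF
}

# Print each IPv4 source with at least $1 (default 1) failures, read from stdin.
extract_offenders() {
    awk -v min="${1:-1}" '
    function valid_ipv4(a,    o, n, i) {
        if (a !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        n = split(a, o, ".")
        for (i = 1; i <= n; i++)
            if (length(o[i]) > 3 || o[i] + 0 > 255) return 0
        return 1
    }
    / sshd\[[0-9]+\]: (Failed password for|Illegal user) / {
        # The user name is text chosen by the remote side, so the address
        # is whatever follows the LAST " from " on the line.
        rest = $0
        while ((p = index(rest, " from ")) > 0) rest = substr(rest, p + 6)
        split(rest, f, " ")
        addr = f[1]
        sub(/^::ffff:/, "", addr)   # IPv4-mapped form seen in the logcheck mail
        if (valid_ipv4(addr)) count[addr]++   # host names and junk are dropped
    }
    END { for (a in count) if (count[a] >= min) print a }
    ' | LC_ALL=C sort
}

# Drop addresses listed in the whitelist ($1) or blacklist ($2) files.
# -F -x compares whole lines literally, so 192.0.2.1 does not hide 192.0.2.10.
new_entries() {
    grep -v -x -F -f "$1" | grep -v -x -F -f "$2" || true
}
```

From cron this would be used as: zcat -f /var/log/auth.log* | extract_offenders 3 | new_entries "$WHITELIST" "$BLACKLIST" >>"$BLACKLIST"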
