[Firehol-support] sshd
Ross Smith
fireholspam at netebb.com
Tue Sep 27 19:50:26 BST 2005
I have

    blacklist full "`cat /etc/firehol/blacklisted-ips.txt`"

in my firehol.conf file.

Then I run

    #!/bin/sh
    # Accounts whose login shell is not /bin/false or /bin/sh, joined as user1|user2|...
    VALID_USERS=`egrep -v '/bin/(false|sh)$' /etc/passwd | cut -d : -f 1 | tr -s "\n" "|" | perl -n -e 'print substr($_,0,-1)'`
    BLACKLIST=/etc/firehol/blacklisted-ips.txt
    WHITELIST=/etc/firehol/whitelist.txt

    for i in /var/log/auth.log*
    do
        # Rotated logs may be gzip-compressed
        if file "$i" | grep -q gzip
        then
            CAT=zcat
        else
            CAT=cat
        fi
        # Skip lines that name a valid user, then print the source of each failed password
        $CAT "$i" |
            egrep -v "\b($VALID_USERS)\b" |
            perl -n -e '/Failed password for .* from (\S+)/ && print $1,"\n"'
    done |
        sort |
        uniq |
        egrep -v -f "$WHITELIST" |
        # -F -x: whole-line fixed-string match, so a listed 1.2.3.4 does not hide 1.2.3.45
        grep -v -F -x -f "$BLACKLIST" >>"$BLACKLIST"

via cron to blacklist all the bad guys.

Obviously, you will need to modify this script for your needs.
-Ross
kick wrote On 9/27/2005 11:32 AM -0800:
> does anyone know if i can block individual ip's easily?
> am getting this in my logcheck
>
> Security Events
> =-=-=-=-=-=-=-=
> Sep 27 02:42:22 irc-firewall-mail sshd[10855]: Illegal user admin from
> ::ffff:81.223.254.204
> Sep 27 02:42:22 irc-firewall-mail sshd[10857]: Illegal user admin from
> ::ffff:81.223.254.204
> thanx in advance :)
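Added example, not part of the original post: the "Illegal user ... from ::ffff:81.223.254.204" lines in the question are not matched by a "Failed password" pattern, and the address carries an IPv4-mapped prefix. The sketch below extracts sources from both kinds of line, strips that prefix, and keeps only well-formed IPv4 addresses before anything reaches the blacklist. The function names and sample log lines are constructed for illustration; it assumes the whitelist holds one plain address per line and that only IPv4 sources are wanted.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Read auth.log lines on stdin, print each rejected login's source address.
# The user name in these lines is remote-supplied text, so the greedy ".*"
# takes the token after the LAST " from ". The "::ffff:" IPv4-mapped prefix
# is stripped and anything that is not a well-formed IPv4 address is dropped.
extract_offenders() {
    sed -n -E 's/^.*sshd\[[0-9]+\]: (Failed password for|Illegal user|Invalid user) .* from ([^ ]+).*$/\2/p' |
        sed 's/^::ffff://' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
        sort -u
}

# Usage: new_entries WHITELIST BLACKLIST
# Print stdin addresses found in neither file. -F -x compares whole lines as
# fixed strings, so a listed 198.51.100.7 does not also match 198.51.100.70.
new_entries() {
    grep -v -F -x -f "$1" | grep -v -F -x -f "$2" || true
}

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE_LOG='Sep 27 02:42:22 host sshd[10855]: Illegal user admin from ::ffff:203.0.113.20
Sep 27 02:42:25 host sshd[10857]: Failed password for invalid user test from 203.0.113.20 port 4022 ssh2
Sep 27 02:43:01 host sshd[10860]: Failed password for root from 198.51.100.7 port 5122 ssh2
Sep 27 02:43:09 host sshd[10861]: Invalid user guest from scanner.example.net
Sep 27 02:44:10 host sshd[10870]: Failed password for invalid user x from 192.0.2.10 from 198.51.100.70 port 22 ssh2
Sep 27 02:45:00 host sshd[10871]: Accepted password for ross from 192.0.2.55 port 6000 ssh2'

# Prints the three offending IPv4 sources; the hostname and the accepted
# login are not listed.
printf '%s\n' "$SAMPLE_LOG" | extract_offenders
```
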