Deny IP based on failed login requests
Stephen Carville
stephen at totalflood.com
Wed Feb 9 19:23:54 UTC 2005
On Wed February 9 2005 10:19 am, Brian Whitehead wrote:
> I'd say a quick shell script that parses the log file for the failed
> attempts and the creates an iptables rule to block the IP.
I actually wrote a little filter to do just that:
login-filter.pl:
=====================
#!/usr/bin/perl -w
use strict;

# Default number of failed attempts before an address is reported.
my $TRIGGER = 5;

sub main {
    my ($line,$ip,$trigger);
    my (%addresses);

    # An optional first argument overrides the default threshold.
    $trigger = ($ARGV[0] || $TRIGGER);

    # Count one hit per input line for the first dotted quad found on it.
    foreach $line (<STDIN>) {
        if ($line =~ m/(\d+\.\d+\.\d+\.\d+)/) {
            $ip = $1;
            # filter out addresses that are probably legit
            next if ($ip =~ m/^192\.168\./);
            next if ($ip =~ m/216\.117\.196\.95/);
            if (exists $addresses{$ip}) {
                $addresses{$ip}++;
            } else {
                $addresses{$ip} = 1;
            }
        }
    }

    # Print every address at or above the threshold, in numeric order.
    foreach $ip (sort ipsort keys %addresses) {
        print "$ip\n" if ($addresses{$ip} >= $trigger);
    }
}

# sort comparator: compare dotted quads octet by octet as numbers,
# so that 10.0.0.9 comes before 10.0.0.70 (a plain string sort would not).
sub ipsort {
    my ($cntr);
    my (@aa) = split /\./,$a;
    my (@bb) = split /\./,$b;
    for ($cntr = 0;$cntr < 4;$cntr++) {
        unless ($aa[$cntr] == $bb[$cntr]) {
            return ($aa[$cntr] <=> $bb[$cntr]);
        }
    }
    return 0;
}

main();
==================
grep 'Failed passwd' /var/log/messages | login-filter.pl
Getting the addresses into the blacklist I leave as an exercise for the
student :-)
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Chris W. Parker
> Sent: Wednesday, February 09, 2005 12:17 PM
> To: General Red Hat Linux discussion list
> Subject: Deny IP based on failed login requests
>
> Hello,
>
> I was unsuccessful with Google while searching for an answer to this
> question so I'm bringing it to the list. I just read a LogWatch email from
> back in Nov that says there were 610 failed attempts from a specific IP
> address while trying to login as root.
>
> What I'd like to know is if it's possible to lock out an IP address after a
> certain number of failed attempts. Say, 10 attempts.
>
>
>
> Thanks,
> Chris.
--
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W.Century Blvd.
Los Angeles, CA 90045
310-342-3602
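The same count-and-threshold idea as the Perl filter above, written here as an added Python example; it is not Stephen Carville's script and nothing from the list thread. It goes a little further than the original: it matches OpenSSH's "Failed password for ... from ... port ..." syslog lines (including the "invalid user" variant) instead of any dotted quad, replaces the two hardcoded skip patterns with a CIDR allowlist (the networks chosen are an assumption), sorts numerically with the ipaddress module, and prints the iptables rules an operator would review rather than running them. The sample log is constructed.

```python
"""Count failed sshd logins per source IP and print candidate iptables rules.

Added example, not the script from the list post. It parses the "Failed
password" lines OpenSSH writes to syslog, keeps a per-address count,
skips allowlisted networks, and prints (never runs) the iptables command
an operator would review before applying it.
"""
import ipaddress
import re
import sys
from collections import Counter

# Matches both "Failed password for root from A.B.C.D port N ssh2" and
# "Failed password for invalid user admin from A.B.C.D port N ssh2".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Sources that are never blocked. The original script hardcodes 192.168/16 and
# one public host; the CIDR list here is an assumption made for the example.
ALLOWLIST = [ipaddress.ip_network("192.168.0.0/16"),
             ipaddress.ip_network("127.0.0.0/8")]


def count_failures(lines, allowlist=ALLOWLIST):
    """Return a Counter {ip_string: failed_attempts}, allowlisted sources dropped."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # "Accepted password", session open/close, and so on
        ip = m.group("ip")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname or garbage in the address slot: skip, don't crash
        if any(addr in net for net in allowlist):
            continue
        counts[ip] += 1
    return counts


def offenders(counts, trigger=5):
    """Addresses with at least `trigger` failures, in numeric (not string) order."""
    hits = [ip for ip, n in counts.items() if n >= trigger]
    return sorted(hits, key=ipaddress.ip_address)


def block_rules(addrs):
    """iptables commands that drop SSH traffic from each address (output only)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in addrs]


# Constructed sample log: two public hosts exactly at the threshold, one
# RFC 1918 host that the allowlist excludes, and one user who mistyped a
# password once and then logged in.
SAMPLE_LOG = """\
Feb  9 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.70 port 51234 ssh2
Feb  9 10:01:04 host sshd[1235]: Failed password for root from 203.0.113.70 port 51236 ssh2
Feb  9 10:01:06 host sshd[1236]: Failed password for invalid user admin from 203.0.113.70 port 51238 ssh2
Feb  9 10:01:08 host sshd[1237]: Failed password for root from 203.0.113.70 port 51240 ssh2
Feb  9 10:01:10 host sshd[1238]: Failed password for root from 203.0.113.70 port 51242 ssh2
Feb  9 10:02:01 host sshd[1240]: Failed password for root from 203.0.113.9 port 40001 ssh2
Feb  9 10:02:03 host sshd[1241]: Failed password for root from 203.0.113.9 port 40003 ssh2
Feb  9 10:02:05 host sshd[1242]: Failed password for invalid user oracle from 203.0.113.9 port 40005 ssh2
Feb  9 10:02:07 host sshd[1243]: Failed password for root from 203.0.113.9 port 40007 ssh2
Feb  9 10:02:09 host sshd[1244]: Failed password for root from 203.0.113.9 port 40009 ssh2
Feb  9 10:03:01 host sshd[1250]: Failed password for root from 192.168.1.20 port 33001 ssh2
Feb  9 10:03:02 host sshd[1251]: Failed password for root from 192.168.1.20 port 33002 ssh2
Feb  9 10:03:03 host sshd[1252]: Failed password for root from 192.168.1.20 port 33003 ssh2
Feb  9 10:03:04 host sshd[1253]: Failed password for root from 192.168.1.20 port 33004 ssh2
Feb  9 10:03:05 host sshd[1254]: Failed password for root from 192.168.1.20 port 33005 ssh2
Feb  9 10:04:00 host sshd[1260]: Failed password for bob from 198.51.100.2 port 41000 ssh2
Feb  9 10:04:05 host sshd[1261]: Accepted password for bob from 198.51.100.2 port 41000 ssh2
"""

if __name__ == "__main__":
    # Usage mirrors the Perl filter: grep 'Failed password' /var/log/messages | python3 this.py [trigger]
    trigger = int(sys.argv[1]) if len(sys.argv) > 1 else 5
    for rule in block_rules(offenders(count_failures(sys.stdin), trigger)):
        print(rule)
```

On the sample log, `offenders()` returns `203.0.113.9` before `203.0.113.70`; a plain string sort would put them the other way round, which is the same problem the Perl `ipsort` comparator solves. Keeping the rules as printed text rather than calling iptables directly leaves the decision to block with the operator and makes the script safe to run against any log for a dry run.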