Deny IP based on failed login requests

Stephen Carville stephen at totalflood.com
Wed Feb 9 19:23:54 UTC 2005


On Wed February 9 2005 10:19 am, Brian Whitehead wrote:
> I'd say a quick shell script that parses the log file for the failed
> attempts and then creates an iptables rule to block the IP.

I actually wrote a little filter to do just that:

login-filter.pl:
=====================
#!/usr/bin/perl -w

use strict;

# default number of failures before an address is reported
my $TRIGGER = 5;

sub main {
  my ($line, $ip, $trigger);
  my (%addresses);

  # an optional first argument overrides the default threshold
  $trigger = ($ARGV[0] || $TRIGGER);

  foreach $line (<STDIN>) {
    if ($line =~ m/(\d+\.\d+\.\d+\.\d+)/) {
      $ip = $1;
      # filter out addresses that are probably legit
      next if ($ip =~ m/^192\.168\./);
      next if ($ip =~ m/^216\.117\.196\.95$/);

      # count failures per source address
      $addresses{$ip}++;
    }
  }

  # report every address that reached the threshold, in numeric order
  foreach $ip (sort ipsort keys %addresses) {
    print "$ip\n" if ($addresses{$ip} >= $trigger);
  }
}

# compare two dotted-quad addresses octet by octet, numerically
sub ipsort {
  my ($cntr);

  my (@aa) = split /\./, $a;
  my (@bb) = split /\./, $b;

  for ($cntr = 0; $cntr < 4; $cntr++) {
    unless ($aa[$cntr] == $bb[$cntr]) {
      return ($aa[$cntr] <=> $bb[$cntr]);
    }
  }
  return 0;
}

main();
==================

grep 'Failed passwd' /var/log/messages | ./login-filter.pl

Getting the addresses into the blacklist I leave as an exercise for the
student :-)

> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Chris W. Parker
> Sent: Wednesday, February 09, 2005 12:17 PM
> To: General Red Hat Linux discussion list
> Subject: Deny IP based on failed login requests
>
> Hello,
>
> I was unsuccessful with Google while searching for an answer to this
> question so I'm bringing it to the list. I just read a LogWatch email from
> back in Nov that says there were 610 failed attempts from a specific IP
> address while trying to login as root.
>
> What I'd like to know is if it's possible to lock out an IP address after a
> certain number of failed attempts. Say, 10 attempts.
>
> Thanks,
> Chris.
>

-- 
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W.Century Blvd.
Los Angeles, CA 90045
310-342-3602
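A shell version of the two steps Brian describes (parse the log for failures, then build the iptables rule), added here as an example rather than code from this thread. It assumes sshd's "Failed password for <user> from <ip> port <n> ssh2" line format, uses constructed sample lines with documentation-range addresses, treats 192.168.0.0/16 and 10.0.0.0/8 as a hypothetical allow-list, and prints the iptables commands instead of running them, since that step needs root.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source
# address and print the iptables commands that would block the offenders.
# Assumes sshd's "Failed password for <user> from <ip> port <n> ssh2" format.

# Allow-list: never block these sources (hypothetical management ranges).
ALLOW_RE='^(192\.168\.|10\.)'

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG='Feb  9 10:01:12 host sshd[2201]: Failed password for root from 203.0.113.7 port 4411 ssh2
Feb  9 10:01:15 host sshd[2201]: Failed password for root from 203.0.113.7 port 4412 ssh2
Feb  9 10:01:19 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 4413 ssh2
Feb  9 10:01:24 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 4414 ssh2
Feb  9 10:02:02 host sshd[2210]: Failed password for alice from 198.51.100.23 port 5100 ssh2
Feb  9 10:02:09 host sshd[2210]: Failed password for alice from 198.51.100.23 port 5101 ssh2
Feb  9 10:02:15 host sshd[2210]: Accepted password for alice from 198.51.100.23 port 5102 ssh2
Feb  9 10:03:40 host sshd[2220]: Failed password for root from 192.168.1.10 port 6000 ssh2
Feb  9 10:03:41 host sshd[2220]: Failed password for root from 192.168.1.10 port 6001 ssh2
Feb  9 10:03:42 host sshd[2220]: Failed password for root from 192.168.1.10 port 6002 ssh2'

# offenders THRESHOLD: read log lines on stdin and print one address per line
# for every source with at least THRESHOLD failures, sorted, allow-list removed.
offenders() {
  grep 'Failed password' \
  | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
  | grep -v -E "$ALLOW_RE" \
  | sort | uniq -c \
  | awk -v t="$1" '$1 >= t { print $2 }'
}

# block_rules: turn addresses on stdin into iptables commands (printed, not run).
block_rules() {
  while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Typical use against the real log: grep 'Failed password' /var/log/messages
# | offenders 10 | block_rules, review the output, then feed it to sh as root.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | block_rules
```

The allow-list is the part worth getting right before anything is piped into sh: without it, a mistyped password from the admin's own workstation lands that address in the DROP list. Rules inserted this way also live only in the running kernel, so they disappear at the next reboot unless saved with the distribution's iptables-save mechanism.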