Difference between revisions of "Bad-ips.sh"

From DarkWiki

Latest revision as of 07:04, 9 July 2017

Introduction

Internet hosts are constantly under attack by bots and junk mailers. This script makes use of iptables to block machines that have behaved suspiciously.

The strategy is simple: periodically inspect the log files to identify any IP addresses to block. Since I look at the two most recent log files ("*.log" and "*.log.1"), entries written just before the logs rotate at midnight are still seen (the midnight problem), and the iptables rule set stays a handy size.

Targets

Any SMTP MDA that fails SASL authentication. This is usually a junk mailer attempting to use default credentials.

SSH as root attempts. The SSH daemon does not allow 'root' logins. I know this. So does everyone else... except bots probing using a password list.

Clients accessing jmx-console. There are loads of security holes in the JMX console, and I'm not sure why anyone would ever need it exposed at a public perimeter. The only clients asking for this would be bots.

Script

#!/bin/bash

# Each block prints one offending address per line. The current log and the
# rotated one (*.log.1) are both read so entries from just before midnight
# are not missed; sort -u removes duplicates.

# IP addresses that have failed SASL login (junk mailers)
grep LOGIN /var/log/mail.log /var/log/mail.log.1 | grep failed | sed -r "s/.*\[([0-9\.]*).*/\1/g" | sort -u

# IP addresses that have tried to access as root (botnets)
grep "Failed password for root" /var/log/auth.log /var/log/auth.log.1 | sed "s/.*from.\([0-9\.]*\).*$/\1/g" | sort -u

# IP addresses that have looked for pre-infections or weaknesses
# (the pattern expects a space before the client IP, as in Debian's vhost_combined format)
grep "jmx-console" /var/log/apache2/*.log /var/log/apache2/*.log.1 | sed "s/.* \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\) .*$/\1/g" | sort -u
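The same three checks as an added example (not the wiki's own script), with what a cron-driven run needs on top: an allowlist so an internal host can never lock you out, handling of both Apache log formats, and idempotent loading into a dedicated chain. The chain name BADIPS, the private-range allowlist and the sample log lines are assumptions.

```bash
#!/bin/bash
# Added example, not the wiki's own script: the same three log sources, but
# with an allowlist, both Apache log formats and idempotent iptables loading.
# The BADIPS chain name and the private-range allowlist are assumptions.
set -u

# SASL failures (postfix mail.log): client IP is in the last [...] brackets
sasl_failed_ips() { grep -h 'SASL LOGIN authentication failed' "$@" 2>/dev/null |
    sed -E 's/.*\[([0-9.]+)\].*/\1/'; }

# SSH root attempts (auth.log)
ssh_root_ips() { grep -h 'Failed password for root from' "$@" 2>/dev/null |
    sed -E 's/.*from ([0-9.]+) .*/\1/'; }

# jmx-console probes: client IP is field 1 (combined) or field 2
# (vhost_combined, "vhost:port IP ..."), so take whichever looks like IPv4
jmx_ips() { grep -h 'jmx-console' "$@" 2>/dev/null |
    awk '{ for (i = 1; i <= 2; i++)
             if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; break } }'; }

# $1 $2 $3: globs for mail, auth and apache logs (current and rotated .1).
# Loopback and RFC 1918 sources are dropped so an internal host with a bad
# password can never lock you out.
bad_ips() {
    { sasl_failed_ips $1; ssh_root_ips $2; jmx_ips $3; } |
        grep -vE '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' | sort -u
}

# Load IPs from stdin into a dedicated chain; safe to run from cron every
# few minutes because a rule is only added when "iptables -C" cannot find it.
load_rules() {
    iptables -N BADIPS 2>/dev/null || true
    iptables -C INPUT -j BADIPS 2>/dev/null || iptables -I INPUT -j BADIPS
    while read -r ip; do
        iptables -C BADIPS -s "$ip" -j DROP 2>/dev/null ||
            iptables -A BADIPS -s "$ip" -j DROP
    done
}

# Constructed sample logs (RFC 5737 ranges) so the parsing can be tried offline
make_sample_logs() {  # $1: directory
    mkdir -p "$1/apache2"
    printf '%s\n' 'Jul  9 06:58:11 srv postfix/smtpd[2231]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6' > "$1/mail.log"
    printf '%s\n' 'Jul  8 23:59:58 srv postfix/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6' > "$1/mail.log.1"
    printf '%s\n' 'Jul  9 07:02:30 srv sshd[2300]: Failed password for root from 192.0.2.20 port 52111 ssh2' > "$1/auth.log"
    printf '%s\n' 'www.example.org:80 203.0.113.40 - - [09/Jul/2017:07:03:45 +0000] "GET /jmx-console/ HTTP/1.1" 404 493 "-" "-"' > "$1/apache2/other_vhosts_access.log"
    printf '%s\n' '192.168.1.10 - - [09/Jul/2017:07:04:00 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 404 493 "-" "-"' > "$1/apache2/access.log"
}
```

From cron, call it as `bad_ips '/var/log/mail.log*' '/var/log/auth.log*' '/var/log/apache2/*.log*' | load_rules`; the globs are passed quoted and expanded inside the functions, so the current and the rotated file are both read.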