Bad-ips.sh

From DarkWiki
Revision as of 07:00, 9 July 2017 by Apowney (talk | contribs) (Introduction)

Introduction

Internet hosts are constantly under attack by bots and junk mailers. This script makes use of iptables to block machines that have behaved suspiciously, meaning any of the following:

Any SMTP MDA that fails SASL authentication. This is usually a junk mailer attempting to use default credentials.

SSH login attempts as root. The SSH daemon does not allow 'root' logins. I know this. So does everyone else... except bots probing with a password list.

Clients requesting jmx-console. There are loads of security holes in the JMX console, and there is no reason anyone would need it at a public perimeter; the only clients asking for it would be bots.

Script

#!/bin/bash

# IP addresses that have failed SASL login (junk mailers)
# grep -h drops the file-name prefix grep adds when given several files; sed -n ... p prints only lines where the address was found
grep -h LOGIN /var/log/mail.log /var/log/mail.log.1 | grep failed | sed -rn 's/.*\[([0-9.]*)\].*/\1/p' | sort -u

# IP addresses that have tried to log in as root (botnets)
grep -h "Failed password for root" /var/log/auth.log /var/log/auth.log.1 | sed -n 's/.*from \([0-9.]*\).*$/\1/p' | sort -u

# IP addresses that have looked for pre-infections or weaknesses
# The client address is the first field of a "combined" log line and the second field of a "vhost_combined" one; this handles both
grep -h "jmx-console" /var/log/apache2/*.log /var/log/apache2/*.log.1 | sed -n 's/^\([^ ]* \)\{0,1\}\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\) .*$/\2/p' | sort -u
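The script as shown only prints the addresses it finds, while the introduction says they are fed to iptables. The following is an added example, not the wiki's bad-ips.sh, that carries the same three checks through to the iptables rules. It runs against constructed sample log lines (modelled on the postfix, sshd and apache formats the script greps) rather than /var/log, so it can be tried without root. The sample lines, the ALLOWLIST and DRY_RUN variables and all function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the wiki's own bad-ips.sh. It applies the same three
# checks (SASL LOGIN failures, "Failed password for root", jmx-console probes)
# to constructed sample log lines instead of /var/log, validates every
# extracted address, honours an allowlist, and prints the iptables rules it
# would add. DRY_RUN=1 (the default) prints rules; DRY_RUN=0 applies them as root.

ALLOWLIST="${ALLOWLIST:-127.0.0.1 192.0.2.10}"   # constructed: loopback and an admin host

# Constructed sample log lines modelled on postfix, sshd and apache formats.
SAMPLE_MAIL='Jul  9 06:58:01 host postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jul  9 06:58:05 host postfix/smtpd[1234]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jul  9 06:58:20 host postfix/smtpd[1236]: warning: unknown[2001:db8::1]: SASL LOGIN authentication failed: authentication failure
Jul  9 06:59:10 host postfix/smtpd[1235]: connect from mail.example.net[203.0.113.4]'
SAMPLE_AUTH='Jul  9 06:57:44 host sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jul  9 06:57:50 host sshd[2202]: Failed password for root from 192.0.2.10 port 51030 ssh2
Jul  9 06:57:52 host sshd[2203]: Accepted publickey for alice from 192.0.2.10 port 51040 ssh2'
SAMPLE_HTTP='198.51.100.23 - - [09/Jul/2017:06:55:12 +0000] "GET /jmx-console/ HTTP/1.1" 404 492 "-" "curl/7.52.1"
www.example.org:80 203.0.113.77 - - [09/Jul/2017:06:56:01 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 404 492 "-" "-"
192.0.2.10 - - [09/Jul/2017:06:56:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"'

# Each extractor reads log text on stdin and prints one candidate address per
# line. "sed -n ... p" prints only lines where the substitution matched, so a
# line with the keyword but an unexpected layout yields nothing (the IPv6
# client above is dropped here instead of leaking a PID or a partial string).
sasl_failures()  { grep 'SASL LOGIN authentication failed' | sed -n 's/.*\[\([0-9.]*\)\]: SASL LOGIN.*/\1/p'; }
root_ssh_fails() { grep 'Failed password for root' | sed -n 's/.*from \([0-9.]*\) port.*/\1/p'; }
# Apache "combined" puts the client first; "vhost_combined" puts "host:port" first.
jmx_probes()     { grep 'jmx-console' | sed -n 's/^\([^ ]* \)\{0,1\}\([0-9.]*\) - .*/\2/p'; }

# Strict dotted-quad check: the loose [0-9.]* patterns above would accept
# "..." or "1.2.3", and nothing of that shape should ever reach iptables.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

is_allowed() {
    for a in $ALLOWLIST; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# Union of the three sources, de-duplicated, validated, allowlist removed.
bad_ips() {
    {
        printf '%s\n' "$SAMPLE_MAIL" | sasl_failures
        printf '%s\n' "$SAMPLE_AUTH" | root_ssh_fails
        printf '%s\n' "$SAMPLE_HTTP" | jmx_probes
    } | sort -u | while read -r ip; do
        if is_ipv4 "$ip" && ! is_allowed "$ip"; then echo "$ip"; fi
    done
}

# One DROP rule per address. When applying for real, "iptables -C" (exit 0 if
# an identical rule already exists) stops the rule being inserted again on
# every run from cron.
block_ips() {
    bad_ips | while read -r ip; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "iptables -I INPUT -s $ip -j DROP"
        elif ! iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

block_ips
```

Run as-is it prints the four rules it would add (two SASL/SSH offenders and two jmx-console probers); with DRY_RUN=0 as root it inserts them. The dotted-quad check and the allowlist matter because the sed patterns accept anything made of digits and dots, and the sample auth log shows why the allowlist is there: a failed root login from the admin host 192.0.2.10 would otherwise lock the administrator out.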