Bad-ips.sh
Introduction
Internet hosts are constantly under attack by bots and junk mailers. This script uses iptables to block the addresses of hosts that have behaved suspiciously.
The strategy is simple: periodically inspect the log files and extract the IP addresses to block. Looking at the two most recent log files ("*.log" and "*.log.1") takes care of the midnight problem (entries that log rotation has just moved into "*.log.1" are still examined, so an attacker is not forgotten the moment the log rolls over) and, because only the offenders present in those two files are blocked, it also keeps the iptables rule set down to a handy size.
Targets
Any SMTP client that fails SASL authentication against the mail server. This is usually a junk mailer trying default credentials.
Attempts to log in as root over SSH. The SSH daemon does not allow root logins. I know this. So does everyone else... except the bots probing with a password list.
Clients requesting jmx-console. The JBoss JMX console has had loads of security holes, and there is no reason for it to be reachable at a public perimeter; the only clients asking for it are bots scanning for something to exploit.
Script
As listed, the script prints the addresses to block, one per line. Each of the three pipelines extracts the client address from one kind of log entry, and the two most recent log files are always read together.
#!/bin/bash
# Print the IP addresses to block, one per line, from the two most recent log
# files. grep -h suppresses the "filename:" prefix that grep adds when given
# several files, so the sed patterns only ever see the log line itself.
# IP addresses that have failed SASL login (junk mailers)
grep -h LOGIN /var/log/mail.log /var/log/mail.log.1 | grep failed | sed -E 's/.*\[([0-9.]+)\].*/\1/' | sort -u
# IP addresses that have tried to log in as root (botnets)
grep -h "Failed password for root" /var/log/auth.log /var/log/auth.log.1 | sed -E 's/.*from ([0-9.]+) .*$/\1/' | sort -u
# IP addresses that have looked for pre-infections or weaknesses. The client
# address is the first field of a combined log line, or the second field in
# the vhost_combined format, so the pattern accepts an optional leading field.
grep -h "jmx-console" /var/log/apache2/*.log /var/log/apache2/*.log.1 | sed -E 's/^([^ ]+ )?([0-9]+(\.[0-9]+){3}) .*$/\2/' | sort -u
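The following is an added example, not the original script and not code from the page's author. It carries the three targets above through to the blocking step the introduction describes: each log pattern becomes a function reading log lines on stdin, every candidate is validated as a dotted quad before it reaches the firewall (a sed pattern that fails to match passes the whole attacker-influenced log line through, and without a check that line would be handed to iptables as its -s argument), a small allowlist keeps management addresses out of the block list, and the chain is rebuilt from scratch on every run so the rule set only ever holds the offenders still present in "*.log" and "*.log.1". The chain name BADIPS, the ALLOWLIST and IPTABLES variables, the --list/--apply/--sample flags and the sample log lines at the end (RFC 5737 documentation addresses) are all assumptions made for this illustration.

```bash
#!/bin/bash
# Added example, not the page's own script: extract offending IPs from the two
# most recent mail, auth and Apache logs and rebuild an iptables chain from them.
# BADIPS, ALLOWLIST, IPTABLES and the --list/--apply/--sample flags are assumptions.

IPTABLES=${IPTABLES:-iptables}       # set to ":" or "echo" for a dry run
ALLOWLIST=${ALLOWLIST:-"127.0.0.1"}  # space-separated addresses never to block
CHAIN=BADIPS

# Strict dotted-quad check. Only values passing this reach iptables, so a log
# line that a sed pattern failed to reduce (or an IPv6 client) is dropped here
# instead of being handed to the firewall as a bogus -s argument.
is_ipv4() {
    local -a o
    [[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
    IFS=. read -r -a o <<< "$1"
    (( 10#${o[0]} <= 255 && 10#${o[1]} <= 255 && 10#${o[2]} <= 255 && 10#${o[3]} <= 255 ))
}

# Postfix: "... warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: ..."
sasl_failures() { grep LOGIN | grep failed | sed -E 's/.*\[([0-9.]+)\].*/\1/'; }

# sshd: "... Failed password for root from 203.0.113.9 port 40122 ssh2"
root_ssh_failures() { grep 'Failed password for root' | sed -E 's/.*from ([0-9.]+) .*/\1/'; }

# Apache combined ("IP - - [...]") or vhost_combined ("host:port IP - - [...]"):
# the client address is the first or second field, never an IP found later in
# the request line or referer, which the client controls.
jmx_probes() { grep 'jmx-console' | sed -E 's/^([^ ]+ )?([0-9]+(\.[0-9]+){3}) .*$/\2/'; }

# Read any mix of log lines on stdin; print the sorted, unique, validated and
# allowlist-filtered set of addresses to block, one per line.
extract_bad_ips() {
    local lines ip
    lines=$(cat)
    {
        sasl_failures     <<< "$lines"
        root_ssh_failures <<< "$lines"
        jmx_probes        <<< "$lines"
    } | LC_ALL=C sort -u | while read -r ip; do
        is_ipv4 "$ip" || continue
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        printf '%s\n' "$ip"
    done
}

# Rebuild the chain from the addresses on stdin. Flushing first means the
# rule set only ever holds the offenders still present in *.log and *.log.1,
# which is what keeps it a handy size. Prints the number of rules added.
apply_blocklist() {
    local ip n=0
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -C INPUT -j "$CHAIN" 2>/dev/null || $IPTABLES -I INPUT -j "$CHAIN"
    $IPTABLES -F "$CHAIN"
    while read -r ip; do
        $IPTABLES -A "$CHAIN" -s "$ip" -j DROP && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# The two most recent files of each log, read together (the midnight problem).
collect_logs() {
    cat /var/log/mail.log /var/log/mail.log.1 \
        /var/log/auth.log /var/log/auth.log.1 \
        /var/log/apache2/*.log /var/log/apache2/*.log.1 2>/dev/null
    return 0
}

# Constructed sample log lines (RFC 5737 documentation addresses) for a local check.
SAMPLE_LOG='Mar  3 00:01:12 mx postfix/smtpd[2201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 00:02:40 mx sshd[2310]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  3 00:02:41 mx sshd[2311]: Failed password for alice from 203.0.113.10 port 40123 ssh2
192.0.2.44 - - [03/Mar/2014:00:03:01 +0000] "GET /jmx-console/ HTTP/1.1" 404 312 "-" "Mozilla/4.0"
www.example.com:80 192.0.2.45 - - [03/Mar/2014:00:03:02 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 404 312 "-" "-"
203.0.113.9 - - [03/Mar/2014:00:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
127.0.0.1 - - [03/Mar/2014:00:05:00 +0000] "GET /jmx-console/ HTTP/1.1" 404 312 "-" "-"'

case ${1:-} in
    --list)   collect_logs | extract_bad_ips ;;                  # show what would be blocked
    --apply)  collect_logs | extract_bad_ips | apply_blocklist ;;
    --sample) printf '%s\n' "$SAMPLE_LOG" | extract_bad_ips ;;  # 192.0.2.44 192.0.2.45 198.51.100.7 203.0.113.9
esac
```

Run it from cron with --apply; --list only prints the candidate list, which is the safe way to check the patterns against your own logs before letting it touch iptables, and --sample shows the filtering on the constructed lines (the non-root SSH failure, the ordinary page request and the allowlisted 127.0.0.1 all stay out of the result). Setting IPTABLES=echo gives a dry run of the chain rebuild.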