LinuxQuestions.org
Old 01-07-2011, 02:30 PM   #1
moyorakkhi
Basic shell script question

Hello,

I want to filter and block failed attempts to access my proftpd server. Here are a few lines from the /var/log/secure file:

Quote:
Jan 2 18:38:25 server1 proftpd[17847]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:27 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.
Jan 2 18:38:29 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:31 server1 proftpd[17874]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.
Jan 2 18:38:34 server1 proftpd[17874]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
There are several lines like this. I would like to block any attempts like this from any IP twice. Here's a script I'm trying to run to block those IPs.

Code:
#!/bin/sh

# scan /var/log/secure for proftpd attempts
# use iptables to block the bad guys

# Looking for attempts on existing and non-existing users.

tail -1000 /var/log/secure | awk '/proftpd/ && /Maximum login/ { if (/attempts/) try[$7]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read ip
do
    # note: check if IP is already blocked...
    /sbin/iptables -L -n | grep "$ip" > /dev/null
    if [ $? -eq 0 ] ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        # echo "Subject: denying ip: $ip" | /usr/sbin/sendmail admin@XYZ.com
        logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
How can I select the IP with "awk"? With the current script it's selecting "(93.218.93.95[93.218.93.95])" completely. But I only want to select the IP so that iptables can drop requests from that IP.

Thanks in advance!
 
Old 01-07-2011, 03:24 PM   #2
szboardstretcher
Well, you can use egrep and the -o to only spit out the regex IP addresses... but in your case, they will be doubled up since there are two identical IPs per line.

Code:
egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'
Also, it doesn't care about "valid" IP addresses. It will spit out any numbers with 3 separating periods.

Old 01-07-2011, 08:26 PM   #3
unSpawn
Quote:
Originally Posted by moyorakkhi View Post
Here's a script i'm trying to run to block those IPs.
Note that placing all IP addresses to -j DROP in your INPUT chain isn't that efficient. Since Netfilter works on a first-match basis, using a separately named chain that filters for valid, new connections to port TCP/22 would be more efficient, as there is no need for those packets to traverse other chains or filters, and rules would be easier to manage.
All of that can be done automagically with fail2ban. Unless re-inventing the wheel is your thing of course.
Old 01-08-2011, 07:46 AM   #4
moyorakkhi
Quote:
Originally Posted by szboardstretcher View Post
Well, you can use egrep and the -o to only spit out the regex ipaddresses... but in your case, they will be doubled up since there are two identical IP's per line.

Code:
egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'
Also, it doesn't care about "valid" ipaddresses. It will spit out any numbers with 3 seperating periods.
Thanks for your feedback. Truth be told, I'm a novice at awk and scripting; could you please help me to use the egrep in the script? I can't figure out where to put the line.
 
Old 01-08-2011, 08:13 AM   #5
unSpawn
Moved: This thread is more suitable in either the Newbie forum (where very basic questions from new members may be found) or the Programming forum (where shell script questions often are found) and has been moved accordingly to help your thread/question get the exposure it deserves. I chose Newbie for you as this is not a Linux Security issue and you indicate re-inventing the wheel is your thing.
Old 01-08-2011, 08:49 AM   #6
grail
Well, I would have to say I am a little lost at how your current awk is working, seeing as neither $7 nor $11 is related to the IP address on any of the lines shown.
However, using the lines given, the following could work:
Code:
awk -F"[][]" '{print $(NF-1)}'
This simply prints the IP for now but I am sure you can change it to what you have to store it instead.
Old 01-08-2011, 01:40 PM   #7
moyorakkhi
Thanks a lot, grail! The script is working fine now. It's blacklisting proftpd failed attempts; finally, it looks like this:

Code:
#!/bin/sh

# scan /var/log/secure for proftpd attempts
# use iptables to block the bad guys

# Looking for attempts on existing and non-existing users.

tail -1000 /var/log/secure | awk '/proftpd/ && /Maximum login attempts/' | awk -F "[][]" '{print $(NF-1)}' | sort -u |
while read ip
do
    # note: check if IP is already blocked (whole-word, fixed-string match,
    # so 1.2.3.4 is not mistaken for 1.2.3.45)...
    /sbin/iptables -L -n | grep -wF "$ip" > /dev/null
    if [ $? -eq 0 ] ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        # echo "Subject: denying ip: $ip" | /usr/sbin/sendmail pager@XYZ.com
        logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
 
Old 01-09-2011, 06:04 AM   #8
grail
Glad you got it working. I would mention that grep has a -q option which you could use to save the redirect to null.
Also, if you use bash (it may work in sh, but I'm not sure) you can simply place the pipeline directly in the if, like so:
Code:
if /sbin/iptables -L -n | grep -q "$ip"; then
 
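As an added example (not a script from this thread or from the ProFTPD project), the following pulls the thread's pieces together: grail's split on "[" and "]" to extract the address, a per-IP count so an address is only blocked once it has hit the login limit at least twice (the OP's stated goal), an octet check so that a string which merely looks like an address (szboardstretcher's caveat) is never fed to iptables, and unSpawn's suggestion of a dedicated chain so rules don't pile up in INPUT. The chain name PROFTPD_BLOCK, the threshold of 2, the use of iptables -C for the "already blocked" test, and the sample log lines are all assumptions or constructed.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumed: the chain name, the
# threshold, and that this iptables supports "-C" (rule check).
CHAIN=PROFTPD_BLOCK   # dedicated chain hooked from INPUT, per unSpawn's advice
THRESHOLD=2           # block after this many "Maximum login attempts" lines
IPT=${IPT:-/sbin/iptables}

# Constructed sample in the /var/log/secure format shown in the thread.
SAMPLE_LOG='Jan 2 18:38:25 server1 proftpd[17847]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:27 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.
Jan 2 18:38:29 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:40:00 server1 proftpd[17900]: server1.XYZ.com (198.51.100.7[198.51.100.7]) - Maximum login attempts (3) exceeded
Jan 2 18:41:00 server1 sshd[17901]: Failed password for root from 203.0.113.9 port 4444 ssh2'

# Read log lines on stdin; print, sorted, every IPv4 address that hit the
# proftpd login limit at least THRESHOLD times. The split on "[" and "]" is
# grail's trick; the octet check drops anything that is not a real address.
offenders() {
    awk -F'[][]' -v limit="$THRESHOLD" '
        function valid(ip,  o, i) {
            if (split(ip, o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        /proftpd\[/ && /Maximum login attempts/ { seen[$(NF-1)]++ }
        END { for (ip in seen) if (seen[ip] >= limit && valid(ip)) print ip }
    ' | sort
}

# Helper so the sample can be checked without touching the real log.
sample_offenders() { printf '%s\n' "$SAMPLE_LOG" | offenders; }

# Block one address in the dedicated chain, creating the chain and the INPUT
# hook on first use. "-C" is an exact rule match, so "1.2.3.4" can no longer be
# mistaken for "1.2.3.45" the way "iptables -L | grep $ip" allows.
block_ip() {
    if "$IPT" -N "$CHAIN" 2>/dev/null; then
        "$IPT" -I INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j "$CHAIN"
    fi
    if "$IPT" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null; then
        return 0    # already blocked, nothing to do
    fi
    logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $1"
    "$IPT" -A "$CHAIN" -s "$1" -j DROP
}

# Real run (needs root): tail -n 1000 /var/log/secure | offenders | while read -r ip; do block_ip "$ip"; done
```

With the sample above only 93.218.93.95 reaches the threshold; the sshd line and the single-hit address are left alone.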
Old 01-09-2011, 01:09 PM   #9
moyorakkhi
Thanks, man! That worked.
 
Old 01-09-2011, 08:26 PM   #10
grail
Cool. Don't forget to mark as SOLVED once you have a solution.