LinuxQuestions.org


moyorakkhi 01-07-2011 01:30 PM

Basic shell script question
 


Hello,

I want to filter and block failed attempts to access my proftpd server. Here are a few lines from the /var/log/secure file:

Quote:

Jan 2 18:38:25 server1 proftpd[17847]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded

Jan 2 18:38:27 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.

Jan 2 18:38:29 server1 proftpd[17864]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded

Jan 2 18:38:31 server1 proftpd[17874]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.

Jan 2 18:38:34 server1 proftpd[17874]: server1.XYZ.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
There are several lines like this. I would like to block any attempts like this from any IP twice. Here's a script I'm trying to run to block those IPs.

Quote:

#!/bin/sh

# scan /var/log/secure for proftpd attempts
# use iptables to block the bad guys

# Looking for attempts on existing and non-existing users.

tail -1000 /var/log/secure | awk '/proftpd/ && /Maximum login/ { if (/attempts/) try[$7]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read ip
do
# note: check if IP is already blocked...
/sbin/iptables -L -n | grep $ip > /dev/null
if [ $? -eq 0 ] ; then
# echo "already denied ip: [$ip]" ;
true
else
# echo "Subject: denying ip: $ip" | /usr/sbin/sendmail admin@XYZ.com
logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
/sbin/iptables -I INPUT -s $ip -j DROP
fi
done
How can I select the IP with "awk"? With the current script it's selecting "(93.218.93.95[93.218.93.95])" completely. But I only want to select the IP so that iptables can drop requests from that IP.

Thanks in advance!

szboardstretcher 01-07-2011 02:24 PM

Well, you can use egrep and the -o to only spit out the regex IP addresses... but in your case, they will be doubled up since there are two identical IPs per line.

Code:

egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'
Also, it doesn't care about "valid" IP addresses. It will spit out any numbers with 3 separating periods.

unSpawn 01-07-2011 07:26 PM

Quote:

Originally Posted by moyorakkhi (Post 4216688)
Here's a script i'm trying to run to block those IPs.

Note placing all IP addresses to -j DROP in your INPUT chain isn't that efficient. Since Netfilter works on a first match basis, using a separately named chain that filters for valid, new connections to port TCP/22 would be more efficient, as there is no need for those packets to traverse other chains or filters, and rules would be easier to manage.
All of that can be done automagically with fail2ban. Unless re-inventing the wheel is your thing of course.

moyorakkhi 01-08-2011 06:46 AM

Quote:

Originally Posted by szboardstretcher (Post 4216733)
Well, you can use egrep and the -o to only spit out the regex IP addresses... but in your case, they will be doubled up since there are two identical IPs per line.

Code:

egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'
Also, it doesn't care about "valid" IP addresses. It will spit out any numbers with 3 separating periods.

Thanks for your feedback. To tell the truth, I'm a novice at awk and scripting; could you please help me use the egrep in the script? Can't figure out where to put the line :(

unSpawn 01-08-2011 07:13 AM

Moved: This thread is more suitable in either the Newbie forum (where very basic questions from new members may be found) or the Programming forum (where shell script questions often are found) and has been moved accordingly to help your thread/question get the exposure it deserves. I chose Newbie for you as this is not a Linux Security issue and you indicate re-inventing the wheel is your thing.

grail 01-08-2011 07:49 AM

Well, I would have to say I am a little lost at how your current awk is working, seeing as neither $7 nor $11 is related to the IP address on any of the lines shown??
However, using the lines given, the following could work:
Code:

awk -F"[][]" '{print $(NF-1)}'
This simply prints the IP for now but I am sure you can change it to what you have to store it instead.

moyorakkhi 01-08-2011 12:40 PM

Thanks a lot grail! The script is working fine now. It's blacklisting proftpd failed attempts :) Finally it looks like this:

Quote:

#!/bin/sh

# scan /var/log/secure for proftpd attempts
# use iptables to block the bad guys

# Looking for attempts on existing and non-existing users.

tail -1000 /var/log/secure | awk '/proftpd/ && /Maximum login attempts/' | awk -F "[][]" '{print $(NF-1)}' |
while read ip
do
# note: check if IP is already blocked...
/sbin/iptables -L -n | grep $ip > /dev/null
if [ $? -eq 0 ] ; then
# echo "already denied ip: [$ip]" ;
true
else
# echo "Subject: denying ip: $ip" | /usr/sbin/sendmail pager@XYZ.com
logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
/sbin/iptables -I INPUT -s $ip -j DROP
fi
done

grail 01-09-2011 05:04 AM

Glad you got it working. I would mention that the grep has a -q option which you could use to save the redirect to null.
Also, if you use bash (it may work in sh but not sure) you can simply place the command in the if itself, like so:
Code:

if /sbin/iptables -L -n | grep -q $ip; then
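Pulling the thread's pieces together, here is a hardened version of the final script as an added example (not code posted in the thread): grail's bracket-split awk for the IP, a per-IP threshold instead of blocking on the first hit, a validity check so only dotted quads reach iptables, an exact rule check with iptables -C instead of grepping iptables -L (where "93.218.93.9" would also match "93.218.93.95"), and a dedicated chain for new FTP connections as unSpawn suggested. The chain name PROFTPD_BLOCK, TCP/21 as the FTP port, iptables with -C support and the sample log lines are all assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardened version of the final script.
# Assumptions: log lines in the format quoted above, iptables with -C support,
# FTP on TCP/21, and a dedicated chain name PROFTPD_BLOCK chosen here.
LOG=/var/log/secure
CHAIN=PROFTPD_BLOCK
THRESHOLD=2   # block after this many "Maximum login attempts" lines per IP
# Constructed sample input in the thread's log format (not real log data).
SAMPLE_LOG='Jan 2 18:38:25 server1 proftpd[17847]: server1.example.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:38:27 server1 proftpd[17864]: server1.example.com (93.218.93.95[93.218.93.95]) - USER admin (Login failed): Incorrect password.
Jan 2 18:38:29 server1 proftpd[17864]: server1.example.com (93.218.93.95[93.218.93.95]) - Maximum login attempts (3) exceeded
Jan 2 18:40:00 server1 proftpd[17900]: server1.example.com (192.0.2.7[192.0.2.7]) - Maximum login attempts (3) exceeded
Jan 2 18:41:00 server1 proftpd[17901]: server1.example.com (999.1.1.1[999.1.1.1]) - Maximum login attempts (3) exceeded'

# Read log text on stdin; print each IP that hit "Maximum login attempts" at
# least $1 times, once, sorted. The IP is the field between '[' and ']' as in
# grail's awk; malformed addresses are dropped so nothing odd reaches iptables.
extract_offenders() {
    awk -F'[][]' -v min="$1" '
        /proftpd/ && /Maximum login attempts/ {
            ip = $(NF-1)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split(ip, o, ".")
            if (o[1]+0 > 255 || o[2]+0 > 255 || o[3]+0 > 255 || o[4]+0 > 255) next
            seen[ip]++
        }
        END { for (ip in seen) if (seen[ip] >= min) print ip }' | sort
}

# Exact-match rule check (replaces "iptables -L -n | grep $ip", which also
# matches 93.218.93.9 against 93.218.93.95 because '.' is a regex wildcard).
is_blocked() { iptables -C "$CHAIN" -s "$1" -j DROP 2>/dev/null; }

# Dedicated chain, consulted only for new TCP/21 connections (unSpawn's point).
ensure_chain() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j "$CHAIN"
}

main() {
    ensure_chain
    tail -n 1000 "$LOG" | extract_offenders "$THRESHOLD" | while read -r ip; do
        is_blocked "$ip" && continue
        logger -p authpriv.notice "*** Blocking ProFTPD attempt from: $ip"
        iptables -A "$CHAIN" -s "$ip" -j DROP
    done
}
# Only touch the firewall when run with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron as root with --run; sourcing the file instead lets you try extract_offenders against the constructed SAMPLE_LOG without touching the firewall.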

moyorakkhi 01-09-2011 12:09 PM

Thanks man! that worked :)

grail 01-09-2011 07:26 PM

Cool ;) Don't forget to mark as SOLVED once you have a solution.

