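#!/bin/bash
# generate a list of ips worth blocking, by searching /var/log/secure for:
# 1) "Invalid user"
# 2) "preauth"
# 3) "Did not receive identification string from"
# and block them via iptables (because fail2ban SUCKS! (it is too complicated and fails often to generate iptables rules, also not compatible with newer nftables)
# reset of iptables will be done via /scripts/reset.sh every 3 days (crontab)
#
# Needs root: reads /var/log/secure, runs iptables and /scripts/firewall/ban_ip.sh.
# All intermediate files live in /var/log and are rebuilt from scratch on every run.

set -u

readonly secure_log=/var/log/secure
readonly exim_log=/var/log/exim_failed_logins.log          # optional extra source, see rsync below
readonly matched_log=/var/log/secure_invalid_preauth.log   # lines of $secure_log that matched
readonly ban_list=/var/log/secure_invalid_preauth.log2     # one candidate ip per line
readonly iptables_dump=/var/log/secure_invalid_preauth.log3
readonly autoban_log=/var/log/firewall_autoban.log
readonly ban_script=/scripts/firewall/ban_ip.sh

# download exim failed login attempts
# rsync -r -v --progress -e "ssh -i /home/user/.ssh/id_rsa" user@192.168.56.XXX:/var/log/exim_failed_logins.log /var/log

# filter out according to patterns and save to /var/log/secure_invalid_preauth.log
# ('>' truncates the file before grep starts, so no separate "empty file" step is needed)
grep -e "Invalid user" -e "preauth" -e "Did not receive identification string from" \
  -- "$secure_log" > "$matched_log"

# cat /var/log/messages | grep -e "SRC" > /var/log/secure_bad_packages.log

# prepare ip extraction patterns: a dotted quad whose octets are 0-255 without leading
# zeros. The original octet pattern started at 1 and therefore never matched addresses
# containing a 0 octet (e.g. 10.0.x.y); '[1-9]?[0-9]' covers 0-99 instead.
octet='\<(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\>'
ip="$octet\\.$octet\\.$octet\\.$octet"

# extract ips and filter duplicates across both sources in one pass (sort -u);
# the exim list (downloaded from webserver dwaves.org) is only used when it is present
sources=("$matched_log")
[[ -r "$exim_log" ]] && sources+=("$exim_log")
# NOTE(review): every address found in a matching line is extracted, including ones a
# remote client can place in the line itself (e.g. as the "Invalid user" name), so the
# exclusion list below is what protects addresses that must stay reachable.
grep -Eoh "$ip" -- "${sources[@]}" | sort -u > "$ban_list"

echo "=== delete all IPs from the ban-list (user's fixed ips, dns servers/router/proxys etc.) 
==="
# one anchored pattern per entry: '.' is escaped so it is a literal dot, '^' (plus '$' for
# a single host) keeps e.g. 1123.123.x.x from being dropped together with 123.123.x.x
sed -i \
  -e '/^123\.123\.123\.123$/d' \
  -e '/^123\.123\./d' \
  "$ban_list"

# check if ip already banned
iptables -nL > "$iptables_dump"

# iterate over every line of the ban-list (the original loop had no input redirection
# and therefore read the script's own stdin instead of the list)
while IFS= read -r line; do
  # the list comes from grep -Eo, so each line should already be a bare dotted quad;
  # re-check before handing it to the ban script anyway
  [[ "$line" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
  # -F: literal match (no regex '.'), -w: whole word, so 1.2.3.4 is not reported as
  # banned just because 11.2.3.45 is
  if grep -qwF -- "$line" "$iptables_dump"; then
    echo "$line is already banned."
  else
    echo "banning $line"
    echo "banning $line" >> "$autoban_log"
    "$ban_script" "$line"
    # i hate fail2ban it does not work properly, i just will create an iptable rule directly
    # fail2ban-client set sshd banip $line;
  fi
done < "$ban_list"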