Get a list of IP addresses trying to attack your CentOS server

getbadguys.sh

#/usr/bin/bash
# strings to look for in our file
# Note: you could just parse the whole file. But if you put in a bad password your IP 
# could end up on the bad guy list
declare -a badstrings=("Failed password for invalid user"
                "input_userauth_request: invalid user"
                "pam_unix(sshd:auth): check pass; user unknown"
                "input_userauth_request: invalid user"
                "does not map back to the address"
                "pam_unix(sshd:auth): authentication failure"
                "input_userauth_request: invalid user"
                "reverse mapping checking getaddrinfo for"
                "input_userauth_request: invalid user"
                )
# search for each of the strings in your file (this could probably be a one liner)
for i in "${badstrings[@]}"
    do
    # look for each term and add new IPs to text file
    cat /var/log/secure | grep "$i" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | awk '{print $0}' | sort | uniq >> "temp.txt"
    done

# grab unique ips from temp and put them in a file
cat "temp.txt" | sort | uniq > "badguyips.txt"
# remove the temp file
rm "temp.txt"

(Came here from your blog) You could put those strings in a file and use grep's -f option.
You might want to look at ipset as well instead of adding individual rules for iptables for each bad ip.

(Came here from your blog) You could put those strings in a file and use grep's -f option.
You might want to look at ipset as well instead of adding individual rules for iptables for each bad ip.

Thank you! You're right those would likely be easier to manage in their own file.