Get a list of IP addresses trying to attack your CentOS server
#!/bin/bash
# strings to look for in our file
# Note: you could just parse the whole file. But if you put in a bad password your IP
# could end up on the bad guy list
declare -a badstrings=("Failed password for invalid user"
"input_userauth_request: invalid user"
"pam_unix(sshd:auth): check pass; user unknown"
"does not map back to the address"
"pam_unix(sshd:auth): authentication failure"
"reverse mapping checking getaddrinfo for")
# search for each of the strings in your file (this could probably be a one liner)
for i in "${badstrings[@]}"
do
  # look for each term (as a fixed string) and add new IPs to the temp file
  grep -F "$i" /var/log/secure | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u >> "temp.txt"
done
# grab unique ips from temp and put them in a file
sort -u "temp.txt" > "badguyips.txt"
# remove the temp file
rm "temp.txt"

cmbaughman commented Feb 10, 2020

After getting the IPs in a file do:

input="badguyips.txt"
while IFS= read -r line
do
  iptables -A INPUT -s "$line" -j DROP
done < "$input"

service iptables save
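The following is an added example, not the gist's script or cmbaughman's comment code. It shows the same two steps (pull attacker IPs out of sshd log lines, then turn them into DROP rules) over a constructed sample of /var/log/secure that is embedded inline, so it runs offline. Two things the gist's version does not do are added here: the dotted-quad regex is tightened with an octet-range check (so a string like 999.1.1.1 is not treated as an address), and a whitelist (an assumption of this example, not the gist's) keeps your own address off the list, which is the failure mode the gist's comment warns about. The iptables lines are only printed, and they use `iptables -C` before `-A` so re-running does not append duplicate rules.

```shell
#!/bin/bash
# Added example: parse sshd lines for the gist's indicator strings, keep only
# valid, non-whitelisted IPv4 addresses, and print idempotent DROP rules.
# The sample log below and the WHITELIST value are constructed for this example.

# Constructed sample in the /var/log/secure format (not real data).
SAMPLE_LOG='Feb 10 12:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.10 port 4000 ssh2
Feb 10 12:00:02 host sshd[102]: input_userauth_request: invalid user admin [preauth]
Feb 10 12:00:03 host sshd[103]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Feb 10 12:00:04 host sshd[104]: reverse mapping checking getaddrinfo for bad.example [203.0.113.10] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 10 12:00:05 host sshd[105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.44  user=root
Feb 10 12:00:06 host sshd[106]: Failed password for invalid user test from 192.0.2.99 port 6000 ssh2
Feb 10 12:00:07 host sshd[107]: Failed password for invalid user test from 999.1.1.1 port 6001 ssh2'

# Space-separated addresses that must never be blocked (assumed: your own
# admin workstation). This is the guard against blocking yourself.
WHITELIST="192.0.2.99"

# extract_bad_ips LOGFILE
# Prints unique IPv4 addresses from lines matching any indicator string,
# dropping anything with an octet above 255 or present in WHITELIST.
extract_bad_ips() {
    logfile="$1"
    grep -F -e "Failed password for invalid user" \
            -e "input_userauth_request: invalid user" \
            -e "pam_unix(sshd:auth): check pass; user unknown" \
            -e "does not map back to the address" \
            -e "pam_unix(sshd:auth): authentication failure" \
            -e "reverse mapping checking getaddrinfo for" "$logfile" \
    | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -v wl="$WHITELIST" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
        {
            split($0, o, ".")
            if (o[1]+0 <= 255 && o[2]+0 <= 255 && o[3]+0 <= 255 && o[4]+0 <= 255 \
                && !($0 in skip)) print
        }' \
    | sort -u
}

# drop_rules_for IP...
# Prints one iptables line per address. The -C check makes the rule
# idempotent: an address already present is not appended a second time.
drop_rules_for() {
    for ip in "$@"; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -A INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Stand-alone run: write the sample to a temp file, extract, print the rules.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_file"
# shellcheck disable=SC2046
drop_rules_for $(extract_bad_ips "$demo_file")
rm -f "$demo_file"
```

On a real host you would point extract_bad_ips at /var/log/secure, review the printed rules, and only then execute them and run `service iptables save` as the comment describes; keep the whitelist populated with every address you administer from.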
