Get a list of IP addresses trying to attack your CentOS server
#!/usr/bin/bash
# strings to look for in our file
# Note: you could just parse the whole file. But if you put in a bad password your IP
# could end up on the bad guy list
declare -a badstrings=("Failed password for invalid user"
"input_userauth_request: invalid user"
"pam_unix(sshd:auth): check pass; user unknown"
"does not map back to the address"
"pam_unix(sshd:auth): authentication failure"
"reverse mapping checking getaddrinfo for"
)
# search for each of the strings in your file (this could probably be a one liner)
for i in "${badstrings[@]}"
do
  # look for each term (matched as a fixed string) and add the IPs on those lines to the temp file
  grep -F "$i" /var/log/secure | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u >> "temp.txt"
done
# grab unique ips from temp and put them in a file
sort -u "temp.txt" > "badguyips.txt"
# remove the temp file
rm "temp.txt"
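As an added example (not part of the gist), the same scan written as one function: the gist's search strings are joined into a single alternation so the log is read once, each address is counted, and a threshold plus an allow-list keep a single mistyped password from putting your own address on the list. The log lines are constructed, and the function name `bad_ips` and its arguments are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the gist's own script: count hits per IP across the
# gist's failure strings and print only addresses over a threshold.

# Constructed sample of /var/log/secure lines (not real log data).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 10 01:02:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Feb 10 01:02:04 host sshd[1234]: input_userauth_request: invalid user admin [preauth]
Feb 10 01:02:05 host sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 4243 ssh2
Feb 10 01:02:06 host sshd[1236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9
Feb 10 01:02:07 host sshd[1237]: reverse mapping checking getaddrinfo for bad.example [198.51.100.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 10 01:02:08 host sshd[1238]: Failed password for invalid user root from 192.0.2.77 port 5000 ssh2
Feb 10 01:02:09 host sshd[1239]: Accepted password for alice from 192.0.2.10 port 5001 ssh2
EOF

# The gist's search strings as one extended regex (parentheses escaped).
BAD_PATTERN='Failed password for invalid user|input_userauth_request: invalid user|pam_unix\(sshd:auth\): check pass; user unknown|does not map back to the address|pam_unix\(sshd:auth\): authentication failure|reverse mapping checking getaddrinfo for'

# bad_ips LOGFILE THRESHOLD [ALLOWLIST_REGEX]
# Prints one IP per line: addresses that appear on at least THRESHOLD matching
# lines, minus any that match ALLOWLIST_REGEX (e.g. your own management host).
# Lines without an address (such as the bare input_userauth_request line) add nothing.
bad_ips() {
  local logfile="$1" threshold="$2" allow="${3:-^$}"
  grep -E "$BAD_PATTERN" "$logfile" \
    | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | grep -E -v "$allow" \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage: two or more hits, ignoring the 198.51.100.0/24 management range.
bad_ips "$SAMPLE_LOG" 2 '^198\.51\.100\.'
```

Feed the output into the iptables loop below in place of badguyips.txt, or raise the threshold to match your site's tolerance.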
cmbaughman commented Feb 10, 2020

After getting the IPs in a file do:

#!/bin/bash
input="badguyips.txt"
# add a DROP rule for every address in the file, skipping blank lines
while IFS= read -r line
do
  [ -n "$line" ] || continue
  iptables -A INPUT -s "$line" -j DROP
done < "$input"

# persist the rules so they survive a reboot
service iptables save
