deadbok/gist:77118bfd16a77125b195

## gistfile1.sh
#!/bin/sh
#
# dropBrute.sh by robzr
#
# minimalist OpenWRT/dropbear ssh brute force attack banning script
#
# Installation steps:
#
# 1) Optionally edit the variables in the header of this script to customise
#    for your environment
#
# 2) Insert a reference for this rule in your firewall script before you
#    accept ssh, something like:
#
#    iptables -N logndrop
#    iptables -N dropBrute
#    iptables -A logndrop -j LOG
#    iptables -A logndrop -j DROP
#    iptables -A input_rule -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
#    iptables -A input_rule -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j logndrop
#    iptables -A input_rule -p tcp --dport 22 -j dropBrute
#
#    This will block the brute force attack until the IP is banned by the script
#
# 3) Run the script periodically out of cron:
#
#    echo '*/10 * * * * /usr/sbin/dropBrute.sh 2>&1 >> /tmp/dropBrute.log' >> /etc/crontabs/root
#
# 4) If cron is not enabled, you'll also need to run the following:
#
#    /etc/init.d/cron enable && /etc/init.d/cron start
#
#
# To whitelist hosts or networks, simply add a manual entry to the lease
# file with a leasetime of -1.  This can be done with the following syntax:
#
#    echo -1 192.168.1.0/24 >> /tmp/dropBrute.leases
#
# A static, or non-expiring blacklist of a host or network can also be
# added, just use a lease time of 0.  This can be done with the following syntax:
#
#    echo 0 1.2.3.0/24 >> /tmp/dropBrute.leases

# How many bad attempts before banning. Only the log entries from the
# current day are checked.
allowedAttempts=10

# How long IPs are banned for
# default is 1 day
secondsToBan=$((1*60*60*24))

# the "lease" file - defaults to /tmp which does not persist across reboots
leaseFile=/tmp/dropBrute.leases

# This is the iptables chain that drop commands will go into.
# you will need to put a reference in your firewall rules for this
iptChain=dropBrute

# the IP Tables drop rule
iptDropRule='-j DROP'

# the IP Tables whitelist rule
iptWhiteRule='-j RETURN'

# You can put default leasefile entries in the following space.
# Syntax is simply "leasetime _space_ IP_or_network".  A leasetime of -1 is a
# whitelist entry, and a leastime of 0 is a permanent blacklist entry.
[ -f $leaseFile ] || cat <<__EOF__>>$leaseFile
-1 192.168.1.0/24
__EOF__

# End of user customizable variables (unless you know better :) )

ipt='/usr/sbin/iptables'

[ `date +'%s'` -lt 1320000000 ] && echo System date not set, aborting. && exit -1
$ipt -N $iptChain >&/dev/null

now=`date +'%s'`
nowPlus=$((now + secondsToBan))

echo Running dropBrute on `date` \($now\)

# find new badIPs
for badIP in `logread | fgrep dropbear | egrep -i 'login attempt for nonexistent user'\|'bad password attempt for'| sed 's/^.*from //' | sed 's/:.*$//' | sort -u` ; do
  found=`logread | fgrep dropbear | egrep -i 'login attempt for nonexistent user'\|'bad password attempt for'|sed 's/^.*from //'|sed 's/:.*$//' | fgrep $badIP | wc -l`
  if [ $found -gt $allowedAttempts ] ; then
    # if there is not a lease, add it
    if [ $(egrep -c $badIP$ $leaseFile) -eq 0 ] ; then
       echo $nowPlus $badIP >> $leaseFile
    fi
  fi
done

# now parse the leaseFile
cat $leaseFile | while read lease ; do
  leaseTime=`echo $lease|cut -f1 -d\ `
  leaseIP=`echo $lease|cut -f2 -d\ `
  # when used with the iptables example on the top a return rule is not needed
  if [ $leaseTime -lt 0 ] ; then
    if [ `$ipt -S $leaseChain|egrep \ $leaseIP/32\ \|\ $leaseIP\ |fgrep -- "$iptWhiteRule"| wc -l` -lt 1 ] ; then
      #echo Adding new whitelist rule for $leaseIP
      #$ipt -I $iptChain -s $leaseIP $iptWhiteRule
      true
    fi
  elif [ $leaseTime -ge 1 -a $now -gt $leaseTime ] ; then
    echo Expiring lease for $leaseIP
    $ipt -D $iptChain -s $leaseIP $iptDropRule
    $ipt -D $iptChain -s $leaseIP -j LOG --log-prefix "dropBrute "
    sed -i /$leaseIP/d $leaseFile
  elif [ $leaseTime -ge 0 -a `$ipt -S $leaseChain|egrep \ $leaseIP/32\ \|\ $leaseIP\ |wc -l` -lt 1 ] ; then
    echo Adding new rule for $leaseIP
    $ipt -I $iptChain -s $leaseIP $iptDropRule
    $ipt -I $iptChain -s $leaseIP -j LOG --log-prefix "dropBrute "
  fi
done < $leaseFile
	#!/bin/sh
	#
	# dropBrute.sh by robzr
	#
	# minimalist OpenWRT/dropbear ssh brute force attack banning script
	#
	# Installation steps:
	#
	# 1) Optionally edit the variables in the header of this script to customise
	# for your environment
	#
	# 2) Insert a reference for this rule in your firewall script before you
	# accept ssh, something like:
	#
	# iptables -N logndrop
	# iptables -N dropBrute
	# iptables -A logndrop -j LOG
	# iptables -A logndrop -j DROP
	# iptables -A input_rule -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set
	# iptables -A input_rule -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j logndrop
	# iptables -A input_rule -p tcp --dport 22 -j dropBrute
	#
	# This will block the brute force attack until the IP is banned by the script
	#
	# 3) Run the script periodically out of cron:
	#
	# echo '/10 * * * /usr/sbin/dropBrute.sh 2>&1 >> /tmp/dropBrute.log' >> /etc/crontabs/root
	#
	# 4) If cron is not enabled, you'll also need to run the following:
	#
	# /etc/init.d/cron enable && /etc/init.d/cron start
	#
	#
	# To whitelist hosts or networks, simply add a manual entry to the lease
	# file with a leasetime of -1. This can be done with the following syntax:
	#
	# echo -1 192.168.1.0/24 >> /tmp/dropBrute.leases
	#
	# A static, or non-expiring blacklist of a host or network can also be
	# added, just use a lease time of 0. This can be done with the following syntax:
	#
	# echo 0 1.2.3.0/24 >> /tmp/dropBrute.leases

	# How many bad attempts before banning. Only the log entries from the
	# current day are checked.
	allowedAttempts=10

	# How long IPs are banned for
	# default is 1 day
	secondsToBan=$((16060*24))

	# the "lease" file - defaults to /tmp which does not persist across reboots
	leaseFile=/tmp/dropBrute.leases

	# This is the iptables chain that drop commands will go into.
	# you will need to put a reference in your firewall rules for this
	iptChain=dropBrute

	# the IP Tables drop rule
	iptDropRule='-j DROP'

	# the IP Tables whitelist rule
	iptWhiteRule='-j RETURN'

	# You can put default leasefile entries in the following space.
	# Syntax is simply "leasetime _space_ IP_or_network". A leasetime of -1 is a
	# whitelist entry, and a leastime of 0 is a permanent blacklist entry.
	[ -f $leaseFile ] \|\| cat <<__EOF__>>$leaseFile
	-1 192.168.1.0/24
	__EOF__

	# End of user customizable variables (unless you know better :) )

	ipt='/usr/sbin/iptables'

	[ `date +'%s'` -lt 1320000000 ] && echo System date not set, aborting. && exit -1
	$ipt -N $iptChain >&/dev/null

	now=`date +'%s'`
	nowPlus=$((now + secondsToBan))

	echo Running dropBrute on `date` \($now\)

	# find new badIPs
	for badIP in `logread \| fgrep dropbear \| egrep -i 'login attempt for nonexistent user'\\|'bad password attempt for'\| sed 's/^.from //' \| sed 's/:.$//' \| sort -u` ; do
	found=`logread \| fgrep dropbear \| egrep -i 'login attempt for nonexistent user'\\|'bad password attempt for'\|sed 's/^.from //'\|sed 's/:.$//' \| fgrep $badIP \| wc -l`
	if [ $found -gt $allowedAttempts ] ; then
	# if there is not a lease, add it
	if [ $(egrep -c $badIP$ $leaseFile) -eq 0 ] ; then
	echo $nowPlus $badIP >> $leaseFile
	fi
	fi
	done

	# now parse the leaseFile
	cat $leaseFile \| while read lease ; do
	leaseTime=`echo $lease\|cut -f1 -d\ `
	leaseIP=`echo $lease\|cut -f2 -d\ `
	# when used with the iptables example on the top a return rule is not needed
	if [ $leaseTime -lt 0 ] ; then
	if [ `$ipt -S $leaseChain\|egrep \ $leaseIP/32\ \\|\ $leaseIP\ \|fgrep -- "$iptWhiteRule"\| wc -l` -lt 1 ] ; then
	#echo Adding new whitelist rule for $leaseIP
	#$ipt -I $iptChain -s $leaseIP $iptWhiteRule
	true
	fi
	elif [ $leaseTime -ge 1 -a $now -gt $leaseTime ] ; then
	echo Expiring lease for $leaseIP
	$ipt -D $iptChain -s $leaseIP $iptDropRule
	$ipt -D $iptChain -s $leaseIP -j LOG --log-prefix "dropBrute "
	sed -i /$leaseIP/d $leaseFile
	elif [ $leaseTime -ge 0 -a `$ipt -S $leaseChain\|egrep \ $leaseIP/32\ \\|\ $leaseIP\ \|wc -l` -lt 1 ] ; then
	echo Adding new rule for $leaseIP
	$ipt -I $iptChain -s $leaseIP $iptDropRule
	$ipt -I $iptChain -s $leaseIP -j LOG --log-prefix "dropBrute "
	fi
	done < $leaseFile