Find and block IP addressed failed to log in.

denyip.sh

#!/bin/bash -

# Bio: I will block those IP addresses who failed to log in.
# Usage: Run me directly with root or add me to cron.
# Author: wzyboy
# Website: https://wzyboy.im/
# Version: 2012-08-09-r4

[[ $EUID -ne 0 ]] && echo "You are not root. Abort." && exit 1
cd /var/log/
echo "I am trying to find out who failed to login..."
zgrep 'Bye' auth.log* | grep -Po '\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -nr > auth.log.wzy.sorted
count=$(wc -l auth.log.wzy.sorted | awk '{print $1}')
cat << EOF
I've found $count bad guy(s)!
They are listed in /var/log/auth.log.wzy.sorted
Now I will block them in iptables.
EOF
tmp=$(mktemp /tmp/iptables.XXXXXX)
grep -Po '\d+\.\d+\.\d+\.\d+' auth.log.wzy.sorted > $tmp
iptables -F
for i in $(<$tmp); do
  iptables -I INPUT -s $i -j DROP
done
rm $tmp
echo "Now saving the rules so they can be loaded automatically."
iptables-save > /etc/iptables.rules
cat << EOF
Done! They will never be able to bother $(hostname)!
You can also use this command to view my work:
	sudo iptables -nL
Or just
	sudo iptables -L
if you like resolved hostnames, but it will be slower.
Ciao!
EOF