wzyboy/ Secret

Created Aug 6, 2012
Find and block IP addresses that failed to log in.
#!/bin/bash -
# Bio: I will block those IP addresses who failed to log in.
# Usage: Run me directly with root or add me to cron.
# Author: wzyboy
# Website:
# Version: 2012-08-09-r4
[[ $EUID -ne 0 ]] && echo "You are not root. Abort." && exit 1
cd /var/log/ || exit 1
echo "I am trying to find out who failed to login..."
# Count the IPv4 addresses on lines containing 'Bye' in the current and rotated auth logs.
zgrep 'Bye' auth.log* | grep -Po '\d+\.\d+\.\d+\.\d+' | sort | uniq -c | sort -nr > auth.log.wzy.sorted
count=$(wc -l auth.log.wzy.sorted | awk '{print $1}')
cat << EOF
I've found $count bad guy(s)!
They are listed in /var/log/auth.log.wzy.sorted
Now I will block them in iptables.
EOF
tmp=$(mktemp /tmp/iptables.XXXXXX)
grep -Po '\d+\.\d+\.\d+\.\d+' auth.log.wzy.sorted > "$tmp"
# Note: this flushes every rule in the filter table, not only the ones added by this script.
iptables -F
# Insert one DROP rule per address found.
for i in $(<"$tmp"); do
    iptables -I INPUT -s "$i" -j DROP
done
rm "$tmp"
echo "Now saving the rules so they can be loaded automatically."
iptables-save > /etc/iptables.rules
cat << EOF
Done! They will never be able to bother $(hostname)!
You can also use this command to view my work:
sudo iptables -nL
Or just
sudo iptables -L
if you like resolved hostnames, but it will be slower.
EOF
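
The script above blocks every address that appears on a single 'Bye' line, accepts any dotted digits as an IP, and clears all existing rules with `iptables -F`. The following is an added example, not part of wzyboy's gist, that applies a hit threshold, an allowlist and octet validation, and prints rules for a dedicated chain instead of flushing the table. The function names, the chain name `SSH_BLOCK`, the threshold and the sample log lines are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not wzyboy's code. SAMPLE_LOG is constructed; the function
# names, threshold, allowlist and chain name SSH_BLOCK are assumptions.

SAMPLE_LOG='Aug  6 10:00:01 host sshd[101]: Received disconnect from 203.0.113.7: 11: Bye Bye
Aug  6 10:00:05 host sshd[102]: Received disconnect from 203.0.113.7: 11: Bye Bye
Aug  6 10:01:00 host sshd[103]: Received disconnect from 198.51.100.20: 11: Bye Bye
Aug  6 10:02:00 host sshd[104]: Received disconnect from 192.0.2.10: 11: Bye Bye
Aug  6 10:02:30 host sshd[105]: Received disconnect from 192.0.2.10: 11: Bye Bye
Aug  6 10:03:00 host sshd[106]: Received disconnect from 999.1.1.1: 11: Bye Bye
Aug  6 10:03:10 host sshd[107]: Received disconnect from 999.1.1.1: 11: Bye Bye'

# stdin: auth.log lines. $1: minimum number of hits. Remaining args: allowlist.
# Prints valid IPv4 addresses seen on 'Bye' lines at least $1 times.
select_offenders() {
    local threshold=$1; shift
    awk -v min="$threshold" -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /Bye/ {
            for (f = 1; f <= NF; f++) {
                ip = $f
                sub(/[:,]+$/, "", ip)          # drop trailing punctuation
                if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                split(ip, o, "."); ok = 1
                for (k = 1; k <= 4; k++) if (o[k] + 0 > 255) ok = 0
                if (ok && !(ip in skip)) hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | LC_ALL=C sort
}

# stdin: one IP per line. Prints (does not run) the commands that rebuild a
# dedicated chain, so unrelated rules survive, unlike a global 'iptables -F'.
emit_rules() {
    local chain=$1 ip
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "iptables -A $chain -s $ip -j DROP"
    done
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -I INPUT -j $chain"
}

# Demo on the constructed log: threshold 2, with 192.0.2.10 allowlisted.
printf '%s\n' "$SAMPLE_LOG" | select_offenders 2 192.0.2.10 | emit_rules SSH_BLOCK
```

Review the printed commands before piping them to a root shell; on a real host the input would come from `zgrep 'Bye' /var/log/auth.log*`.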