@yukoff
Created April 14, 2024 15:45
Example script to process sshd auth errors retroactively and add CrowdSec decisions
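#!/usr/bin/env bash
# Log could be /var/log/secure or /var/log/auth.log
# WHITELISTIPS is a PCRE; log lines matching it are skipped, e.g. '\b192\.0\.2\.10\b'
# The perl step prints only the address from the trailing "from <ip> port <n>" that
# sshd appends; the user name earlier on the line is chosen by the client.
: "${WHITELISTIPS:?set WHITELISTIPS to a PCRE of addresses that must not be banned}"
zgrep -P 'Invalid user .+? from |Failed password for .+? from ' /var/log/auth.log* \
| grep -Pv -- "$WHITELISTIPS" \
| perl -ne 'print "$1\n" if /.* from (\d+\.\d+\.\d+\.\d+) port \d+(?: ssh2)?\]?\s*$/' \
| sort -u \
| xargs -I % sudo cscli decisions add --ip % --duration 48h --reason "ssh bruteforce"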
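
A dry-run variant with a failure threshold, as an added example that is not part of the original gist: it counts failures per source address and prints the cscli commands instead of running them, so the list can be reviewed before any decision is added. The function names (ssh_offenders, sample_log, dry_run), the threshold of 3 and the log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: dry-run offender selection with a failure threshold.
# ssh_offenders, sample_log and dry_run are hypothetical names, not from the gist.

# Reads sshd log lines on stdin; prints "ip count" for every IPv4 source with
# at least $1 failures that is not listed in $2 (space-separated exact IPs).
ssh_offenders() {
  awk -v min="$1" -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    /Invalid user .* from |Failed password for .* from / {
      sub(/\][ \t]*$/, "")            # "message repeated N times: [ ... ]"
      e = NF; if ($e == "ssh2") e--   # sshd appends: from <ip> port <n> [ssh2]
      if (e < 4 || $(e-3) != "from" || $(e-1) != "port") next
      ip = $(e-2)
      if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $e !~ /^[0-9]+$/) next
      if (!(ip in skip)) fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
  ' | sort
}

# Constructed sample log (documentation addresses only).
sample_log() {
  cat <<'EOF'
Apr 14 10:00:01 host sshd[101]: Invalid user admin from 203.0.113.7 port 40001
Apr 14 10:00:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Apr 14 10:00:03 host sshd[102]: Failed password for root from 203.0.113.7 port 40002 ssh2
Apr 14 10:01:00 host sshd[103]: Failed password for alice from 198.51.100.20 port 50111 ssh2
Apr 14 10:02:00 host sshd[104]: Invalid user x from 192.0.2.99 port 1 from 203.0.113.7 port 40003
Apr 14 10:03:00 host sshd[105]: Failed password for bob from 192.0.2.10 port 50200 ssh2
Apr 14 10:03:01 host sshd[105]: Failed password for bob from 192.0.2.10 port 50201 ssh2
Apr 14 10:03:02 host sshd[105]: Failed password for bob from 192.0.2.10 port 50202 ssh2
EOF
}

# Print the cscli commands instead of running them.
dry_run() {
  ssh_offenders "$1" "$2" | while read -r ip count; do
    printf 'cscli decisions add --ip %s --duration 48h --reason "ssh bruteforce"  # %s failures\n' "$ip" "$count"
  done
}

sample_log | dry_run 3 "192.0.2.10"
```

The address embedded in the user name on the 10:02:00 line is never counted, because only the trailing fields written by sshd are read.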