Created February 8, 2020 04:35
Get a list of IP addresses trying to attack your CentOS server
#!/usr/bin/bash
# strings to look for in our file
# Note: you could just parse the whole file. But if you put in a bad password your IP
# could end up on the bad guy list
# (each string listed once; the original list repeated "input_userauth_request: invalid user")
declare -a badstrings=("Failed password for invalid user"
"input_userauth_request: invalid user"
"pam_unix(sshd:auth): check pass; user unknown"
"does not map back to the address"
"pam_unix(sshd:auth): authentication failure"
"reverse mapping checking getaddrinfo for"
)
# search for each of the strings in your file (this could probably be a one liner)
for i in "${badstrings[@]}"
do
  # look for each term (as a fixed string, since some contain "(" and ".")
  # and add new IPs to text file
  grep -F "$i" /var/log/secure | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u >> "temp.txt"
done
# grab unique ips from temp and put them in a file
sort -u "temp.txt" > "badguyips.txt"
# remove the temp file
rm "temp.txt"
(Came here from your blog) You could put those strings in a file and use grep's -f option.
You might want to look at ipset as well instead of adding individual rules for iptables for each bad ip.
Thank you! You're right those would likely be easier to manage in their own file.
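The two suggestions in the comment above, worked through as an added example (this is not the gist author's script): the match strings live in a patterns file read by grep -F -f in a single pass, and the resulting address list is turned into input for ipset restore, so the firewall needs one iptables rule that references the set rather than one rule per address. The log lines in sample_log are constructed for the example, the set name sshd_badguys is an assumption, and the function names are my own.

```shell
#!/bin/sh
# Added example, not the gist's code: one-pass grep -F -f scan of an sshd
# log plus an ipset restore file. Written for POSIX sh so it runs under
# sh or bash; sample log lines are constructed.
set -eu

# Write the match strings to the file named in $1. grep -F -f reads them
# all at once, so the loop from the original script is no longer needed.
write_patterns() {
  cat > "$1" <<'EOF'
Failed password for invalid user
input_userauth_request: invalid user
pam_unix(sshd:auth): check pass; user unknown
does not map back to the address
pam_unix(sshd:auth): authentication failure
reverse mapping checking getaddrinfo for
EOF
}

# Constructed sshd log lines (RFC 5737 documentation addresses). The
# "Accepted publickey" line must not be picked up; the "invalid user"
# preauth line matches but carries no address.
sample_log() {
  cat <<'EOF'
Feb  8 04:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb  8 04:10:03 host sshd[1201]: input_userauth_request: invalid user admin [preauth]
Feb  8 04:11:17 host sshd[1204]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Feb  8 04:12:40 host sshd[1209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Feb  8 04:12:42 host sshd[1209]: reverse mapping checking getaddrinfo for bad.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
EOF
}

# Print the unique IPv4 addresses found on lines of log $1 that contain
# any fixed string from patterns file $2. -F stops "(" and "." in the
# patterns from being read as regex metacharacters.
extract_bad_ips() {
  grep -F -f "$2" "$1" \
    | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort -u
}

# Convert an address list on stdin into `ipset restore` input: create the
# set once, then one "add" line per address. -exist makes a re-run safe.
# The set name "sshd_badguys" is an assumption for this example.
ipset_restore_script() {
  echo "create sshd_badguys hash:ip -exist"
  while read -r ip; do
    echo "add sshd_badguys $ip -exist"
  done
}

# Scan log $1 with the standard pattern set and print the restore input.
scan_to_ipset() {
  patterns=$(mktemp)
  write_patterns "$patterns"
  extract_bad_ips "$1" "$patterns" | ipset_restore_script
  rm -f "$patterns"
}

# Stand-alone run: scan the log given as $1 (e.g. /var/log/secure), or the
# constructed sample when no argument is given.
if [ -n "${1:-}" ]; then
  scan_to_ipset "$1"
else
  tmp_log=$(mktemp)
  sample_log > "$tmp_log"
  scan_to_ipset "$tmp_log"
  rm -f "$tmp_log"
fi
```

Redirect the output to a file and load it with `ipset restore < file`; a single rule such as `iptables -I INPUT -m set --match-set sshd_badguys src -j DROP` then drops every address in the set, and later runs only grow the set without touching the rule table. Two caveats carry over from the gist's own note about your own IP ending up in the list: the "reverse mapping" and "does not map back" messages flag a reverse-DNS mismatch, which legitimate clients also trigger, and the pam_unix "authentication failure" line fires on any wrong password, so review badguyips.txt (or an allowlist step) before feeding it to the firewall.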