@JeremyMorgan
Created February 8, 2020 04:35
Get a list of IP addresses trying to attack your CentOS server
#!/usr/bin/bash
# strings to look for in our file
# Note: you could just parse the whole file. But if you put in a bad password your IP
# could end up on the bad guy list
declare -a badstrings=("Failed password for invalid user"
"input_userauth_request: invalid user"
"pam_unix(sshd:auth): check pass; user unknown"
"does not map back to the address"
"pam_unix(sshd:auth): authentication failure"
"reverse mapping checking getaddrinfo for"
)
# search for each of the strings in your file (this could probably be a one liner)
for i in "${badstrings[@]}"
do
# look for each term as a fixed string (not a regex) and add new IPs to the temp file
grep -F -- "$i" /var/log/secure | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u >> "temp.txt"
done
# grab unique ips from temp and put them in a file
sort -u "temp.txt" > "badguyips.txt"
# remove the temp file
rm "temp.txt"

mynamewastaken commented Feb 8, 2020

(Came here from your blog) You could put those strings in a file and use grep's -f option.
You might want to look at ipset as well instead of adding individual rules for iptables for each bad ip.
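The following script is an added example, not code from the gist or from either commenter. It puts the gist's search strings in a pattern file and matches them with a single `grep -F -f` pass, counts hits per IP and only lists addresses that exceed a threshold, skips an allowlist of your own hosts (the concern the gist raises about locking yourself out after a mistyped password), and writes the result in `ipset restore` format so the whole list can be blocked with one iptables rule that references the set instead of one rule per IP. The log lines, the allowlisted address, the set name `badguys` and the threshold of 2 are all constructed values; the script never touches the firewall itself.

```shell
#!/usr/bin/env bash
# Added example (not part of the gist): pattern file + grep -F -f, per-IP
# counting with a threshold and an allowlist, output as an ipset restore file.

# Constructed sample lines in the style of /var/log/secure (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Feb  8 04:00:01 host sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Feb  8 04:00:02 host sshd[1001]: input_userauth_request: invalid user admin [preauth]
Feb  8 04:00:05 host sshd[1002]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Feb  8 04:00:09 host sshd[1003]: reverse mapping checking getaddrinfo for bad.example [203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb  8 04:00:10 host sshd[1004]: Failed password for invalid user root from 203.0.113.9 port 5022 ssh2
Feb  8 04:00:11 host sshd[1004]: Failed password for invalid user test from 203.0.113.9 port 5023 ssh2
Feb  8 04:00:30 host sshd[1005]: Accepted publickey for jeremy from 192.0.2.10 port 50000 ssh2
Feb  8 04:00:40 host sshd[1006]: Failed password for jeremy from 192.0.2.10 port 50001 ssh2
Feb  8 04:00:41 host sshd[1006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
EOF
)

# The gist's search strings, one per line, with the duplicates dropped.
PATTERNS='Failed password for invalid user
input_userauth_request: invalid user
pam_unix(sshd:auth): check pass; user unknown
does not map back to the address
pam_unix(sshd:auth): authentication failure
reverse mapping checking getaddrinfo for'

# Addresses that must never be listed, e.g. your own jump host (constructed value).
ALLOWLIST='192.0.2.10'

# extract_hits LOGFILE PATTERNFILE -> lines of "count ip", most frequent first.
# One grep pass over the log with all fixed-string patterns, then pull the IPv4
# address out of each matching line and count how often each address appears.
extract_hits() {
    grep -F -f "$2" -- "$1" \
      | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# bad_ips LOGFILE PATTERNFILE ALLOWFILE THRESHOLD -> one IP per line.
# Keeps only addresses with at least THRESHOLD matching lines and drops any
# address listed in ALLOWFILE (whole-line, fixed-string match).
bad_ips() {
    extract_hits "$1" "$2" \
      | awk -v min="$4" '$1 >= min {print $2}' \
      | grep -v -x -F -f "$3" || true
}

# ipset_restore: read IPs on stdin, write an "ipset restore" script on stdout.
# Load it with `ipset restore < file`; the set can then be referenced from a
# single rule such as `iptables -I INPUT -m set --match-set badguys src -j DROP`
# (shown as documentation only; nothing here modifies the firewall).
ipset_restore() {
    echo "create badguys hash:ip"
    while read -r ip; do
        echo "add badguys $ip"
    done
}

# Run the pipeline over the constructed sample in a temporary directory.
main() {
    local workdir
    workdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$workdir/secure"
    printf '%s\n' "$PATTERNS"   > "$workdir/patterns.txt"
    printf '%s\n' "$ALLOWLIST"  > "$workdir/allow.txt"
    bad_ips "$workdir/secure" "$workdir/patterns.txt" "$workdir/allow.txt" 2 \
      | tee "$workdir/badguyips.txt" | ipset_restore
    rm -rf "$workdir"
}

main "$@"
```

On the sample above, 203.0.113.9 (three hits) and 198.51.100.7 (two hits) are listed, while 192.0.2.10 is both below the threshold and allowlisted, so a single mistyped password from a known host does not end up in the set. To use it on a real server, point `bad_ips` at `/var/log/secure` and keep the pattern and allow files under version control alongside the script.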

@JeremyMorgan (Author) commented

Thank you! You're right those would likely be easier to manage in their own file.
