BlockIPsAuth.pl

#!/usr/bin/perl
#
# Checks auth.log for breakin attempts
#
# Author Anton Lindstrom
# antonlindstrom.com
use warnings;
use strict;

my $logfile = "/var/log/auth.log";
my $csvfile = "users.csv";

# Argument for block
my $argument = 0; 
$argument = $ARGV[0] if ($ARGV[0]);

# Open $logfile
open(AUTH, $logfile) or die("File $logfile unreadable! \n$!");
my @auth = <AUTH>;
close(AUTH);

# Hashes with IPs and usernames
my %ips;
my %users;

# Go through rows in @auth
foreach (@auth) {
  next if ($_ !~ /sshd/);

  print "";

  my $failedpassusers = "failed password for";
  my $failedpassinvalid = "failed password for invalid user";
  # time, server, process[id], trash, trash, trash, username, ip.
  $_ =~ m/(\w+\s\d+\s\d+:\d+:\d+)\s([\w\-\.]+)\s(.+)\:\s((($failedpassusers|$failedpassinvalid) ([\w\-\_]+) from ([\d\.]+)?))/gi;

  if ($1 && $8) {
   # Set username and ip in hashes.
   if ( exists($ips{$8}) ) { $ips{$8} += 1; }
   else { $ips{$8} = 1; }
   
   if ( exists($users{$7}) ) { $users{$7} += 1; }
   else { $users{$7} = 1; }
  }
}

my $cmd; 
my $block = 0;
my @iptables_notblock = `iptables -L INPUT -n`;

print "IPs:\n";
foreach my $ip ( sort { $ips{$b} <=> $ips{$a} } keys %ips ) {
  $block = 1 unless ( grep(/$ip/, @iptables_notblock) );
  $cmd = "iptables -I INPUT -s $ip -p tcp --destination-port ssh -j DROP";
  print "  $ips{$ip}\tfailed login attempts from $ip\n";
  system($cmd) if ($ips{$ip} > 5 && $argument eq "-b" && $block == 1);
}


print "\nBlocked:\n";

# Print iptables
my @iptables = `iptables -L INPUT -n 2>/dev/null`;

foreach (@iptables) {
  $_ =~ m/([1-2]?(([0-9]{1,2})?\.\d+\.\d+\.\d+))/g;
  print "\t[BLOCKED!] $1\n" if($1);
}

# Print users to csv.
open (CSV, "> $csvfile") or die ("File $csvfile unreadable! \n$!");
# Print
print "\nFrequent failed users are in $csvfile..\n";
foreach my $user ( sort { $users{$b} <=> $users{$a} } keys %users ) {
  print CSV "$users{$user},$user\n";
}
# Close
close(CSV);