Thursday, October 22, 2009

Slowing brute force hackers

I now use denyhosts, which is available via yum, but a while back I used the solution below.
I found this post on novell.com with a script to slow down brute-force SSH attempts. I altered it and think the result may be helpful to others.

Here is the original post: http://www.novell.com/coolsolutions/trench/16341.html

I installed this script in the crontab. It effectively blocks specific brute-force attempts in a semi-permanent way. Each night, logrotate wipes out the log of the failed attempts, and the next run stops blocking the IP. In one light this is good: it blocks the offending IP long enough to prevent harm, and later opens it back up since, most likely, it's a DHCP address anyway.

The next step for me is to run a script pre-logrotate to save the offending IP address for historical analysis and potential abuse reports.


Here are my changes:
#!/bin/bash
# AUTHOR: By Chander Ganesan

LAST_IP=0.0.0.0
COUNT=1

# Set MAXCOUNT to the maximum failures allowed before blacklisting
MAXCOUNT=5

#
# The echo below puts the leading lines in /etc/hosts.deny
# Note: This script overwrites the entire /etc/hosts.deny file.
#

echo '
# /etc/hosts.deny
# See "man tcpd" and "man 5 hosts_access" as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL' > /etc/hosts.deny

#
# Scan the /var/log/secure file for failed login attempts via ssh.
# Parse out the IP address (stripping an IPv4-mapped "::ffff:" prefix if
# present), and count the failure occurrences from that IP.
# If the IP fails MAXCOUNT or more times - deny further access.
# The loop counts consecutive entries for the same IP, so the addresses are
# sorted first; the trailing 0.0.0.0 flushes the count for the last IP.
#
# RSS: Changed grep to search for "Failed password". Added second sed command
for IP in `/bin/grep sshd /var/log/secure | /bin/grep "Failed password" | \
           /bin/sed 's/^.*from \(::ffff:\)\{0,1\}//' | /bin/sed 's/ .*//' | /bin/sort` 0.0.0.0; do
    if [ "${LAST_IP}" = "${IP}" ]; then
        let COUNT=${COUNT}+1
    else
        if [ ${COUNT} -ge ${MAXCOUNT} ]; then
            echo "ALL: ${LAST_IP}" >> /etc/hosts.deny
        fi
        LAST_IP=${IP}
        COUNT=1
    fi
done
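As an added example (my own addition here, not the novell.com script or the version above), the same detection written so that failures are counted per source address with sort and uniq, which does not depend on entries from one host being consecutive, handles both the plain and the "::ffff:" form of the address, and appends the offenders to a history file as the pre-logrotate step mentioned above would. The log lines are constructed, and the history file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not the original script: count sshd failures per source IP.
MAXCOUNT=5

# Read sshd "Failed password" lines on stdin; print each source IP that
# failed MAXCOUNT or more times. Strips the IPv4-mapped "::ffff:" prefix
# when present, and counts with sort|uniq so ordering does not matter.
failed_ips() {
    grep sshd | grep 'Failed password' |
    sed 's/^.*from \(::ffff:\)\{0,1\}\([0-9.]*\) .*/\2/' |
    sort | uniq -c |
    awk -v max="$MAXCOUNT" '$1 + 0 >= max + 0 { print $2 }'
}

# Same, formatted as /etc/hosts.deny entries (printed, not written).
deny_lines() {
    failed_ips | sed 's/^/ALL: /'
}

# Append dated offenders to the history file given as $1, so the entries
# survive logrotate for later analysis or abuse reports.
save_history() {
    failed_ips | sed "s/^/$(date +%Y-%m-%d) /" >> "$1"
}

# Constructed sample log (not real traffic): five failures from 192.0.2.10,
# in both address forms and interleaved with another host.
SAMPLE_LOG=$(cat <<'EOF'
Oct 22 01:00:01 host sshd[1201]: Failed password for root from ::ffff:192.0.2.10 port 4001 ssh2
Oct 22 01:00:02 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2
Oct 22 01:00:03 host sshd[1203]: Failed password for root from ::ffff:192.0.2.10 port 4003 ssh2
Oct 22 01:00:04 host sshd[1204]: Failed password for root from 192.0.2.10 port 4004 ssh2
Oct 22 01:00:05 host sshd[1205]: Accepted password for bob from 198.51.100.7 port 4005 ssh2
Oct 22 01:00:06 host sshd[1206]: Failed password for root from 192.0.2.10 port 4006 ssh2
Oct 22 01:00:07 host sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 4007 ssh2
Oct 22 01:00:08 host sshd[1208]: Failed password for root from ::ffff:192.0.2.10 port 4008 ssh2
EOF
)

printf '%s\n' "$SAMPLE_LOG" | deny_lines   # prints: ALL: 192.0.2.10
```

On a real host you would feed /var/log/secure into deny_lines and only then decide whether to write the result to /etc/hosts.deny.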
