Simpler:

#!/bin/bash
##############################################################
# Every address that sshd logged with "Invalid user" gets a DROP rule on
# port 22. Field 10 of the syslog line is the client address; the sed
# strips the IPv4-mapped "::ffff:" prefix sshd adds on an IPv6 socket.
for i in $(grep Invalid /var/log/messages | awk '{print $10}' | sort -u | sed -e "s/::ffff://g"); do
    iptables -A INPUT -p tcp --dport 22 -s "$i" -j DROP
done
##############################################################

Save it in /bin, give it a chmod +x <file> and add it to cron (crontab -u root -e):

10 * * * * /bin/<file>

Regards

On Wednesday, 26 January 2005 21:14, Aquiles wrote:
Some time ago we had a thread about how to secure the ssh service. http://lists.suse.com/archive/suse-linux-s/2005-Jan/0113.html
I remember the question came up of how to get illegal users added to a blacklist automatically; well, today while reading the security newsgroup I came across this:
#!/bin/csh
#Made by Jack-Benny, founder of cyberinfo.se, bluedogsecurity.cyberinfo.se
#and linuxsecurity.cyberinfo.se
#This is a script I wrote to automatically block the SSH probes.
#The code is pretty quickly written and not fancy in any way, but for
#me it works like a dream!
#If you find any bugs or have any improvements or suggestions
#please drop me an e-mail: jake@cyberinfo.se

#A short explanation of how it works:
#The script first uses grep to find the word Invalid in the
#/var/log/messages file.
#Then it takes field number 10 (field separator is a whitespace)
#which is the IP number.
#It then compares this to the "history" file and prints any new
#IP's in the file new_ip.
#Then the file new_ip is processed with sed ("old" IP's have
#tab in front of them, "new" ones don't)
#It is then written to file block_this and a black list (used
#for backup purpose)
#Finally the new IP's are inserted to an IPTABLES command which
#blocks the IP access to port 22
#By the way: Sorry for the long lines, don't split them up,
#it won't work if you do!!!
#MUST BE RUN AS ROOT, it could also be a good idea to run it
#in a separate directory as it generates a lot of files...
touch hist_ip
START:
sleep 10
grep Invalid /var/log/messages > ips
cat ips | awk '{ FS = " " } { print $10 | "uniq" }' | sort | uniq > ext_ip
comm -1 hist_ip ext_ip > new_ip
cat ips | awk '{ FS = " " } { print $10 | "uniq" }' | sort | uniq > hist_ip
cat new_ip | sed -e '/^\t/d' > block_this
cat block_this >> black_list.txt
cat block_this | awk '{ system("iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP -s " $0 )}'
goto START
---End of code---
I haven't tried it (I already have my own blacklist system) and, besides, I'm not a scripting expert and I don't understand all the code, but from what I know it looks good. Let's see if it is useful to someone.
-- ¡Share your knowledge!
Linux user id 332494 # http://counter.li.org/ PGP id 0xC5ABA76A # http://pgp.mit.edu/
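A tightened version of the idea behind both scripts above (grep for "Invalid", take the client address, DROP it on port 22), as an added example that is not code from either post. It assumes GNU sed/comm, an iptables with the -C rule check (1.4.11 or newer), and a history file path of your choosing; the log lines it parses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from either post: a tightened version of the
# "grep Invalid | field 10 | iptables DROP" idea from the thread.
# Constructed sample log lines in the syslog format the scripts parse
# (the fourth line must be ignored: it is not an "Invalid user" event).
SAMPLE_LOG='Jan 26 21:14:01 host sshd[1234]: Invalid user admin from ::ffff:192.0.2.10
Jan 26 21:14:03 host sshd[1235]: Invalid user test from 198.51.100.7
Jan 26 21:14:05 host sshd[1236]: Invalid user admin from ::ffff:192.0.2.10
Jan 26 21:14:07 host sshd[1237]: Accepted publickey for bob from 203.0.113.9 port 2222'

# Read log lines on stdin, print the unique offending IPv4 addresses.
# Anchors on "Invalid user ... from <addr>" instead of field number 10
# and strips the IPv4-mapped "::ffff:" prefix the thread's sed removed.
extract_invalid_ips() {
    sed -n 's/.*Invalid user .* from \(::ffff:\)\{0,1\}\([0-9.]*\).*/\2/p' | sort -u
}

# Print only the addresses not yet recorded in the history file $1
# (assumed path, created on first run), then record them there so
# each address is blocked once instead of on every cron run.
new_ips() {
    hist="$1"
    touch "$hist"
    sort -u -o "$hist" "$hist"          # comm needs sorted input
    found=$(extract_invalid_ips | comm -13 "$hist" -)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found" >> "$hist"
    printf '%s\n' "$found"
}

# Turn addresses on stdin into iptables commands. They are printed, not
# executed, so the rules can be reviewed (pipe into sh to apply). The
# "-C" check (iptables 1.4.11+) keeps re-runs from adding duplicate rules.
block_rules() {
    while read -r ip; do
        printf 'iptables -C INPUT -p tcp --dport 22 -s %s -j DROP 2>/dev/null || ' "$ip"
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone demo against the constructed log and a throwaway history
# file; on a real host feed it "grep Invalid /var/log/messages" instead.
demo_hist=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | new_ips "$demo_hist" | block_rules
rm -f "$demo_hist"
```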