Wednesday, April 16, 2008

/var/log/messages and Security, Part 2

This morning I blogged about how to find out which IP addresses attackers are using in their ssh login attempts against your server. To be more proactive, I wrote this auto-include script to run as a cron job, so that those IP addresses are automatically added to /etc/hosts.deny if they are not already there.
#!/bin/sh
# Automatically add the top 10 source addresses of failed ssh logins
# (as recorded in btmp and shown by lastb) to /etc/hosts.deny,
# unless an address is already listed there.

for i in $(lastb -i | awk '$2 ~ /^ssh:/ { s[$3]++ } END { for (h in s) print h, s[h] }' | sort -n -k 2 -r | head | cut -f1 -d" ")
do
        # Escape the dots so 1.2.3.4 cannot match 1x2x3x4 in an existing entry.
        ip=$(printf '%s' "$i" | sed 's/\./\\./g')
        grep -E -q ":$ip$|:$ip,|,$ip,|,$ip$" /etc/hosts.deny || echo "sshd:$i" >> /etc/hosts.deny
done
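To check the counting and the hosts.deny de-duplication before pointing a cron job at the real files, here is the same logic as shell functions run over constructed input. This is an added example, not the script from the post; the sample lastb lines, the sample hosts.deny content and the function names are all made up for the demonstration.

```shell
#!/bin/sh
# Added example: count failed ssh logins per host the way the cron script
# does, and test whether an address is already present in a hosts.deny
# line, using constructed input instead of lastb and /etc/hosts.deny.

# Constructed sample of `lastb -i` output (login, tty, host, ...).
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Wed Apr 16 08:01 - 08:01  (00:00)
admin    ssh:notty    203.0.113.5      Wed Apr 16 08:02 - 08:02  (00:00)
root     ssh:notty    198.51.100.7     Wed Apr 16 08:03 - 08:03  (00:00)
oracle   ssh:notty    203.0.113.5      Wed Apr 16 08:04 - 08:04  (00:00)
test     ssh:notty    198.51.100.7     Wed Apr 16 08:05 - 08:05  (00:00)
root     tty1                          Wed Apr 16 08:06 - 08:06  (00:00)

btmp begins Wed Apr 16 00:00:01 2008'

# Constructed hosts.deny content: one address alone, two in a comma list.
SAMPLE_DENY='sshd:198.51.100.7
sshd:192.0.2.1,192.0.2.2'

# top_ssh_ips N: print the N hosts with the most failed ssh logins,
# one per line, busiest first (reads lastb-style lines on stdin).
top_ssh_ips() {
    awk '$2 ~ /^ssh:/ { s[$3]++ } END { for (h in s) print s[h], h }' \
        | sort -rn | head -n "$1" | awk '{ print $2 }'
}

# ip_listed IP: exit 0 if IP already appears in a "daemon:ip,ip" line
# on stdin. Dots are escaped so 203.0.113.5 does not match 203x0x113x5,
# and the trailing anchor stops 192.0.2 from matching 192.0.2.1.
ip_listed() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E -q "^[^#].*[:,]${esc}(,|[[:space:]]*$)"
}

# new_deny_lines N: the lines the cron script would append for the
# top N attackers that are not already listed in SAMPLE_DENY.
new_deny_lines() {
    printf '%s\n' "$SAMPLE_LASTB" | top_ssh_ips "$1" | while read -r ip; do
        printf '%s\n' "$SAMPLE_DENY" | ip_listed "$ip" || printf 'sshd:%s\n' "$ip"
    done
}

new_deny_lines 10
```

Running it prints only sshd:203.0.113.5, because 198.51.100.7 is already in the sample deny list.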
