script vsftpd hosts.deny or iptables
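#!/bin/sh
#
# Scans the sshd and vsftpd authentication logs for repeated login failures
# and hands each offending source address to /root/bin/ssh_complain or
# /root/bin/ftp_complain. Sources already listed in /etc/hosts.deny, or named
# in the whitelist below, are never reported.

# Fill in your own whitelisted hosts here (whitespace-separated addresses).
#
# The last entry is resolved through DNS every time the script runs. Only the
# "NAME has address A.B.C.D" lines of host(1) are used, so IPv6 and
# "mail is handled by" lines cannot leak stray words into the list.
# NOTE: a failed lookup silently leaves that address out of the whitelist, and
# the answer is only as trustworthy as the resolver. Keep the addresses you
# must never lock out as static entries.
whitelist="127.0.0.1 1.2.3.4 $(host home.example.com | awk '/ has address / { print $NF }')"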
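# --- sshd: failed password logins recorded in /var/log/secure ---------------
#
# The first sed keeps only sshd "Failed password" records and reduces each one
# to its source address. The greedy ".*from " runs up to the LAST " from " on
# the line, which is the one sshd appends after the client-supplied user name.
# sort | uniq -c then yields one "COUNT HOST" line per source.
sed -e '/sshd\[[0-9]*\]: Failed password/!d' \
    -e 's/.*Failed password for.*from //' \
    -e 's/ port.*//' /var/log/secure | sort | uniq -c |
while read -r count host _
do
  whitelisted=0

  # Drop the IPv4-mapped IPv6 prefix so the address compares equal to the
  # whitelist and hosts.deny entries.
  host=${host#::ffff:}

  # Everything in the log after "Failed password for" is influenced by the
  # remote client. Accept only characters that can occur in an address or
  # host name before the value is used in a pattern or passed as an argument.
  case $host in
    '' | -* | *[!0-9A-Za-z.:_-]*) continue ;;
  esac

  # Count the distinct user names tried from this source. Each record is
  # split as "PEER USER" using the trailing " from PEER port" that sshd writes,
  # and PEER is compared as an exact string. Text inside the user name
  # therefore cannot be mistaken for the source address, and 1.2.3.4 does not
  # also match 1.2.3.45.
  number_of_usernames=$(
    sed -n -e 's/.*sshd\[[0-9]*\]: Failed password for \(.*\) from \([^ ]*\) port .*/\2 \1/p' \
      /var/log/secure |
      awk -v host="$host" '
        { peer = $1; sub(/^::ffff:/, "", peer) }
        (peer "") == (host "") { print substr($0, length($1) + 2) }' |
      sort -u | wc -l
  )

  # $whitelist is deliberately unquoted: it is a whitespace-separated list.
  for white in $whitelist; do
    if [ "$white" = "$host" ]; then
      whitelisted=1
    fi
  done

  # Match the hosts.deny entry literally and stop at the end of the address,
  # so an entry for a longer address is not taken for this one.
  host_re=$(printf '%s\n' "$host" | sed -e 's/\./\\./g')

  if [ "$whitelisted" = "1" ]; then
    echo "$count attempts from WHITELISTED $host"
  elif grep -Eq "ALL:${host_re}([^0-9A-Za-z._-]|\$)" /etc/hosts.deny; then
    : #echo "$host is blacklisted"
  else
    #echo "$count attempts from $host"
    #host $host
    # Report after more than 14 failures or more than 4 distinct user names.
    # ssh_complain is not shown on this page; presumably it adds the
    # "ALL:HOST" entry that the elif above looks for. Confirm before relying
    # on it.
    if [ "$count" -gt 14 ] || [ "$number_of_usernames" -gt 4 ]; then
      /root/bin/ssh_complain "$host"
    else
      : #echo "WARNING: $host is not blacklisted"
    fi
  fi
done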
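# --- vsftpd: PAM authentication failures recorded in /var/log/messages ------
#
# Reduces every vsftpd pam_unix "authentication failure" record to its remote
# host and counts the records per host.
# NOTE(review): the page shows the second expression as 's/.rhost=.from //'
# with the '*' characters lost in the paste. It is restored here as
# '.*rhost=.*from ', which only matches records that carry the text "from "
# after rhost=. Check a sample line from your own /var/log/messages and adjust
# the expression if your PAM records end at "rhost=HOST".
sed -e '/vsftpd(pam_unix)\[[0-9]*\]: authentication failure/!d' \
    -e 's/.*rhost=.*from //' \
    -e 's/ user=.*//' /var/log/messages | sort | uniq -c |
while read -r count host _
do
  whitelisted=0

  # rhost= is supplied by the remote side (it may be a reverse-DNS name).
  # Accept only characters that can occur in an address or host name before
  # the value is used in a pattern or passed as an argument.
  case $host in
    '' | -* | *[!0-9A-Za-z.:_-]*) continue ;;
  esac

  # $whitelist is deliberately unquoted: it is a whitespace-separated list.
  for white in $whitelist; do
    if [ "$white" = "$host" ]; then
      whitelisted=1
    fi
  done

  # Match the hosts.deny entry literally and stop at the end of the address,
  # so an entry for a longer address is not taken for this one.
  host_re=$(printf '%s\n' "$host" | sed -e 's/\./\\./g')

  if [ "$whitelisted" = "1" ]; then
    echo "$count attempts from WHITELISTED $host"
  elif grep -Eq "ALL:${host_re}([^0-9A-Za-z._-]|\$)" /etc/hosts.deny; then
    : #echo "$host is blacklisted"
  else
    #echo "$count attempts from $host"
    #host $host
    # Report after more than 25 authentication failures from one source.
    # ftp_complain is not shown on this page; presumably it adds the
    # "ALL:HOST" entry that the elif above looks for. Confirm before relying
    # on it.
    if [ "$count" -gt 25 ]; then
      /root/bin/ftp_complain "$host"
    else
      : #echo "WARNING: $host is not blacklisted"
    fi
  fi
done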