Gentoo Forums
Blocking IP's from vsftp? Solved

Hydraulix
Guru

Joined: 12 Dec 2003
Posts: 447
Location: Baltimore, Maryland

Posted: Tue Apr 25, 2006 6:50 am    Post subject: Blocking IP's from vsftp? Solved

In my vsftp.log I'm seeing this...

Code:

Tue Apr 25 02:45:43 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:46 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:49 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:51 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:54 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:56 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:45:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:02 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:04 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:12 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:14 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:17 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:19 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:22 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:25 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:30 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:33 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:35 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:37 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:40 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:43 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:46 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:48 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:51 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:53 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:56 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:46:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:02 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:05 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:13 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:16 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:18 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:21 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:24 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:29 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:32 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:34 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:37 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:40 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:42 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:45 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:48 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:51 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:53 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:56 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:47:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:02 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:05 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:13 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:16 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:19 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:22 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:24 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:30 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:33 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:36 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:39 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:42 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:45 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:47 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:50 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:53 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:55 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:48:59 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:01 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:04 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:07 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:10 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:13 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:16 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:19 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:22 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:24 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:27 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:30 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:33 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:36 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:38 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:41 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:43 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:46 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"
Tue Apr 25 02:49:49 2006 [pid 20068] [Administrator] FAIL LOGIN: Client "61.9.150.64"


Now I have denyhosts running to block SSH attempts. But how would I configure it to block FTP attempts?
_________________
It is the fate of operating systems to become free.
- Neal Stephenson

If only You and Dead people can read hex, how many people can read hex?


Last edited by Hydraulix on Tue Jul 18, 2006 6:03 am; edited 1 time in total

wjholden
l33t

Joined: 01 Mar 2004
Posts: 826
Location: Augusta, GA

Posted: Tue Apr 25, 2006 1:17 pm

After checking man 5 vsftpd.conf, I'm afraid VSFTPD doesn't contain a native method for blocking hosts. I would recommend reporting the offending IP address to your ISP and blocking it through a firewall such as IP tables.

Hydraulix
Guru

Joined: 12 Dec 2003
Posts: 447
Location: Baltimore, Maryland

Posted: Wed Apr 26, 2006 4:30 am

destuxor wrote:
After checking man 5 vsftpd.conf, I'm afraid VSFTPD doesn't contain a native method for blocking hosts. I would recommend reporting the offending IP address to your ISP and blocking it through a firewall such as IP tables.



Hmm. I'll check out iptables. Is there a script where I can just add an IP to block it using iptables?

expat_iain
Guru

Joined: 09 Jan 2004
Posts: 361
Location: Malta GC

Posted: Wed Apr 26, 2006 11:17 am

Code:
#!/bin/bash
iptables -I INPUT 1 -s 61.9.150.64 -j DROP

wjholden
l33t

Joined: 01 Mar 2004
Posts: 826
Location: Augusta, GA

Posted: Wed Apr 26, 2006 8:25 pm    Post subject: Script

How do you like this? I felt like coding something, so I wrote a program to run through the logfile and block people with too many failed logins. If you like it, save it to block.pl (or whatever), "chmod u+x block.pl", and then "./block.pl" to execute. You could then put it in your cron daemon if you really like it.
Have fun. If you find any bugs or want an extra feature tell me and I'll see what I can do.
Code:
#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.

#configuration options:
$logfilename = 'testlogfile.txt'; # location of your logfile.
$allow_exceptions = 0; # if you wish to specify a file to put exceptions into,
                       # say 1 here, otherwise put 0.
$exception_file = '';  # if you said 1 above, put your filename here.
$max_failures = 50;    # maximum number of failures someone can have before
                       # getting blocked.
#end of configuration options

# sort before counting: uniq -c only counts adjacent identical lines
$command = 'grep \'FAIL LOGIN\' '.$logfilename.' | sed -r \'s/^.{0,}Client .//\' | sed -r \'s/\"//\' | sort | uniq -c';

@connected_ips = `$command`;


undef %noblock;
if ($allow_exceptions == 1) {
    open (FH, $exception_file) or die "$!\n";
    @exceptions = <FH>;
    close (FH);
}

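foreach $ip (@exceptions) {
    chomp ($ip);   # strip the trailing newline so the hash lookup below can match
    $noblock{$ip} = 1;
}

foreach $host (@connected_ips)
{
    @info = split(/\s+/, $host);
    # only act on something that looks like an IPv4 address
    next unless defined($info[2]) && $info[2] =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    if (($info[1] > $max_failures) and !$noblock{$info[2]}) {
        # list form: the address is one argument and is never parsed by a shell
        system('iptables', '-I', 'INPUT', '1', '-s', $info[2], '-j', 'DROP');
    }
}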

Hydraulix
Guru

Joined: 12 Dec 2003
Posts: 447
Location: Baltimore, Maryland

Posted: Fri Apr 28, 2006 6:37 pm    Post subject: Re: Script

destuxor wrote:
How do you like this? I felt like coding something, so I wrote a program to run through the logfile and block people with too many failed logins. If you like it, save it to block.pl (or whatever), "chmod u+x block.pl", and then "./block.pl" to execute. You could then put it in your cron daemon if you really like it.
Have fun. If you find any bugs or want an extra feature tell me and I'll see what I can do.

Very nice!! I'll have to give this a shot when I get home.

Thanks! :)

wjholden
l33t

Joined: 01 Mar 2004
Posts: 826
Location: Augusta, GA

Posted: Fri Apr 28, 2006 10:51 pm

I just hope it works...I have had "xferlog_std_format=YES" in my VSFTPD configuration for a year and a half. Too late to change now :(
Plus I don't have IP Tables installed on this box. What I'm trying to say is, that code hasn't been tested much (it compiles, it runs, it should work), so if you run into any problems at all I'll be glad to work on it.

Hydraulix
Guru

Joined: 12 Dec 2003
Posts: 447
Location: Baltimore, Maryland

Posted: Fri Jul 14, 2006 4:43 pm

destuxor wrote:
I just hope it works...I have had "xferlog_std_format=YES" in my VSFTPD configuration for a year and a half. Too late to change now :(
Plus I don't have IP Tables installed on this box. What I'm trying to say is, that code hasn't been tested much (it compiles, it runs, it should work), so if you run into any problems at all I'll be glad to work on it.



I finally got around to trying your script. When I run it, it just hangs. Any idea?


Never mind, I installed fail2ban and that seems to work. Thanks again for the help. :D

JROCK2004
Guru

Joined: 02 Mar 2004
Posts: 450
Location: PA

Posted: Fri Nov 24, 2006 3:30 pm

Is there a different way than iptables?

Growlizing
Tux's lil' helper

Joined: 25 Jul 2005
Posts: 94

Posted: Tue Jan 16, 2007 2:06 pm

Could you post your failregex for fail2ban please? Would be very much appreciated :)
_________________
Is this where I write something clever?

zendmaster
Apprentice

Joined: 06 Nov 2003
Posts: 204
Location: Tisdale, Saskatchewan, Canada

Posted: Mon Apr 09, 2007 6:45 pm

I know this is an older thread, but I was just working on this. I had trouble getting fail2ban to work for vsftpd. Thought I would post how I got it to work since I couldn't find it in these forums.

First I had to go into my kernel configuration and turn on iptables. That was the easy part. The hard part was finding a failregex for vsftpd. I finally found one that worked. It is:

Code:

failregex = \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$


Hope this helps others. I should also mention that this is fail2ban-0.6.2-r1

I tried 0.7.6-r1, but I found it would only monitor vsftpd and email a warning. It didn't ban the IP. The earlier version works to ban the IP.
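
The failregex above can be checked against the log format from the first post before it goes into a filter. The following is an added example, not part of zendmaster's post or of fail2ban: it applies the posted regex to constructed vsftpd.log lines and counts failures per host inside a sliding time window. `parse_failure`, `hosts_over_limit`, `max_failures`, `window_seconds` and the sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex exactly as posted above (fail2ban filters are Python regexes).
FAILREGEX = re.compile(r'\[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$')
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # "Tue Apr 25 02:45:43 2006"


def sample_log():
    """Constructed lines in the vsftpd.log layout shown in the first post."""
    lines = ['Tue Apr 25 02:45:40 2006 [pid 20067] CONNECT: Client "192.0.2.10"']
    for sec in range(43, 61, 3):  # six failures within 15 seconds
        lines.append(f'Tue Apr 25 02:45:{sec:02d} 2006 [pid 20068] '
                     f'[Administrator] FAIL LOGIN: Client "192.0.2.10"')
    # A user who mistypes a password twice, an hour apart, then logs in.
    lines += [
        'Tue Apr 25 03:00:00 2006 [pid 20070] [bob] FAIL LOGIN: Client "198.51.100.5"',
        'Tue Apr 25 04:00:00 2006 [pid 20071] [bob] FAIL LOGIN: Client "198.51.100.5"',
        'Tue Apr 25 04:00:05 2006 [pid 20071] [bob] OK LOGIN: Client "198.51.100.5"',
    ]
    return lines


def parse_failure(line):
    """Return (timestamp, host) for a FAIL LOGIN line, or None for anything else."""
    line = line.rstrip("\n")
    match = FAILREGEX.search(line)
    if match is None:
        return None
    # The timestamp is everything before the first " [" (the pid field).
    stamp = datetime.strptime(line.split(" [", 1)[0], TS_FORMAT)
    return stamp, match.group("host")


def hosts_over_limit(lines, max_failures=5, window_seconds=600):
    """Hosts with more than max_failures failures inside a sliding window."""
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    flagged = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        stamp, host = hit
        times = recent[host]
        times.append(stamp)
        while (stamp - times[0]).total_seconds() > window_seconds:
            times.popleft()  # forget failures older than the window
        if len(times) > max_failures and host not in flagged:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(hosts_over_limit(sample_log()))
    print(hosts_over_limit(sample_log(), max_failures=1, window_seconds=7200))
```

The time window is what separates the rapid run of failures from a user who mistypes a password now and then; a count over the whole log cannot make that distinction.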

TauRush
n00b

Joined: 07 May 2007
Posts: 1

Posted: Mon May 07, 2007 10:50 am

I was looking for a script to stop those ftp attacks some time ago and finally found this forum.
Although I am not using Gentoo (but Fedora) I gave the script of destuxor a try.
After fixing some small issues and adding a permanent banlist, I have it working at home and at the office for some time now.
I am running the script every 2 minutes through a cronjob, to keep the amount of attacks small and also my logfiles don't overflow.

Thanks to destuxor for the initial setup of the script.

Here is my adjusted script for all to use.

Code:

#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# TauRush (snakesandarrows@gmail.com) - 3/17/2007
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.

#configuration options:
$logfilename = '/var/log/vsftpd/vsftpd.log'; # location of your logfile.
$allow_exceptions = 1; # if you wish to specify a file to put exceptions into,
                       # say 1 here, otherwise put 0.
$exception_file = '/var/log/vsftpd/banned.log';  # if you said 1 above, put your filename here.
$max_failures = 5;    # maximum number of failures someone can have before
                       # getting blocked.
#end of configuration options

# sort before counting: uniq -c only counts adjacent identical lines
$command = 'grep \'FAIL LOGIN\' '.$logfilename.' | sed -r \'s/^.{0,}Client .//\' | sed -r \'s/\"//\' | sort | uniq -c';

@connected_ips = `$command`;


undef %noblock;
if ($allow_exceptions == 1) {
    open (FH, $exception_file) or die "$!\n";
    @exceptions = <FH>;
    close (FH);
}

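foreach $ip (@exceptions) {
# Added by TauRush to chop LF character
    chomp ($ip);   # chomp removes only a trailing newline, never part of the address
    $noblock{"$ip"} = 1;
}

foreach $host (@connected_ips)
{
    @info = split(/\s+/, $host);
    # only act on something that looks like an IPv4 address
    next unless defined($info[2]) && $info[2] =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    if (($info[1] > $max_failures) and !$noblock{$info[2]}) {
        # list form: the address is one argument and is never parsed by a shell
        system('/sbin/iptables', '-I', 'INPUT', '1', '-s', $info[2], '-j', 'DROP');
# 3 lines added by TauRush to create banned.log file
        open FILE,">>$exception_file" or die "Unable to open file!\n";
        print FILE "$info[2]\n";
        close FILE;
    }
}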


wjholden
l33t

Joined: 01 Mar 2004
Posts: 826
Location: Augusta, GA

Posted: Sat Feb 28, 2009 6:20 pm

So I was googling my own name and ran across this. If anyone is using this script it may be useful to see what others have done with it:
http://ubuntuforums.org/archive/index.php/t-428806.html
http://www.nslu2-linux.org/wiki/HowTo/SetupIPBlockingOnVSFTPD

jeffrehley
n00b

Joined: 23 May 2010
Posts: 1

Posted: Sun May 23, 2010 8:34 pm

I added a bit to ban failed login attempts as well...

Code:
#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# TauRush (snakesandarrows@gmail.com) - 3/17/2007
# jeffrehley (jeffrehley@hotmail.com) - 5/21/2010 - look for failed attempts in auth.log as well
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.

#configuration options:
$logfilename1 = '/var/log/vsftpd.log'; # location of ftp logfile.
$logfilename2 = '/var/log/auth.log';   # location of auth logfile.

$allow_exceptions = 1; # if you wish to specify a file to put exceptions into,
                       # say 1 here, otherwise put 0.

$exception_file = '/var/log/banned.log'; # if you said 1 above, put your filename here.

$max_failures = 5;     # maximum number of failures someone can have before
                       # getting blocked.
#end of configuration options

# sort before counting: uniq -c only counts adjacent identical lines
$command1 = 'grep \'FAIL LOGIN\' '.$logfilename1.' | sed -r \'s/^.{0,}Client .//\' | sed -r \'s/\"//\' | sort | uniq -c';
$command2 = 'grep \'Failed password for invalid user\' '.$logfilename2.' | cut -f 4 -d: | awk \'{print $8}\' | sort | uniq -c';
$command3 = 'grep \'Failed password for root\' '.$logfilename2.' | cut -f 4 -d: | awk \'{print $6}\' | sort | uniq -c';

@connected_ips1 = `$command1`;
@connected_ips2 = `$command2`;
@connected_ips3 = `$command3`;

push (@connected_ips,@connected_ips1);
push (@connected_ips,@connected_ips2);
push (@connected_ips,@connected_ips3);

#print @connected_ips;

undef %noblock;
if ($allow_exceptions == 1) {
    open (FH, $exception_file) or die "$!\n";
    @exceptions = <FH>;
    close (FH);
}

foreach $ip (@exceptions) {
# Added by TauRush to chop LF character
    chomp ($ip);   # chomp removes only a trailing newline, never part of the address
    $noblock{"$ip"} = 1;
}

foreach $host (@connected_ips)
{
    @info = split(/\s+/, $host);

    # only act on something that looks like an IPv4 address
    next unless defined($info[2]) && $info[2] =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    if (($info[1] > $max_failures) and !$noblock{$info[2]}) {
        # list form: the address is one argument and is never parsed by a shell
        system('iptables', '-I', 'INPUT', '1', '-s', $info[2], '-j', 'DROP');
# 3 lines added by TauRush to create banned.log file
        open FILE,">>$exception_file" or die "Unable to open file!\n";
        print FILE "$info[2]\n";
        close FILE;
    }
}
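
An added example (not from any poster in this thread) of two checks a log-driven blocker like the scripts above depends on: per-address totals rather than the adjacent-run counts that `uniq -c` gives on unsorted input, and accepting only values that parse as IP addresses before building an `iptables` argument list. The log lines are constructed, and `failed_hosts`, `run_counts` and `block_commands` are hypothetical helper names.

```python
import ipaddress
import re
from collections import Counter
from itertools import groupby

VSFTPD_FAIL = re.compile(r'FAIL LOGIN: Client "([^"\s]+)"$')
# Anchor on the fixed tail of the sshd message instead of a field position.
SSHD_FAIL = re.compile(r'Failed password for .* from (\S+) port \d+(?: ssh2)?$')


def sample_lines():
    """Constructed log lines: two FTP clients interleaved, plus one sshd line."""
    lines = []
    for sec in range(10, 22, 2):  # six rounds, one failure per client each
        lines.append(f'Tue Apr 25 02:45:{sec:02d} 2006 [pid 301] [admin] '
                     f'FAIL LOGIN: Client "192.0.2.10"')
        lines.append(f'Tue Apr 25 02:45:{sec + 1:02d} 2006 [pid 302] [admin] '
                     f'FAIL LOGIN: Client "198.51.100.5"')
    # The user field here contains a space, so the address is not at a fixed position.
    lines.append('Apr 25 02:46:00 box sshd[411]: Failed password for invalid '
                 'user backup admin from 203.0.113.9 port 4242 ssh2')
    return lines


def failed_hosts(lines):
    """Source address of every failed login, in log order, validated as an IP."""
    hosts = []
    for line in lines:
        text = line.strip()
        match = VSFTPD_FAIL.search(text) or SSHD_FAIL.search(text)
        if match is None:
            continue
        try:
            hosts.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # not an address: never hand it to the firewall
    return hosts


def run_counts(hosts):
    """Counts as `uniq -c` reports them without `sort`: one per adjacent run."""
    return [(len(list(run)), host) for host, run in groupby(hosts)]


def block_commands(lines, max_failures=5, already_banned=()):
    """argv lists (no shell involved) for hosts over the limit in total."""
    totals = Counter(failed_hosts(lines))
    return [["iptables", "-I", "INPUT", "1", "-s", host, "-j", "DROP"]
            for host, count in totals.items()
            if count > max_failures and host not in already_banned]


if __name__ == "__main__":
    print(max(run_counts(failed_hosts(sample_lines()))))  # longest adjacent run
    for argv in block_commands(sample_lines()):
        print(" ".join(argv))  # a real run would call subprocess.run(argv, check=True)
```

Here every adjacent run has length 1, so a threshold applied to run counts never fires, while the totals put both FTP clients over the limit.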