Here's my script, unmodified. (Experts, be gentle: it's not nearly as efficient as it could be, and it's a work in progress.) Let me know if it helps, and please post your finished version so we can see how you did it!
#!/bin/bash
########################################
##
## Extra-simple brute force detection
## script. Use at your own risk!
##
########################################
########################################
##
## Set Variables here!
##
########################################
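LOGFILE="/var/log/secure"                   # sshd auth log to scan
BLOCKLIST="/root/bin/firewall/block_list"   # one blocked IP per line; persists across runs
## Private scratch file for the per-IP failure counts. This script runs as
## root and truncates the file every cycle, so a fixed name in the
## world-writable /tmp (the old "/tmp/punkd.log") let any local user plant a
## symlink there and have root clobber whatever it pointed at. mktemp gives
## an unpredictable name created mode 0600; the trap cleans it up on exit.
TMPFILE="$(mktemp /tmp/punkd.XXXXXX)" || { echo "punkd: mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$TMPFILE"' EXIT
MAX_TRY="10"   # failures from a single IP before it gets blocked
DELAY="20"     # seconds to sleep between log scans
## Keep the address on ONE line: the value used to be split across a line
## break, so $EMAIL carried an embedded newline and mail(1) got a bad recipient.
EMAIL="[email protected]" # insert email address here for notifications
IPTABLES="/sbin/iptables"
TRUSTED_IPS="x.x.x.x/32" # insert trusted IPs here (space-separated, CIDR ok); ACCEPTed before any DROP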
########################################
##
## First thing we need to do is clear
## any existing rules, and insert ours
##
########################################
## Reset the firewall...
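########################################
##
## Rebuild the INPUT chain from scratch:
## flush everything, ACCEPT the trusted
## hosts first, then DROP each address
## in $BLOCKLIST. Called once at start-up
## and again after every new block.
##
## NOTE: "-F" throws away EVERY rule
## currently loaded, not just ours, so
## this script has to be the only thing
## managing iptables on this host.
##
########################################
## Accepts "a.b.c.d" or "a.b.c.d/nn" — the only shapes we pass to iptables.
IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

reload_firewall() {
  local addr
  ## Reset the firewall...
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -F
  ## Open it up for the good guys. These go in first so a trusted host can
  ## never be locked out by a later DROP rule.
  for addr in $TRUSTED_IPS; do   # unquoted on purpose: space-separated list
    "$IPTABLES" -A INPUT -s "$addr" -j ACCEPT
  done
  ## Shut it down for the bad guys. One entry per line; blank lines, "#"
  ## comments and anything that is not an IPv4 address/CIDR are skipped and
  ## logged instead of being handed to iptables, so one stray line cannot
  ## break the rebuild.
  [ -r "$BLOCKLIST" ] || return 0   # nothing blocked yet
  while IFS= read -r addr || [ -n "$addr" ]; do
    case "$addr" in
      '' | '#'*) continue ;;
    esac
    if [[ "$addr" =~ $IPV4_RE ]]; then
      "$IPTABLES" -A INPUT -s "$addr" -j DROP
    else
      logger "Auto-punkd: ignoring malformed block_list entry '$addr'"
    fi
  done < "$BLOCKLIST"
}

## Install the initial rule set before the first scan.
reload_firewall

########################################
##
## Count sshd failures per source IP and
## print lines in the format of:
## <COUNT> <IPADDR>
##
## The address is taken from the LAST
## " from <ip>" on each matching line.
## The old version pulled EVERY IPv4-
## looking token off the line, and the
## user name in "invalid user ... from"
## is attacker-chosen, so a login attempt
## as user "10.0.0.1" could push any
## address (your DNS server, the gateway)
## into the block list. sshd appends the
## real source as the trailing
## "from <ip> port <n>", so anchoring on
## the last occurrence keeps injected
## text in the user name out of the count.
## IPv4-mapped "::ffff:a.b.c.d" is
## reduced to the plain address.
##
########################################
count_failures() {
  sed -nE 's/.*sshd.*Failed.* from (::ffff:)?([0-9]{1,3}(\.[0-9]{1,3}){3})( .*)?$/\2/p' "$LOGFILE" |
    sort | uniq -c
}

########################################
##
## Main loop: rescan the log every
## $DELAY seconds, block any new IP at
## or above $MAX_TRY failures, rebuild
## the firewall and send a notification.
##
########################################
while true; do
  ## $TMPFILE must be a private path (see mktemp above): root rewrites it
  ## every cycle, and the inner loop reads it back via a plain redirect
  ## rather than the old "exec < file", which silently replaced the
  ## script's stdin for good.
  count_failures > "$TMPFILE"
  while read -r COUNT IPADDR; do
    ## Already blocked? Match the whole line literally. The old unanchored
    ## "grep $IPADDR" treated the dots as wildcards and matched substrings,
    ## so 10.0.0.1 counted as "found" once 10.0.0.10 or 110.0.0.1 was in
    ## the list and never got its own DROP rule.
    if grep -qxF -- "$IPADDR" "$BLOCKLIST" 2>/dev/null; then
      continue
    fi
    ## Occurs greater than or equal to $MAX_TRY times...
    if [ "$COUNT" -ge "$MAX_TRY" ]; then
      ## We drop it into the block list...
      echo "$IPADDR" >> "$BLOCKLIST"
      ## ...and reload the rules so the new DROP takes effect now.
      reload_firewall
      ## Email ourselves. Options come before the recipient for mail(1).
      echo "$IPADDR ($COUNT failures) is being added to the list" |
        mail -s "Auto-punkd - $IPADDR" "$EMAIL"
      ## And make a log entry.
      logger "$IPADDR ($COUNT failures) is being Auto-punkd"
    fi
  done < "$TMPFILE"
  ## Sleep for $DELAY seconds, start over
  sleep "$DELAY"
done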