By the way, anyone have a take on what kind of performance hit this will take on a server? So far I have 22 addresses or address ranges blocked in my blacklist. And is there a better way? Most of the attempts have been to try to gain root access via ssh, which root isn't allowed to ssh anyway, so this would always fail. Some are for non-existent users.
Brian Densmore
-----Original Message----- From: Brian Densmore
Well you were right about sed. Not something I could do with sed. I wound up using awk, and temporarily putting the addresses in a separate file until I feel comfortable it won't jack up my firewall.
#!/bin/sh
# list of ip addresses to allow always
MYIP=yyy.yyy.yyy.yyy
MYIP2=xxx.xxx.xxx.xxx

# name of logfile to scan - takes an alternate logfile as $1 and defaults to this
lfl=${1:-/var/log/auth.log}

# ugly all on one line, but it works
# (the IP is the word after "from": it is $11 on "for root from X" lines but $13 on
# "for invalid user NAME from X" lines, so it is picked by the position of "from";
# sort before uniq so repeats actually collapse; -xF makes the allow-list an exact,
# literal match instead of a regex that also matches longer addresses)
grep -i 'failed password' "$lfl" | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' | sort | uniq | grep -vxF -e "$MYIP" -e "$MYIP2" >> /etc/illegalips.txt

# still to do: add commands to extract ips from above file
# and add to actual blacklist and call firewall restart
Kclug mailing list [email protected] http://kclug.org/mailman/listinfo/kclug
Brian Densmore ([email protected]) wrote:
By the way, anyone have a take on what kind of performance hit this will take on a server? So far I have 22 addresses or address ranges blocked in my blacklist. And is there a better way? Most of the attempts have been to try to gain root access via ssh, which root isn't allowed to ssh anyway, so this would always fail. Some are for non-existent users.
I guess it depends on how often you run it and how big your log file is. Mine was only 128k and took just a second. I guess you could run it hourly or twice a day and not take that much of a performance hit. You'd have to grab the IPs from the log, save them to a text file, then grab the unique IPs, flush the firewall rules, and then generate them again.
Not too terrible, but if you're worried about CPU cycles you might want to come up with a more efficient system. My server isn't hammered all that much so it's not a big deal.
Jeremy
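As an added example, not code from either poster: the steps Jeremy lists (pull the IPs from the log, keep the unique ones, flush the firewall rules, regenerate them) as one sh script. The log lines embedded in it are constructed, the chain name SSHBLOCK and the allow-list address are assumptions, and it prints the iptables commands rather than executing them so the result can be reviewed before piping it to sh.

```sh
#!/bin/sh
# Added example, not from the thread. Rebuilds an iptables chain from the
# unique source IPs of sshd "Failed password" lines, skipping an allow-list.
# The log lines below are constructed; chain name and allow-list are assumed.

SAMPLE_LOG='Mar  1 10:00:01 box sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:02 box sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:03 box sshd[1236]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
Mar  1 10:00:04 box sshd[1237]: Accepted password for brian from 192.0.2.10 port 40004 ssh2
Mar  1 10:00:05 box sshd[1238]: Failed password for brian from 192.0.2.10 port 40005 ssh2'

# Space-separated addresses never to block (assumed value).
ALLOW="192.0.2.10"

# failed_ips LOGFILE
# Prints each offending source IP once, sorted, minus the allow-list.
# The IP is the word after "from"; it is field 11 on "for root from X"
# lines but field 13 on "for invalid user NAME from X" lines, so it is
# located by the "from" keyword instead of a fixed column.
failed_ips() {
    grep -i 'failed password' "$1" \
    | awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { for (i = 1; i < NF; i++)
              if ($i == "from") { if (!($(i+1) in ok)) print $(i+1); break } }' \
    | sort -u
}

# rules_for CHAIN   (IPs on stdin, one per line)
# Prints the iptables commands that create CHAIN if needed, flush it, and
# refill it with one DROP per IP. Printing instead of executing lets you
# eyeball the result first; apply with:
#   failed_ips /var/log/auth.log | rules_for SSHBLOCK | sh
# The chain is assumed to be reached from INPUT once, e.g.
#   iptables -I INPUT -p tcp --dport 22 -j SSHBLOCK
rules_for() {
    chain=$1
    printf 'iptables -N %s 2>/dev/null\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    while read -r ip; do
        printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
    done
}

# Demonstration on the constructed log.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
failed_ips "$tmp" | rules_for SSHBLOCK
rm -f "$tmp"
```

Flushing and refilling a dedicated chain, rather than the whole firewall, means the rest of the ruleset is never touched while the list is regenerated. A chain of a few dozen -s rules is a linear scan only for packets that reach it, and one grep/awk pass over a log of a few hundred kilobytes is well under a second, so running this hourly from cron costs nothing noticeable; re-reading the entire log each run does re-block every address ever seen, so the file should be rotated or the last-processed offset recorded if that is not what you want.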