LAPINPT

Block SSH Brute Force Attacks

Nov 12th, 2015
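#!/bin/bash
#
# Block SSH brute-force sources with iptables.
#
# Scans the auth log for failed sshd PAM authentications, counts the failures
# per remote host, and adds a DROP rule for every IPv4 source that reached the
# threshold, unless it is already recorded in the blocklist file or its
# forward-confirmed reverse DNS name belongs to an exempt Portuguese provider.
#
# Must run as root: it reads the auth log, calls iptables and writes under
# /etc/network.

# Don't block Portuguese IPs: provider labels accepted directly before ".pt"
DNP='netvisao|netcabo|optimus|novis|telepac|vodafone|tvtel'

# Number of failed SSH log-in attempts that triggers a block
aTaks=40

BLKlist=/etc/network/blacklist.ips
IPrules=/etc/network/iptables.rules
LOGauth=/var/log/auth.log

# Exemption pattern, anchored at both ends with the dot escaped, so a name
# that merely contains "vodafone.pt" somewhere in the middle does not qualify.
# Labels may not start with "-" so the name can never be read as an option.
exemptRE="^([A-Za-z0-9_][A-Za-z0-9_-]*\\.)*(${DNP})\\.pt\$"

# Succeeds only when $1 is a dotted-quad IPv4 address.
# The rhost field comes from log text that remote clients influence, so it is
# validated before it is used as a match key or handed to iptables.
# IPv6 sources are skipped: they would need ip6tables, which this script does
# not drive.
is_ipv4() {
  local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  local re="^${octet}(\\.${octet}){3}\$"
  [[ $1 =~ $re ]]
}

# Succeeds when $1 is already recorded in the blocklist.
# Compares the IP column exactly: a regex or substring match would treat
# 1.2.3.4 as present once 11.2.3.45 has been listed.
in_blocklist() {
  [[ -r $BLKlist ]] || return 1
  awk -v ip="$1" '$2 == ip { found = 1; exit } END { exit !found }' "$BLKlist"
}

# Reads PTR names for IP $1 on stdin; prints the first exempt one and succeeds.
# A PTR record is set by whoever controls the reverse zone of the address, so
# the name only counts when its A record resolves back to the same IP
# (forward-confirmed reverse DNS). Exempt hosts without a matching forward
# record are therefore no longer spared.
exempt_name() {
  local ip=$1 name
  while IFS= read -r name; do
    [[ $name =~ $exemptRE ]] || continue
    if host -t A "$name" </dev/null |
      awk -v ip="$ip" '$NF == ip { ok = 1 } END { exit !ok }'; then
      printf '%s\n' "$name"
      return 0
    fi
  done
  return 1
}

if ((EUID != 0)); then
  echo "this script must run as root" >&2
  exit 1
fi

if [[ ! -r $LOGauth ]]; then
  echo "cannot read $LOGauth" >&2
  exit 1
fi

# One rhost value per failed sshd PAM authentication line
rhosts=$(grep 'unix.sshd:auth.*fail' "$LOGauth" |
  sed -n 's/.* rhost=\([^ ]*\).*/\1/p')

changed=0

while IFS= read -r badIP; do

  is_ipv4 "$badIP" || continue

  in_blocklist "$badIP" && continue

  # Whole-line fixed-string count, so 1.2.3.4 is not credited with the
  # failures of 1.2.3.40
  failN=$(grep -cxF -- "$badIP" <<<"$rhosts")

  if ((failN < aTaks)); then
    echo "$failN  $badIP"
    continue
  fi

  DNpointer=$(host "$badIP" </dev/null |
    sed -n 's/.*domain name pointer //p' | sed 's/\.$//')

  if okName=$(exempt_name "$badIP" <<<"$DNpointer"); then
    echo "$okName"
    continue
  fi

  # -A appends, so the rule only takes effect if no earlier INPUT rule has
  # already accepted the packet. The IP is recorded only after the rule went
  # in; recording first would make a failed insert look like a block forever.
  if iptables -A INPUT -s "$badIP" -j DROP; then
    # Only the first PTR name is stored, keeping the record on one line
    echo "$failN  $badIP  ${DNpointer%%$'\n'*}" | tee -a "$BLKlist"
    changed=1
  else
    echo "iptables failed for $badIP; not recorded" >&2
  fi

done < <(awk '!seen[$0]++' <<<"$rhosts")

# Persist once, via a temp file in the same directory, so a failing
# iptables-save cannot leave a truncated rules file for the next
# iptables-restore.
if ((changed)); then
  tmpRules=$(mktemp "${IPrules}.XXXXXX") || exit 1
  if iptables-save >"$tmpRules"; then
    mv -- "$tmpRules" "$IPrules"
  else
    rm -f -- "$tmpRules"
    echo "iptables-save failed; $IPrules left unchanged" >&2
    exit 1
  fi
fi

# /etc/network/interfaces
# pre-up iptables-restore < /etc/network/iptables.rules
# post-down iptables-save > /etc/network/iptables.rules

# CHECK FOR DROPPED PACKETS
# iptables -L -vn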