<?php$whiteList = [];if (isset($argv[1])) banHammer($argv[1]);else {

1. <?php
2.  
3. $whiteList = [
4. ];
5.  
6. if (isset($argv[1])) banHammer($argv[1]);
7. else {
8.     while (1 == 1) {
9.         banHammer(100);
10.     }
11. }
12.  
13. function banHammer($lines) {
14.     global $whiteList;
15.     $ip_bans = [];
16. /*
17.     $wp_attacks = [];
18.     exec("cat /var/log/apache2/wordpress.access.log | tail -$lines", $wp_attacks);
19.     foreach ($wp_attacks as $wp_attack) {
20.         if (
21.             strpos($wp_attack, 'wp-login.php HTTP/1.1') !== false ||
22.             strpos($wp_attack, 'xmlrpc.php') !== false
23.         ) {
24.             preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/', $wp_attack, $ip_match);
25.             if (!in_array($ip_match[0], $ip_bans)) {
26.                 $ip_bans[] = $ip_match[0];
27.             }
28.         }
29.     }
30. */
31.     $jctl = [];
32.     exec("journalctl | tail -$lines", $jctl);
33.     foreach ($jctl as $j) {
34.         if (
35.             strpos($j, 'Disconnected from invalid user') !== false ||
36.             strpos($j, 'Failed password for mysql') !== false ||
37.             strpos($j, 'error: maximum authentication attempts exceeded for makr from') !== false ||
38.             strpos($j, 'Failed password for root from') !== false
39.         ) {
40.             preg_match('/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/', $j, $ip_match);
41.             if (!in_array($ip_match[0], $ip_bans)) {
42.                 $ip_bans[] = $ip_match[0];
43.             }
44.         }
45.     }
46.  
47.     foreach ($ip_bans as $ban) {
48.         ob_start();
49.         system("ip route show $ban");
50.         $out = ob_get_clean();
51.         if (!in_array($ban, $whiteList) && $out == '') {
52.             system("ip route add prohibit $ban");
53.             echo date('Y-m-d H:i:s') . "\tbanned $ban\n";
54.         }
55.     }
56. }