davideaves.com

Live in a world of your own, but always welcome visitors.

View on GitHub
25 February 2015

Root Auth Monitor: iptables DROP evil networks

by deaves

The following is an upstart script that monitors & blocks networks that fail to log into your Ubuntu server as root. Its great script to stop brute force logins to your server.

The following are a couple commands for reference:

Start/Stop the script…

start tty12

stop tty12

List INPUT rules w/line numbers…

iptables -L INPUT -n -line-numbers

Delete an INPUT rule by line number…

iptables -D INPUT 1

# /etc/init/tty12 - Root Auth Monitor: iptables DROP evil networks
# Required modifying/adding PermitRootLogin & AllowUsers to /etc/ssh/sshd_config

start on runlevel [23] and not-container
stop on runlevel [!23]

respawn

script
exec > /dev/tty12
tail -fn0 /var/log/auth.log | while read LINE
do echo "$LINE" | grep ": Failed password for invalid user root from"
 if [ $? = 0 ]
  then
   whois -h whois.cymru.com " -p $(echo "$LINE" | awk '{print $13}')" | grep ^[0-9] | sed 's/ *| */|/g' |\
   while IFS="|" read AS IP PREFIX NAME
    do iptables -I INPUT -s $PREFIX -j DROP -m comment --comment "AS$AS: $NAME"
   done
 fi
done
end script
tags: auth - iptables - linux - monitor - root - security