25. February 2015 · Comments Off on Root Auth Monitor: iptables DROP evil networks · Categories: Linux, Linux Admin, Linux Scripts, Linux Security, Networking · Tags: , , , , ,

The following is an upstart script that monitors & blocks networks that fail to log into your Ubuntu server as root. Its great script to stop brute force logins to your server.

The following are a couple commands for reference:


Start/Stop the script…
start tty12
stop tty12

List INPUT rules w/line numbers…
iptables -L INPUT -n –line-numbers

Delete an INPUT rule by line number…
iptables -D INPUT 1

# /etc/init/tty12 - Root Auth Monitor: iptables DROP evil networks
# Required modifying/adding PermitRootLogin & AllowUsers to /etc/ssh/sshd_config
 
start on runlevel [23] and not-container
stop on runlevel [!23]
 
respawn
 
script
exec > /dev/tty12
tail -fn0 /var/log/auth.log | while read LINE
do echo "$LINE" | grep ": Failed password for invalid user root from"
 if [ $? = 0 ]
  then
   whois -h whois.cymru.com " -p $(echo "$LINE" | awk '{print $13}')" | grep ^[0-9] | sed 's/ *| */|/g' |\
   while IFS="|" read AS IP PREFIX NAME
    do iptables -I INPUT -s $PREFIX -j DROP -m comment --comment "AS$AS: $NAME"
   done
 fi
done
end script