25 February 2015 · Root Auth Monitor: iptables DROP evil networks · Categories: Linux, Linux Admin, Linux Scripts, Linux Security, Networking

The following is an upstart script that monitors for and blocks networks that fail to log in to your Ubuntu server as root. It's a great script to stop brute-force logins to your server.

The following are a couple commands for reference:

Start/Stop the script…
start tty12
stop tty12

List INPUT rules w/line numbers…
iptables -L INPUT -n --line-numbers

Delete an INPUT rule by line number…
iptables -D INPUT 1

# /etc/init/tty12 - Root Auth Monitor: iptables DROP evil networks
# Requires modifying/adding PermitRootLogin & AllowUsers in /etc/ssh/sshd_config
start on runlevel [23] and not-container
stop on runlevel [!23]
script
  # everything the monitor prints (the matched log lines) goes to tty12
  exec > /dev/tty12
  tail -fn0 /var/log/auth.log | while read LINE
  do
    # upstart runs this block under sh -e, so test grep inside "if" rather than via $?
    if echo "$LINE" | grep ": Failed password for invalid user root from"
    then
      # field 13 is the source IP; ask Team Cymru for its AS, BGP prefix and AS name
      whois -h whois.cymru.com " -p $(echo "$LINE" | awk '{print $13}')" | grep '^[0-9]' | sed 's/ *| */|/g' |\
      while IFS="|" read AS IP PREFIX NAME
      do iptables -I INPUT -s "$PREFIX" -j DROP -m comment --comment "AS$AS: $NAME"
      done
    fi
  done
end script
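To see the script's pieces on their own, here is an added shell example (not part of the original post) that runs one constructed auth.log line and a constructed copy of the Team Cymru whois answer through the same field extraction and sed/read parsing the monitor uses, and prints the iptables command instead of executing it. The MIN_LEN floor and the /32 fallback are my additions: the BGP prefix Cymru returns can be far wider than the attacking host, so the guard blocks only the single IP when the prefix is shorter than /MIN_LEN.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run of the monitor's parsing steps.
# Constructed sshd line, as logged when AllowUsers in sshd_config does not list root.
SAMPLE_LINE='Feb 25 10:01:02 host sshd[2345]: Failed password for invalid user root from 203.0.113.45 port 51234 ssh2'
# Constructed stand-ins for "whois -h whois.cymru.com ' -p <ip>'" output (header row + data row).
SAMPLE_WHOIS='AS      | IP               | BGP Prefix          | AS Name
64496   | 203.0.113.45     | 203.0.113.0/24      | EXAMPLE-AS, ZZ'
SAMPLE_WHOIS_WIDE='AS      | IP               | BGP Prefix          | AS Name
64497   | 198.51.100.7     | 198.0.0.0/8         | WIDE-EXAMPLE, ZZ'

# Same test and field extraction the upstart script uses: the IP is field 13 of the sshd line.
failed_root_ip() {
    printf '%s\n' "$1" | grep ': Failed password for invalid user root from' | awk '{print $13}'
}

# Same cleanup the script applies to Cymru's table: keep data rows, squeeze " | " down to "|".
cymru_to_pipes() {
    printf '%s\n' "$1" | grep '^[0-9]' | sed 's/ *| */|/g'
}

# Print (instead of run) the iptables rule the monitor would insert for one Cymru answer.
# MIN_LEN is an added guard: a BGP prefix shorter than /MIN_LEN (e.g. a /8) would drop
# far more than the attacking host, so fall back to blocking the single IP instead.
MIN_LEN=${MIN_LEN:-16}
drop_rule() {
    cymru_to_pipes "$1" | while IFS='|' read -r AS IP PREFIX NAME
    do
        case $PREFIX in */*) ;; *) continue ;; esac   # skip rows with no CIDR prefix
        if [ "${PREFIX##*/}" -lt "$MIN_LEN" ]
        then target="$IP/32"
        else target="$PREFIX"
        fi
        printf 'iptables -I INPUT -s %s -j DROP -m comment --comment "AS%s: %s"\n' "$target" "$AS" "$NAME"
    done
}

# Walk the constructed line and both constructed whois answers through the pipeline.
ip=$(failed_root_ip "$SAMPLE_LINE")
echo "offending IP: $ip"
drop_rule "$SAMPLE_WHOIS"
drop_rule "$SAMPLE_WHOIS_WIDE"
```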