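#!/bin/bash
# author: JS
# date: March 3, 2012
#
# Purpose: Comp 8006 Net Sec Admin II Assignment 3
# Lockout an IP based on failed login attempts
#
# Usage notes:
#   * The script uses [[ ]] and (( )), so it must run under bash (the old
#     #!/bin/sh shebang would break on any /bin/sh that is dash/ash).
#   * It is meant to be run repeatedly (e.g. from cron). Addresses that
#     already carry a DROP rule are skipped so re-runs do not stack duplicate
#     rules and duplicate at(1) jobs.
#   * The unblock is scheduled with at(1) and therefore runs with no
#     terminal; the invoking user must be able to run iptables/ip6tables via
#     sudo without a password prompt, otherwise the DROP rule is never
#     removed.
#
### user configuration ###
# log file to monitor
LOG=/var/log/auth.log
# number of failed login attempts from one address before it is blocked
ATTEMPTS=1
# time in minutes (greater than 1 advised)
LOCKOUT=1
# how many of the most recent failure lines to consider on each run
WINDOW=10
###########################
# iptables wrappers; a source address from the log may be IPv4 or IPv6 and
# each family has its own table
IPT="sudo /sbin/iptables"
IPT6="sudo /sbin/ip6tables"

# The tunables end up in an arithmetic test and in the at(1) command line,
# so refuse anything that is not a plain positive integer.
for val in "$ATTEMPTS" "$LOCKOUT" "$WINDOW"; do
  case "$val" in
    ''|*[!0-9]*)
      printf 'ATTEMPTS, LOCKOUT and WINDOW must be positive integers\n' >&2
      exit 1
      ;;
  esac
done

if [[ ! -r "$LOG" ]]; then
  printf 'cannot read %s\n' "$LOG" >&2
  exit 1
fi

# sshd logs "... Failed password for [invalid user] NAME from ADDR port N ssh2",
# so the address is always the 4th field from the end, whatever the user
# name looks like. Take the last $WINDOW such lines, then count how often each
# address appears. uniq -c gives the true occurrence count; the previous
# compare-with-last-seen loop started counting at 0 on the first sighting
# and so needed ATTEMPTS+1 failures before acting.
awk '/Failed password for/ {print $(NF-3)}' "$LOG" \
  | tail -n "$WINDOW" \
  | LC_ALL=C sort \
  | uniq -c \
  | while read -r count ip; do
  # never block the local host (IPv4, IPv6 and IPv4-mapped IPv6 forms)
  case "$ip" in
    ::1|127.*|::ffff:127.*) continue ;;
  esac

  # The token is lifted out of a log file and is written, unquoted, into a
  # shell script that at(1) later executes with sudo. Only let through
  # something that is unambiguously an address so a malformed log line can
  # never turn into an injected command. Pick the table by family.
  if [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    fw="$IPT"
  elif [[ "$ip" == *:* && "$ip" =~ ^[0-9A-Fa-f:.]+$ ]]; then
    fw="$IPT6"
  else
    printf 'skipping unrecognised address token: %s\n' "$ip" >&2
    continue
  fi

  # below the threshold: nothing to do for this address
  (( count >= ATTEMPTS )) || continue

  # Skip addresses that already have a DROP rule. iptables -C needs
  # >= 1.4.11; on older versions the check simply fails and we fall back to
  # the original behaviour of inserting unconditionally.
  # shellcheck disable=SC2086  # $fw is intentionally split into "sudo /sbin/iptables"
  if $fw -C INPUT -s "$ip" -j DROP 2>/dev/null; then
    continue
  fi

  # insert a new rule; if that fails there is nothing to expire later
  # shellcheck disable=SC2086
  $fw -I INPUT -s "$ip" -j DROP || continue
  # set the rule to expire after the configured length of time
  printf '%s -D INPUT -s %s -j DROP\n' "$fw" "$ip" | at now + "$LOCKOUT" minutes
done

# show results; -n avoids reverse DNS lookups on attacker addresses, which
# are slow and leak the fact that we are looking at them
$IPT -n -L INPUT
echo
$IPT6 -n -L INPUT
echo
atq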