Using the Linux lastb command, I found that my server is being brute-force attacked from many different IPs around the world! I have developed a script to detect brute-force attackers with lastb and block them with iptables. Here is the script:
#!/bin/bash
cd /root/ || exit 1
windowSize=100   # number of most recent failed logins to inspect
tresh=10         # failures from one IP within the window before it is blocked

# Count failed logins per source IP in the window. The sort is needed because
# uniq -c only counts consecutive identical lines; lastb's "btmp begins" footer
# and blank lines are skipped so they cannot be read as an IP.
lastb | head -n "$windowSize" | awk 'NF >= 3 && $1 != "btmp" {print $3}' | sort | uniq -c > .ips

# Create the list of already-blocked IPs if it does not exist yet
# (the original test, [ ! -z .blips ], checked the literal string and was always false).
[ -e .blips ] || touch .blips

while read -r count IP; do
    if [ "$count" -gt "$tresh" ]; then
        # Only add a rule once per IP: match the whole line as a fixed string,
        # so 10.0.0.1 does not match 10.0.0.10 or 110.0.0.1.
        if ! grep -qxF "$IP" .blips; then
            echo "blocking $IP"
            iptables -A INPUT -s "$IP" -j DROP
            echo "$IP" >> .blips
        fi
    fi
done < .ips
rm .ips
Can it cause any problem if I run this script from crond every hour?
Yes, you are not taking any measures to ensure that the IP addresses you connect to the system from are excluded, so you could lock yourself out of the system.
A better solution is to install fail2ban which is widely used to do just what you are trying to do.
The suggested solution is lacking (or smart) in the sense that it does not save IPTABLES, so the changes made to IPTABLES will be lost on the next boot.
You should save your blocked IPs by committing them: /sbin/service iptables save
CHANGE:
done
/sbin/service iptables save
rm .ips
On the other hand, since the system is automated, maybe it is wise to only do the commit manually after seeing the changes in .blips.
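The two answers above raise two separate defects: nothing stops the script from blocking the administrator's own address, and the rules are not persisted across a reboot. The following is an added example, not code from the question or from either answer, that keeps the lastb-count-then-iptables idea but adds an allowlist check and a persistence step. The allowlist entries, the block-list path, the rules file path (iptables-save into /etc/iptables/rules.v4, the Debian-style equivalent of the RHEL `service iptables save` mentioned above) and the sample lastb output are all constructed for illustration; iptables is only invoked when APPLY=1, otherwise the script prints what it would do.

```shell
#!/bin/bash
# Added example (not the original poster's or answerers' code): detect
# repeated failed logins from lastb, never block allowlisted addresses,
# block each offender once, and persist the ruleset.

ALLOWLIST="203.0.113.10 10.0.0."          # exact IPs, or prefixes ending in "." (constructed)
BLOCKLIST=/var/lib/ssh-block/blips        # assumed path: IPs already blocked
RULES_FILE=/etc/iptables/rules.v4         # assumed path read by iptables-persistent at boot

# is_allowed IP -> exit 0 if IP is on the allowlist (exact or prefix match).
is_allowed() {
    local ip=$1 entry
    for entry in $ALLOWLIST; do
        case $entry in
            *.) [ "${ip#"$entry"}" != "$ip" ] && return 0 ;;   # prefix matched
            *)  [ "$ip" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# count_failures WINDOW THRESHOLD < lastb-output
#   Prints "count ip" for every IP with more than THRESHOLD failures among the
#   newest WINDOW lines, skipping lastb's "btmp begins" footer and blank lines.
count_failures() {
    local window=$1 thresh=$2
    head -n "$window" | awk -v t="$thresh" '
        NF >= 3 && $1 != "btmp" { n[$3]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }' | sort -k2
}

# block_candidates WINDOW THRESHOLD < lastb-output
#   Prints the IPs that should be blocked now: over threshold, not allowlisted,
#   and not already recorded in BLOCKLIST.
block_candidates() {
    local count ip
    count_failures "$1" "$2" | while read -r count ip; do
        is_allowed "$ip" && continue
        [ -f "$BLOCKLIST" ] && grep -qxF "$ip" "$BLOCKLIST" && continue
        echo "$ip"
    done
}

# apply_blocks < candidate-ips
#   Inserts a DROP rule per IP, records it, and persists the ruleset.
#   Only touches iptables when APPLY=1; otherwise it is a dry run.
apply_blocks() {
    local ip
    while read -r ip; do
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -I INPUT -s "$ip" -j DROP
            mkdir -p "$(dirname "$BLOCKLIST")"
            echo "$ip" >> "$BLOCKLIST"
        else
            echo "dry run: iptables -I INPUT -s $ip -j DROP"
        fi
    done
    if [ "${APPLY:-0}" = 1 ]; then
        iptables-save > "$RULES_FILE"   # survives a reboot, unlike the live table
    fi
}

# Constructed lastb-style sample: 12 failures from 192.0.2.77 (an attacker),
# 11 from 203.0.113.10 (the admin, allowlisted), 3 from 198.51.100.5 (below
# threshold), then the footer line real lastb prints.
sample_lastb() {
    local i
    for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
        echo "root     ssh:notty    192.0.2.77       Mon Mar  4 10:01 - 10:01  (00:00)"
    done
    for i in 1 2 3 4 5 6 7 8 9 10 11; do
        echo "admin    ssh:notty    203.0.113.10     Mon Mar  4 09:30 - 09:30  (00:00)"
    done
    for i in 1 2 3; do
        echo "guest    ssh:notty    198.51.100.5     Mon Mar  4 09:10 - 09:10  (00:00)"
    done
    echo
    echo "btmp begins Mon Mar  4 00:00:00 2024"
}

# Demo on the constructed sample; on a real host replace sample_lastb with lastb:
#   lastb | block_candidates 100 10 | apply_blocks
sample_lastb | block_candidates 100 10 | apply_blocks
```

Run as-is it prints only `dry run: iptables -I INPUT -s 192.0.2.77 -j DROP`: the admin's address exceeds the threshold too but is allowlisted, and 198.51.100.5 is under it. The rule is inserted with `-I` rather than appended with `-A` so an earlier ACCEPT rule in INPUT cannot shadow it, which the original `-A` would silently allow.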
DenyHosts or Fail2ban will work better than most homemade custom scripts.
http://en.wikipedia.org/wiki/DenyHosts
http://en.wikipedia.org/wiki/Fail2ban