Friday 1 January 2016

ssh failed logins

To get the list of failed SSH logins recorded by sshd in /var/log/auth.log (the Debian/Ubuntu location; Red Hat-based systems log them to /var/log/secure). The pattern is quoted so the shell does not expand the *:

grep 'sshd.*Failed' /var/log/auth.log


To extract only the IP address from each match and get a unique list of IPs:

grep 'sshd.*Failed' /var/log/auth.log | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq


To block the IPs that have failed SSH logins using iptables:

grep 'sshd.*Failed' /var/log/auth.log | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq | while read ip ; do sudo iptables -A INPUT -s "$ip" -j DROP; done

Two things to check before running that loop. First, -A appends the DROP rules to the end of the INPUT chain, so if the chain already has an ACCEPT for port 22 (or for established connections) earlier on, the new rules are never reached; -I INPUT inserts them at the top instead. Second, the list contains every address that ever mistyped a password, your own included, so read it before feeding it to iptables. The rules are also lost at reboot unless you save them with iptables-save.


Running this command twice will create duplicate rules. I am working on turning it into a cron job.
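Here is the whole procedure as one script. It is an added example, not the post's own commands: it reads the address out of the "from <ip> port" field instead of matching any dotted quad on the line, only acts on addresses with a minimum number of failures, skips an allow-list so you cannot lock yourself out, and emits iptables commands guarded with -C so running it again (for example from cron) adds no duplicate rules. The sample log lines, the threshold of 2, the allow-listed address 192.0.2.10 and the function names are assumptions made for the example; for real use point it at /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not from the original post: list, count and idempotently
# block source addresses with failed sshd logins.  Runs offline against the
# constructed sample below; point it at /var/log/auth.log for real use.

# Constructed sample in the format sshd writes to /var/log/auth.log
# (documentation addresses, not real attackers).
SAMPLE_LOG='Jan  1 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan  1 10:00:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan  1 10:00:05 host sshd[1240]: Failed password for root from 198.51.100.77 port 40000 ssh2
Jan  1 10:00:07 host sshd[1241]: Accepted publickey for alice from 192.0.2.10 port 33000 ssh2
Jan  1 10:00:09 host sshd[1242]: Failed password for bob from 192.0.2.10 port 33002 ssh2
Jan  1 10:00:11 host sshd[1243]: Failed password for root from 203.0.113.5 port 51240 ssh2'

# failed_ips LOGFILE [MIN_FAILURES]
# Prints "<count> <ip>" for every source address with at least MIN_FAILURES
# (default 1) failed sshd logins, highest count first.  The address is taken
# from the "from <ip> port" field only, so nothing else on the line (PIDs,
# usernames containing digits) can be mistaken for one.  The pattern is
# IPv4-only, so IPv6 sources are skipped.
failed_ips() {
    logfile=$1
    min=${2:-1}
    grep 'sshd.*Failed' "$logfile" \
        | sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# block_commands LOGFILE MIN_FAILURES [ALLOWLIST]
# Emits one iptables command per offending address.  "-C" tests whether the
# rule is already present, so re-running (e.g. from cron) never duplicates
# it; "-I" puts the DROP at the top of INPUT, where "-A" would append it
# after any existing ACCEPT for port 22 and it would never be reached.
# Space-separated ALLOWLIST addresses are never blocked: a mistyped
# password from your own machine must not lock you out.
block_commands() {
    logfile=$1
    min=$2
    allow=${3:-}
    failed_ips "$logfile" "$min" | while read -r count ip; do
        case " $allow " in
            *" $ip "*) continue ;;
        esac
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Dry run over the sample: threshold 2, 192.0.2.10 allow-listed (assumed to
# be the admin's own address).  Review the output, then apply it with
#   block_commands /var/log/auth.log 2 "$MY_IP" | sudo sh
# The rules are not kept across reboots unless you run iptables-save.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "# addresses with >= 2 failures:"
    failed_ips "$tmp" 2
    echo "# commands that would be run:"
    block_commands "$tmp" 2 "192.0.2.10"
    rm -f "$tmp"
}

main
```

Run it as is to see the dry run; to put it in cron, replace the sample with the real log path and pipe block_commands into sudo sh as shown in the comment. Because every command is guarded with -C, a cron job that runs it every few minutes keeps the INPUT chain free of duplicates.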




