Linux – Block brute-force attack using lastb and iptables

Tags: brute-force-attacks, firewall, iptables, linux, security

Using the Linux lastb command, I found that my server is being brute-force attacked from many different IPs around the world! I have developed a script to detect brute-force attackers with lastb and block them with iptables. Here is the script:

#!/bin/bash

cd /root/ || exit 1
windowSize=100          # number of most recent failed logins to inspect
tresh=10                # failures from one IP before it is blocked

# Column 3 of lastb output is the remote host. uniq -c only collapses
# *adjacent* duplicates, so the hosts must be sorted first; otherwise an IP
# whose attempts are interleaved with others is never counted correctly.
lastb | head -n $windowSize | awk '{print $3}' | sort | uniq -c > .ips

# Create the blocklist file if it does not exist yet. The original test
# [ ! -z .blips ] checked whether the literal string ".blips" is empty,
# which is never true, so touch ran on every pass.
if [ ! -f .blips ] ; then
        touch .blips
fi

# Each line of .ips is "<count> <ip>".
while read -r count IP ; do
        if [ -n "$IP" ] && [ "$count" -gt "$tresh" ] ; then
                # Whole-line fixed-string match: a plain grep for 1.2.3.4
                # would also match 1.2.3.45 or 1x2x3x4.
                blocked=$(grep -cxF -- "$IP" .blips)
                if [ "$blocked" = '0' ] ; then
                        echo blocking $IP
                        # -I inserts at the top of the chain; -A appends the
                        # DROP after any earlier ACCEPT rule that already
                        # matches the traffic, leaving it without effect.
                        iptables -I INPUT -s "$IP" -j DROP
                        echo $IP >> .blips
                fi ;
        fi;
done < .ips
rm .ips

Can it cause any problem if I run this script from crond every hour?

Best Answer

Yes, you are not taking any measures to ensure that the IP addresses you connect to the system from are excluded, so you could lock yourself out of the system.

A better solution is to install fail2ban which is widely used to do just what you are trying to do.
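As an added example (not the poster's script or the answerer's code), here is the detection step written so that it applies the answer's point: addresses you administer from are never blocked, and the blocklist check is an exact match rather than a substring match. It runs offline over constructed lastb-style lines; the ALLOWLIST value and all addresses are assumed sample values.

```bash
#!/bin/bash
# Added example, not the question's script: counts failed logins per host
# from lastb-style lines, skips an allowlist of admin addresses (the
# lock-out concern in the answer) and checks the blocklist exactly.

# Constructed lastb-style output (user, tty, host, time), including the
# trailer line lastb prints, which must not be counted.
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Mon Jan  1 10:00 - 10:00  (00:00)
admin    ssh:notty    203.0.113.5      Mon Jan  1 10:01 - 10:01  (00:00)
root     ssh:notty    198.51.100.7     Mon Jan  1 10:02 - 10:02  (00:00)
root     ssh:notty    203.0.113.5      Mon Jan  1 10:03 - 10:03  (00:00)
alice    ssh:notty    192.0.2.10       Mon Jan  1 10:04 - 10:04  (00:00)
root     ssh:notty    192.0.2.10       Mon Jan  1 10:05 - 10:05  (00:00)
root     ssh:notty    192.0.2.10       Mon Jan  1 10:06 - 10:06  (00:00)
root     ssh:notty    192.0.2.10       Mon Jan  1 10:07 - 10:07  (00:00)

btmp begins Mon Jan  1 09:00:00 2024'

# Assumed: the addresses you administer from; never blocked, whatever they do.
ALLOWLIST="192.0.2.10"

# Read lastb-style lines on stdin and print "<count> <ip>" for every host
# with at least $1 failures that is not allowlisted. Only IPv4-looking hosts
# are counted, which also drops blank lines and the "btmp begins" trailer.
offenders() {
    awk -v thresh="$1" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $3 ~ /^[0-9.]+$/ && !($3 in skip) { hits[$3]++ }
        END { for (ip in hits) if (hits[ip] >= thresh) print hits[ip], ip }'
}

# True if $1 is already in blocklist file $2. -x -F gives a whole-line,
# fixed-string match: a plain grep for 203.0.113.5 also hits 203.0.113.50.
is_blocked() {
    [ -f "$2" ] || return 1
    grep -qxF -- "$1" "$2"
}

# Dry run: reports instead of calling iptables (a real run would insert
# the rule with iptables -I INPUT -s "$ip" -j DROP, ahead of ACCEPT rules).
main() {
    blocklist=$(mktemp)
    echo "203.0.113.50" > "$blocklist"   # constructed near-miss entry
    printf '%s\n' "$SAMPLE_LASTB" | offenders 3 | while read -r count ip; do
        if is_blocked "$ip" "$blocklist"; then echo "already blocked: $ip"
        else echo "would block: $ip ($count failures)"; echo "$ip" >> "$blocklist"; fi
    done
    rm -f "$blocklist"
}
main
```

With the sample above only 203.0.113.5 is reported: 192.0.2.10 has the most failures but is allowlisted, and the near-miss blocklist entry does not suppress the block.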