Blocking IPs from the FW [was RE: spamassassin question [with blacklist question]]

Brian Densmore DensmoreB at ctbsonline.com
Tue Oct 26 10:46:35 CDT 2004


By the way, anyone have a take on what kind of performance
hit this will take on a server? So far I have 22 addresses
or address ranges blocked in my blacklist. And is there a 
better way? Most of the attempts have been to try to gain
root access via ssh, which root isn't allowed to ssh anyway,
so this would always fail. Some are for non-existent users.

Brian Densmore

> -----Original Message-----
> From: Brian Densmore 
> 
> Well you were right about sed. Not something I could do with sed. 
> I wound up using awk, and temporarily putting the addresses 
> in a separate file
> until I feel comfortable it won't jack up my firewall.
> 
> #!/bin/sh
> 
> # list of ip address to allow always
> MYIP=yyy.yyy.yyy.yyy
> MYIP2=xxx.xxx.xxx.xxx
> 
> # name of logfile to scan - need to variablize so I can call 
> it with an alternate
> # logfile and default to this 
> lfl=/var/log/auth.log
> 
> # ugly all on one line, but it works
> cat $lfl | grep -i failed\ password | awk '{ print $11 }' 
> |uniq | grep -v $MYIP | grep -v $MYIP2 >> /etc/illegalips.txt
> 
> # still to do add commands to extract ips from above file
> # and add to actual blacklist and call firewall restart
> 
> 
> > http://kclug.org/mailman/listinfo/kclug
> > 
> _______________________________________________
> Kclug mailing list
> Kclug at kclug.org
> http://kclug.org/mailman/listinfo/kclug
> 


More information about the Kclug mailing list