In order to thwart a persistent hacker I have developed a tcpdump command which prints failed authentications plus the preceding 4 lines to the console. Since sometimes I have to sleep, I would like to write a program to automatically add the IP to the firewall when the failed login is printed.
simplified example:

    tcpdump [options] | grep [username] | perl -ne '[
        isolate username using regex;
        if username is the target username,
            examine previous lines looping until IP is detected;
            append properly formatted firewall command to firewall file;
            run firewall file
    ]'
I've got the tcpdump and the grep working. I know enough about Perl to program this in a script file but the command line Perl has me stumped.
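One way to write that filter as a Perl script fed by the tcpdump pipe, added here as an example and not code from the question or the answer. It assumes (none of this is stated in the question) that a failed-login line contains the username and the word "fail", that the source address appears in tcpdump's "IP src.port > dst.port" header line printed a few lines earlier, and that the firewall file takes iptables DROP rules.

```perl
#!/usr/bin/perl
# Added example: read the tcpdump | grep stream on STDIN, keep the last few
# lines, and when a failed login for the target user appears, walk back
# through them to find the source IP and append a DROP rule to the firewall
# file (once per IP). Running the firewall file is left to the existing setup.
use strict;
use warnings;

my ($target, $fwfile) = @ARGV;
die "usage: $0 USERNAME FIREWALL_FILE\n"
    unless defined $target && defined $fwfile;

my $ctx = 4;     # how many preceding lines to search (matches grep -B4)
my @prev;        # ring buffer of the most recent $ctx lines
my %blocked;     # IPs already written, so each rule is appended only once

# Return the source IPv4 address from the newest line that looks like a
# tcpdump packet header ("IP 203.0.113.5.43210 > 192.0.2.1.21: ..."), or undef.
# (Assumed tcpdump format; adjust the regex if -n/-nn are not in use.)
sub find_ip {
    for my $line (reverse @_) {
        return $1 if $line =~ /\b((?:\d{1,3}\.){3}\d{1,3})\.\d+\s+>/;
    }
    return;
}

while (my $line = <STDIN>) {
    chomp $line;
    # Assumed failed-login marker: the target username plus "fail" on one line.
    if (index($line, $target) >= 0 && $line =~ /fail/i) {
        my $ip = find_ip(@prev, $line);
        if (defined $ip && !$blocked{$ip}++) {
            open my $fh, '>>', $fwfile or die "cannot open $fwfile: $!";
            print $fh "iptables -A INPUT -s $ip -j DROP\n";
            close $fh;
            print "queued block for $ip\n";
        }
    }
    push @prev, $line;
    shift @prev while @prev > $ctx;
}
```

Both upstream stages must be line-buffered (tcpdump -l and grep --line-buffered -B4) or the pipe is block-buffered and the script sees nothing until the buffer fills; a spoofed or shared source address will be blocked just the same, which is the usual caveat with any automatic rule writer.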
For what you're trying to do, I would suggest another route, and install a service such as denyhosts, which can detect repeated failed login attempts, log them, and automatically block them.
denyhosts is available from http://denyhosts.sourceforge.net - or is likely available on the repositories for your flavour of Linux.