Ubuntu UFW script to block failed auth attempts

I whipped this up (and it’s not sexy) to block failed authentication attempts on a few Postfix servers I manage.  I might use fail2ban if things get out of hand, but currently the servers just have UFW (Uncomplicated Firewall), which is built into Ubuntu.

#!/bin/bash

# Get all the authentication failures from the mail log file
grep "authentication failure" /var/log/mail.log > /var/ftp/protect/badauth.txt
# Cut out the '[' section with our hacker loser IP address in it
cut -d'[' -f3 /var/ftp/protect/badauth.txt > /var/ftp/protect/clean1.txt
# Cut out the ']' section with our hacker loser IP address in it
cut -d']' -f1 /var/ftp/protect/clean1.txt > /var/ftp/protect/final.txt
# Clean the file so we have unique IPs only
awk '!seen[$0]++' /var/ftp/protect/final.txt | sort -n > /var/ftp/protect/final2.txt
# final2 is the final clean file with unique IPs in it

# Find networks and block networks
# Create a blank routes.txt file so we always start fresh
: > /var/ftp/protect/routes.txt
# Do a whois lookup on the route / CIDR addresses trying to hack the server
# This way we can block the NETWORK and not just the single IP address
# The commented-out whois line below has been deprecated: it wasn't working on
# every instance, so I modified it to query arin.net, who post proper CIDR
# notations on their whois lookup records.
for ip in $(cat /var/ftp/protect/final2.txt)
do
    # whois "$ip" | grep route: | cut -d':' -f2 >> /var/ftp/protect/routes.txt
    whois -h whois.arin.net "$ip" | grep CIDR | cut -d':' -f2 >> /var/ftp/protect/routes.txt
done
# Get rid of the wacky spaces that end up in this file (one network per line)
tr '[:space:]' '[\n*]' < /var/ftp/protect/routes.txt | sort -u > /var/ftp/protect/routes.final2.txt
# Now add each network we looked up to the UFW block list so it will block it
for block in $(cat /var/ftp/protect/routes.final2.txt)
do
    # Note: the old rule was
    # ufw deny from "$block"
    # Note: the new rule, per my comments below about moving the rule to the top of the list
    ufw insert 1 reject from "$block"
done

Make a directory in:  /var/ftp/protect

…that’s kind of my “working directory”.  Then create a file called “get.sh” and slap the above code into it.  Then add a cron job to run it whenever you want:  crontab -e

I have mine running at 10pm once per day.  This should keep the honest people honest 😉

I’m certain, since I’m not a programmer, that there is a more sophisticated way to code this, but even shit code works if it works, and this works!

The more you work on things (and hopefully progress) the better you get.

Note:  I updated this script a bit after realizing you have to move your block / reject rule to the TOP of the UFW list.  I also chose to do the “reject” as that doesn’t seem to end up showing up in the log file.  If you use “block” it shows up in the log file.  The “block” mechanism can be a good troubleshooting tool BUT I don’t need it…REJECT BABY!
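Here is an added example (my own, not the script from the post) that runs the same two steps, pulling the offending IPs out of the mail log and turning the looked-up networks into “ufw insert 1 reject from” rules at the top of the list, on constructed sample input so you can check the pipeline without touching a live server. It grabs the client IP with a regex on the “[ip]: SASL … authentication failed” shape instead of cut (so the smtpd[pid] bracket can never be picked up by mistake), prints the ufw commands for review rather than running them, and refuses any network wider than a /16, because an ARIN CIDR record can hand back a very large block and the script would reject every address in it. The log lines and the CIDR list are constructed stand-ins for /var/log/mail.log and the whois output, not real traffic.

```shell
#!/bin/bash
# Added example, not the script from the post. Parses constructed Postfix
# SASL-failure lines, dedupes the client IPs, and prints (does not run) the
# ufw commands, skipping any network wider than the MAXLEN prefix.

# Constructed sample of /var/log/mail.log (Postfix smtpd format, not real traffic)
SAMPLE_LOG='Mar  3 22:01:10 mx1 postfix/smtpd[2231]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 22:01:12 mx1 postfix/smtpd[2231]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 22:02:40 mx1 postfix/smtpd[2240]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 22:03:01 mx1 postfix/smtpd[2244]: connect from mail.example.net[192.0.2.10]
Mar  3 22:04:15 mx1 postfix/smtpd[2250]: warning: host.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure'

# Constructed stand-in for the CIDR lines the post pulls out of
# "whois -h whois.arin.net" (one per IP above; the /8 is deliberately too wide)
SAMPLE_CIDRS='203.0.113.0/24
198.51.100.0/24
192.0.0.0/8
203.0.113.0/24'

# extract_ips: log lines on stdin -> unique client IPs of failed SASL auths.
# Matches the "[ip]: SASL ... authentication failed" shape directly, so the
# "smtpd[2231]" pid bracket can never be taken for the client address.
extract_ips() {
    grep 'SASL .* authentication failed' \
    | grep -oE '\[[0-9]{1,3}(\.[0-9]{1,3}){3}\]: SASL' \
    | sed -E 's/^\[([0-9.]+)\].*/\1/' \
    | sort -u
}

# prefix_too_wide CIDR MAXLEN: true when the block's prefix length is shorter
# than MAXLEN (e.g. a /8 when MAXLEN is 16). Plain addresses pass through.
prefix_too_wide() {
    len=${1#*/}
    [ "$len" = "$1" ] && return 1
    [ "$len" -lt "$2" ]
}

# ufw_rules MAXLEN: CIDR blocks on stdin -> one "ufw insert 1 reject from"
# line per unique block, skipping blanks and anything wider than /MAXLEN.
# Printing instead of executing lets you review the list before applying it.
ufw_rules() {
    sort -u | while IFS= read -r block; do
        [ -z "$block" ] && continue
        if prefix_too_wide "$block" "$1"; then
            echo "# skipped $block: wider than /$1" >&2
            continue
        fi
        echo "ufw insert 1 reject from $block"
    done
}

main() {
    echo "== unique offending IPs =="
    printf '%s\n' "$SAMPLE_LOG" | extract_ips
    echo "== ufw commands to review (rules go to the top of the list) =="
    printf '%s\n' "$SAMPLE_CIDRS" | ufw_rules 16
}
main
```

To use it against a real server, replace the two constructed variables with `extract_ips < /var/log/mail.log` and the whois loop from the script above, and pipe the reviewed output into `sh` only once you are happy with what it will reject.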

Reference:  https://askubuntu.com/questions/1007271/ip-blocked-in-ufw-yet-continue-to-see-failed-password-attempts-in-auth-log
