Bash tips, tricks and code snippets
Bash oneliner to block script kiddies
The following checks the auth.log* files for any previously unknown (not yet blocked) IP addresses which have triggered a Bad protocol version identification entry and are therefore probably undesirable.
The output can be used to add them to the /etc/hosts.deny file:
# Inner loop: pull the source address out of each matching auth.log line.
# Outer loop: print a ready-to-run deny command for every address not yet listed.
(while read -r IP; do if grep -qwF -- "$IP" /etc/hosts.deny; then \
echo "$IP already denied"; \
else echo "echo 'ALL: $IP' | sudo tee -a /etc/hosts.deny"; \
fi; done < <((while read -r line; do \
echo "$line" | grep -Eo 'from .+' | awk '{print $2}'; \
done < <(zgrep 'Bad protocol version identification' \
/var/log/auth.log*)) | sort -u) \
) | sort -u
It might output something like this:
35.240.29.179 already denied
45.136.108.66 already denied
87.251.74.49 already denied
echo 'ALL: 194.61.26.6' | sudo tee -a /etc/hosts.deny
echo 'ALL: 35.246.245.31' | sudo tee -a /etc/hosts.deny
echo 'ALL: 45.136.108.23' | sudo tee -a /etc/hosts.deny
echo 'ALL: 45.141.87.4' | sudo tee -a /etc/hosts.deny
echo 'ALL: 45.143.200.16' | sudo tee -a /etc/hosts.deny
echo 'ALL: 5.188.206.46' | sudo tee -a /etc/hosts.deny
echo 'ALL: 79.124.62.54' | sudo tee -a /etc/hosts.deny
echo 'ALL: 81.91.177.88' | sudo tee -a /etc/hosts.deny
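
A hardened variant of the same idea, as an added example rather than the page's own code: the quoted identification string in the log line is sent by the client, so the parse trusts only the trailing `from ADDR port N` that sshd appends, range-checks the address, and matches /etc/hosts.deny entries as whole tokens. The function names, the sample log lines (documentation address ranges) and the exact log layout are assumptions.

```bash
# Added example; function names and sample data are constructed for illustration.
# Assumed sshd log layout: ... identification '<banner>' from ADDR port N

# Print unique IPv4 sources of "Bad protocol version identification" lines
# read on stdin. The banner is client-controlled text, so only the final
# "' from ADDR [port N]" at the end of the line is parsed, then range-checked.
extract_sources() {
  grep -F 'Bad protocol version identification' |
  sed -nE "s/.*' from ([0-9]{1,3}(\.[0-9]{1,3}){3})( port [0-9]+)?[[:space:]]*\$/\1/p" |
  awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
  LC_ALL=C sort -u
}

# Print "ALL: ADDR" for each address on stdin with no entry in the given
# hosts.deny-style file. -F disables regex dots, -w requires a whole-token
# match, so 203.0.113.6 is not hidden by an existing 203.0.113.66.
new_deny_lines() {
  deny_file=$1
  while read -r ip; do
    grep -qwF -- "$ip" "$deny_file" || printf 'ALL: %s\n' "$ip"
  done
}

# Constructed sample: line 2 carries a decoy "from" inside the banner,
# line 4 is an unrelated successful login.
sample_log() {
  cat <<'EOF'
Mar  1 10:00:01 host sshd[101]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.6 port 40122
Mar  1 10:00:02 host sshd[102]: Bad protocol version identification 'x from 192.0.2.1 ' from 198.51.100.7 port 40123
Mar  1 10:00:03 host sshd[103]: Bad protocol version identification '\003' from 203.0.113.66 port 40124
Mar  1 10:00:04 host sshd[104]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
EOF
}

# Demo: bash thisfile --demo   (prints the two addresses not yet denied)
if [ "${1:-}" = "--demo" ]; then
  deny=$(mktemp); echo 'ALL: 203.0.113.66' > "$deny"
  sample_log | extract_sources | new_deny_lines "$deny"
  rm -f "$deny"
fi
```

On a real host, feed `extract_sources` from `zgrep -h 'Bad protocol version identification' /var/log/auth.log*` and review the printed `ALL:` lines before appending them to /etc/hosts.deny.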