jwiegley / jw.firewall
watch download tarball
public
Forks0Right
Watchers1Right
Description: A rigorous set of firewall scripts for BSD ipfw, and Linux iptables
Homepage:
Clone URL: git://github.com/jwiegley/jw.firewall.git
jw.firewall / hackscan
100755 51 lines (42 sloc) 1.336 kb
raw blame history 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

#!/usr/bin/env python
 
import sys
import re
import os
 
banned = {}
counts = {}
 
fd = os.popen('/sbin/ipfw -q show 5')
for line in fd:
    match = re.search('deny tcp from (.+?) to any', line)
    if match and not banned.has_key(match.group(1)):
        banned[match.group(1)] = True
fd.close()
 
def ban(host, port):
    if host != '?':
        os.system('/sbin/ipfw -q add 5 deny tcp from %s to any %s in via %s' %
                  (host, port, sys.argv[1]))
 
def check_host(host, port):
    if not counts.has_key(host):
        counts[host] = 1
    elif counts[host] >= 5:
        if not banned.has_key(host):
            dns   = os.popen('/usr/bin/host %s' % host)
            line  = dns.readline()
            match = re.search('has address (.+)', line[:-1])
            if not match or not banned.has_key(match.group(1)):
                if match:
                    banned[match.group(1)] = True
                ban(host, port)
            banned[host] = True
    else:
        counts[host] += 1
 
fd = open(sys.argv[2])
for line in fd:
    match = re.search('sshd.+?: Invalid user .+? from (.+)', line)
    if match:
        check_host(match.group(1), 22)
        continue
 
    match = re.search('ftpd.+?: FTP LOGIN FAILED FROM (.+?), .+', line)
    if match:
        check_host(match.group(1), 21)
        continue
 
fd.close()