Ad-Hoc Analysis of /var/log/secure
The /var/log/secure file contains a record of authentication and authorization activity on the system (sshd logins, sudo, PAM events). It can be an invaluable resource for intrusion detection and prevention. Below are a few simple examples that show how /var/log/secure can be used to identify and block hosts that repeatedly fail to log in.
The following command will extract a list of IPs behind more than ten failed login attempts:
for ip in $(egrep "(Illegal|Invalid) user" /var/log/secure | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -u) ; do echo -e "${ip}\t$(grep -Fwc "${ip}" /var/log/secure)"; done | sort -rn -k2 | awk '$2>10'
Using “zegrep” and “/var/log/secure*” will search through all rotated/compressed instances of the /var/log/secure file:
for ip in $(zegrep "(Illegal|Invalid) user" /var/log/secure* | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -u) ; do echo -e "${ip}\t$(zcat -f /var/log/secure* | grep -Fwc "${ip}")"; done | sort -rn -k2 | awk '$2>10'
The example below will show you the countries associated with the offending IPs. You will need to install the GeoIP package (current version is GeoIP-1.5.1-5.el6.x86_64):
for ip in $(zegrep "(Illegal|Invalid) user" /var/log/secure* | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -u) ; do echo -e "${ip}\t$(zcat -f /var/log/secure* | grep -Fwc "${ip}")"; done | sort -rn -k2 | awk '$2>10' | while read ip n ; do c=$(geoiplookup "${ip}" | grep Country | grep -oE "[A-Z]{2}," | tr -d ,) ; echo -e "${ip}\t${c:-??}\t${n}" ; done
Sample output:
62.2.85.57      CH  91
81.30.158.183   DE  83
8.254.73.28     US  80
91.194.84.124   DE  50
95.128.184.62   MK  42
You can use the iptables firewall to automatically block the offending IP addresses. The command below checks the current ruleset (iptables -S) first, so no duplicate DROP rules are created on repeated runs:
for ip in $(zegrep "(Illegal|Invalid) user" /var/log/secure* | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -u) ; do echo -e "${ip}\t$(zcat -f /var/log/secure* | grep -Fwc "${ip}")"; done | sort -rn -k2 | awk '$2>10' | while read ip n ; do c=$(geoiplookup "${ip}" | grep Country | grep -oE "[A-Z]{2}," | tr -d ,) ; echo -e "${ip}\t${c:-??}\t${n}" ; done | while read ip c n ; do if [ "$(/sbin/iptables -S | grep -c -- "-s ${ip}/32 .*-j DROP")" -eq 0 ] ; then echo "Banning ${ip} from ${c} after ${n} failed login attempts" ; /sbin/iptables -A INPUT -s "${ip}" -j DROP ; fi ; done ; /sbin/service iptables save
Sample output:
Banning 62.2.85.57 from CH after 91 failed login attempts
Banning 81.30.158.183 from DE after 83 failed login attempts
Banning 8.254.73.28 from US after 80 failed login attempts
Banning 91.194.84.124 from DE after 50 failed login attempts
Banning 95.128.184.62 from MK after 42 failed login attempts
Finally, it may be a good idea to exclude your server’s own subnets (the /24 of every non-loopback address ifconfig reports) from this process lest you accidentally ban yourself:
for ip in $(zegrep "(Illegal|Invalid) user" /var/log/secure* | grep -Eo "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort -u) ; do echo -e "${ip}\t$(zcat -f /var/log/secure* | grep -Fwc "${ip}")"; done | sort -rn -k2 | awk '$2>10' | while read ip n ; do c=$(geoiplookup "${ip}" | grep Country | grep -oE "[A-Z]{2}," | tr -d ,) ; echo -e "${ip}\t${c:-??}\t${n}" ; done | grep -Evf <(/sbin/ifconfig | sed -En 's/127\.0\.0\.1//;s/.*inet (addr:)?(([0-9]+\.){3}[0-9]+).*/\2/p' | cut -d. -f1-3 | sed 's/\./\\./g;s/^/^/;s/$/\\./') | while read ip c n ; do if [ "$(/sbin/iptables -S | grep -c -- "-s ${ip}/32 .*-j DROP")" -eq 0 ] ; then echo "Banning ${ip} from ${c} after ${n} failed login attempts" ; /sbin/iptables -A INPUT -s "${ip}" -j DROP ; fi ; done ; /sbin/service iptables save
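The same pipeline in Python, added here as an example and not part of the original post: it counts the sshd failure lines per source IP, applies the "more than ten" threshold, excludes the server's own subnet (passed in as 192.168.1.0/24 instead of being read from ifconfig) and works out which DROP rules are still missing from iptables -S output, so no duplicate rule is added. The log lines and ruleset are constructed sample data; the geoiplookup step is left out.

```python
import ipaddress
import re
from collections import Counter

# Matches the sshd failure lines the article greps for and captures the source IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) \S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)

def failed_logins_by_ip(lines, local_nets=(), threshold=10):
    """Per-IP failed-login counts above threshold, excluding the server's own nets."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    nets = [ipaddress.ip_network(n) for n in local_nets]
    offenders = {}
    for ip, n in counts.items():
        if n <= threshold:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # "999.1.2.3" also matches \d{1,3}; skip junk
            continue
        if any(addr in net for net in nets):
            continue
        offenders[ip] = n
    return dict(sorted(offenders.items(), key=lambda kv: -kv[1]))

def new_drop_rules(offenders, iptables_s_output):
    """Return the INPUT DROP rules not already present in `iptables -S` output."""
    already = set(re.findall(r"-s (\S+?)(?:/32)? -j DROP", iptables_s_output))
    return [f"-A INPUT -s {ip} -j DROP" for ip in offenders if ip not in already]

def _line(pid, msg):  # constructed /var/log/secure line
    return f"Mar  3 10:01:12 web1 sshd[{pid}]: {msg}"

# Constructed sample: 12 failures from 62.2.85.57, 3 from 81.30.158.183,
# 15 from a host on the server's own /24, and one successful key login.
SAMPLE_LOG = (
    [_line(4021, "Invalid user admin from 62.2.85.57")] * 6
    + [_line(4021, "Failed password for invalid user admin from 62.2.85.57 port 51234 ssh2")] * 6
    + [_line(4030, "Failed password for root from 81.30.158.183 port 40011 ssh2")] * 3
    + [_line(4044, "Invalid user test from 192.168.1.55")] * 15
    + [_line(4050, "Accepted publickey for deploy from 192.168.1.20 port 50022 ssh2")]
)
# Constructed current ruleset: 62.2.85.57 is already banned, so no duplicate rule.
CURRENT_RULES = "-P INPUT ACCEPT\n-A INPUT -s 62.2.85.57/32 -j DROP\n"
```

With the sample data only 62.2.85.57 crosses the threshold, and because it is already in CURRENT_RULES, new_drop_rules() returns nothing to add.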
I hope you find this useful.