append to .htaccess file

jriggs420

Programmer
Sep 30, 2005
116
US
I have a relatively small, but aggravating problem on my apache server. Some script kiddie somewhere keeps trying to telnet into my server with a very crude brute force prog. I see it in my auth.log file as
Code:
Jul 24 14:17:03 localhost sshd[4506]: Illegal user amanda from 218.202.223.244
Jul 24 14:17:05 localhost sshd[4510]: Illegal user rpm from 218.202.223.244
Jul 24 14:17:07 localhost sshd[4512]: Illegal user operator from 218.202.223.244
Jul 24 14:17:10 localhost sshd[4514]: Illegal user sgi from 218.202.223.244
Jul 24 14:17:15 localhost sshd[4518]: Illegal user users from 218.202.223.244
Jul 24 14:17:17 localhost sshd[4520]: Illegal user admins from 218.202.223.244
Jul 24 14:17:19 localhost sshd[4522]: Illegal user admins from 218.202.223.244
Jul 24 14:17:31 localhost sshd[4532]: Illegal user shutdown from 218.202.223.244
Jul 24 14:17:34 localhost sshd[4534]: Illegal user halt from 218.202.223.244
Jul 24 14:17:39 localhost sshd[4538]: Illegal user smmsp from 218.202.223.244
...and so on, the list must be enormous because this will continue until I add a 'deny from 123.123.12.12' entry to the .htaccess file. The IP is always different.

I'm thinking about setting up a cron script to automatically add this line to my .htaccess file. That shouldn't be too hard. But before I proceed, I wanted to see if anyone had any thoughts, or a better way to address this. TIA-

Joe

Because a thing seems difficult for you, do not think it impossible for anyone to accomplish.
Marcus Aurelius
 
Maybe you can use allow from 'xxx.xxx.xxx.xxx' instead?
 
Thanks for the links guys. The module seemed a bit like overkill for what I was going for, but it's good to know about in case I ever get really creative with this. It was a slow day at work, so I went ahead and did the script I was talking about. I'd like to put it up here for any critiques you might have. As expected, it's pretty straightforward.
Code:
#!/usr/bin/perl -w
use strict;

# Collect the source address of every "Illegal user" line in auth.log,
# drop duplicates, and append a "deny from" entry to .htaccess for each
# address not already recorded in banned_ips.

open(my $in, '<', 'auth.log') || die "auth.log: $!";
my @log = <$in>;
close($in);

my %saw;    # remove dups
foreach my $ln (@log) {
    # dont know of any other errors that use this syntax, regex ok?
    # The address is taken from the "from <ip>" field at the end of the
    # line rather than the first dotted quad anywhere in it, so a username
    # that happens to look like an address is not mistaken for the source.
    if ($ln =~ /Illegal user \S+ from (\d{1,3}(?:\.\d{1,3}){3})\s*$/) {
        $saw{$1} = 1;
    }
}
my @out = sort keys %saw;

# Addresses written on earlier runs.
my @onlist;
if (open(my $iplist, '<', 'banned_ips')) {
    @onlist = <$iplist>;
    close($iplist);
} else {
    warn 'banned_ips not found';
}
chomp @onlist;

# Array difference (after perldoc -q intersection), but one-way: addresses
# in the log that are not yet on the list. A symmetric difference would
# re-add every old entry as soon as auth.log rotates.
my %onlist = map { $_ => 1 } @onlist;
my @difference = grep { !$onlist{$_} } @out;

if (@difference) {
    open(my $block,  '>>', '.htaccess')  || die ".htaccess: $!";
    open(my $iplist, '>>', 'banned_ips') || die "banned_ips: $!";
    for (@difference) {
        print $block  "deny from $_\n";
        print $iplist "$_\n";
    }
    close($iplist);
    close($block);
}
#print "@onlist\n";
#print "@out\n";
Works fine on my system, haven't had the chance to do much testing, but actual_results=expected_results, which is a start. This will probably be a cron script maybe every hour or so.

Couldn't think of an elegant way to get rid of the 'banned_ips' file. And the array difference part came straight from perldoc -q intersection. I welcome any suggestions, improvements, or gripes about this code. It's all about the learning process for me-

Because a thing seems difficult for you, do not think it impossible for anyone to accomplish.
Marcus Aurelius
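The same log-to-.htaccess job as the script above, written as an added example (this is not the poster's code or anything from the thread). It keeps the thread's flow, parse auth.log, diff against a banned_ips record, append "deny from" lines, and adds the checks a reviewer would ask for: the address is read only from the "from <ip>" field, so an attacker-chosen login name that looks like an address is never banned; each candidate is validated with the ipaddress module so junk such as 999.1.1.1 is dropped; an address is banned only after a threshold of failures; and nothing already on the list is written twice. The sample log is constructed for the example (the 218.202.223.244 lines are copied from the thread, the rest use documentation address ranges), and the "Invalid user" wording is the form later OpenSSH releases use for the same event.

```python
"""Build .htaccess "deny from" entries from sshd auth.log lines.

Added example, not code from the original thread.  Sample log lines are
constructed; only the 218.202.223.244 entries come from the thread.
"""
import ipaddress
import re
from collections import Counter

# "Illegal user" is the wording in the thread's log; later OpenSSH releases
# log "Invalid user ... from <ip> port <n>".  Only the address that follows
# "from" is captured, and it must be followed by whitespace or end of line,
# so a login name that looks like an address (see the 10.0.0.9 line below)
# is never taken as the source.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user \S+ from (\d{1,3}(?:\.\d{1,3}){3})(?=\s|$)"
)

# Constructed sample input.
SAMPLE_AUTH_LOG = """\
Jul 24 14:17:03 localhost sshd[4506]: Illegal user amanda from 218.202.223.244
Jul 24 14:17:05 localhost sshd[4510]: Illegal user rpm from 218.202.223.244
Jul 24 14:17:07 localhost sshd[4512]: Illegal user operator from 218.202.223.244
Jul 24 14:17:10 localhost sshd[4514]: Illegal user 10.0.0.9 from 203.0.113.7
Jul 24 14:17:12 localhost sshd[4516]: Invalid user test from 198.51.100.23 port 4022
Jul 24 14:17:13 localhost sshd[4517]: Illegal user guest from 999.1.1.1
Jul 24 14:17:14 localhost sshd[4519]: Accepted publickey for joe from 192.0.2.10 port 51022 ssh2
"""


def failed_logins(lines):
    """Return a Counter of failed-login attempts keyed by valid source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:          # an octet above 255 or similar junk
            continue
        counts[str(ip)] += 1
    return counts


def addresses_to_ban(lines, already_banned, threshold=3):
    """Addresses at or above the threshold that are not yet in already_banned."""
    counts = failed_logins(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in already_banned)


def htaccess_lines(addresses):
    """Apache 2.2 mod_authz_host syntax, as used in the thread."""
    return [f"deny from {ip}" for ip in addresses]


def update_ban_files(auth_log, banned_ips, htaccess, threshold=3):
    """Append new offenders to both files and return the addresses added.

    banned_ips plays the same role as in the Perl script: it records what has
    already been written, so a rotated auth.log does not cause repeats and an
    old entry is never re-added.
    """
    try:
        with open(banned_ips) as fh:
            already = {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        already = set()
    with open(auth_log) as fh:
        new = addresses_to_ban(fh, already, threshold)
    if new:
        with open(htaccess, "a") as ht, open(banned_ips, "a") as bl:
            for line, ip in zip(htaccess_lines(new), new):
                ht.write(line + "\n")
                bl.write(ip + "\n")
    return new


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        with open(log, "w") as fh:
            fh.write(SAMPLE_AUTH_LOG)
        ht = os.path.join(d, ".htaccess")
        bl = os.path.join(d, "banned_ips")
        print("first run :", update_ban_files(log, bl, ht))
        print("second run:", update_ban_files(log, bl, ht))
        with open(ht) as fh:
            print(fh.read().strip())
```

Two caveats for anyone dropping this into cron. The `deny from` form is Apache 2.2 syntax; on Apache 2.4 the equivalent is `Require not ip <address>` inside a `<RequireAll>` block. And entries in .htaccess are only consulted by Apache for HTTP requests, so while they keep those addresses off the web server they do nothing about the sshd attempts themselves; a host firewall rule built from the same list would.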
 
Follow up:

So now I have a list of about 200 IPs which are up to no good on the internet. I would like to report them to the proper ISP, but would rather not have to search them out manually (and maybe even send an email). Does anyone know of a script/app that can do this? I've not had any luck so far...
 