#!/bin/ksh
#
# Script to scan logs for bad IP addresses
# Created by: greEd

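# An address is blocked once it appears on more than NUM_TRIES log lines.
NUM_TRIES=7
AUTHLOG=/var/log/authlog
PF_TABLE=kiddies

# Scratch files live in a private directory created by mktemp. Fixed names in
# world-writable /var/tmp are unsafe for a script that runs with the
# privileges pfctl needs: another local user could pre-create those paths.
# The lists are therefore no longer left behind in /var/tmp; the pf table
# itself keeps the accumulated state, because -T add only ever adds entries.
umask 077
WORKDIR=$(mktemp -d /var/tmp/blockers.XXXXXXXXXX) || exit 1
trap 'rm -rf -- "$WORKDIR"' EXIT
trap 'exit 1' HUP INT TERM

# source_addresses: read sshd log lines on stdin, print the unique source
# addresses they name, one per line.
#
# The log line embeds the user name supplied by the remote client, so fixed
# field positions ($10, $11) are not trustworthy: a name containing
# whitespace shifts every later field. The address is taken from the token
# after the final "from", which sshd appends after the user name, and is
# kept only if it looks like an IPv4 or IPv6 address. That keeps arbitrary
# log text out of the blocklist and out of the grep call in over_threshold.
source_addresses() {
  awk '
    {
      addr = ""
      for (i = NF - 1; i >= 1; i--) {
        if ($i == "from") { addr = $(i + 1); break }
      }
      if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
          (addr ~ /:/ && addr ~ /^[0-9A-Fa-f:.]+$/)) {
        print addr
      }
    }' | sort -u
}

# over_threshold: read candidate addresses on stdin, print those that appear
# on more than NUM_TRIES lines of AUTHLOG.
#
# -F treats the address as a literal string (an unescaped "." would match any
# character), -w stops 1.2.3.4 from also matching 11.2.3.45, and "--" keeps
# the address from being parsed as an option.
# NOTE(review): as in the original, every line naming the address is counted,
# including successful logins. Consider excluding known admin addresses
# before the list reaches pfctl.
over_threshold() {
  while IFS= read -r addr; do
    num=$(grep -F -w -c -- "$addr" "$AUTHLOG")
    if [ "${num:-0}" -gt "$NUM_TRIES" ]; then
      printf '%s\n' "$addr"
    fi
  done
}

# Sources of attempts against accounts that do not exist.
grep 'Invalid user' "$AUTHLOG" \
  | source_addresses \
  | over_threshold > "$WORKDIR/invalid_users.list"

# Sources of failed password attempts against existing accounts.
grep 'Failed password for' "$AUTHLOG" \
  | grep -v 'invalid user' \
  | source_addresses \
  | over_threshold > "$WORKDIR/failed_passwords.list"

# Merge both lists. The original ran "cat FILE | sort -u > FILE", which
# truncates FILE before it is read and usually leaves it empty; sorting into
# a separate output file avoids that.
sort -u "$WORKDIR/invalid_users.list" "$WORKDIR/failed_passwords.list" \
  > "$WORKDIR/blockers.list"

pfctl -t "$PF_TABLE" -vTadd -f "$WORKDIR/blockers.list"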

