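#!/usr/bin/env bash
# Block every source address that has more than $THRESHOLD (default 30)
# "Failed password" lines in /var/log/auth.log by inserting an iptables DROP
# rule on the INPUT chain, skipping addresses that already have one.
# Also (re)applies the addresses listed in /root/addmore (manual additions)
# and /root/.lastipdrop (the previous run's DROP list, so a flushed table is
# restored on the next run), appends a timestamped snapshot of the DROP list
# to /root/.ipdroplist and rewrites /root/.lastipdrop.
#
# Requires root (reads auth.log, modifies iptables). Scratch files live in a
# mktemp directory instead of fixed /root paths and are removed on any exit.
set -euo pipefail

readonly LOG=/var/log/auth.log
readonly ADDMORE=/root/addmore
readonly LASTDROP=/root/.lastipdrop
readonly HISTORY=/root/.ipdroplist
readonly IFACE=eth0
# Failed-login count above which an address is blocked; overridable from the
# environment, must be a non-negative integer.
THRESHOLD=${THRESHOLD:-30}
[[ "$THRESHOLD" =~ ^[0-9]+$ ]] || { printf 'THRESHOLD must be an integer: %s\n' "$THRESHOLD" >&2; exit 1; }

scratch=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -rf -- "$scratch"' EXIT
badiptemp=$scratch/badiptemp
badip=$scratch/badip
currentlyblocked=$scratch/currentlyblocked

# Returns 0 when $1 is a dotted-quad IPv4 address. Everything that reaches
# iptables comes from log text or list files, so it is validated first.
is_ipv4() {
  [[ $1 =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
}

# Prints the source column of every DROP rule, one per line.
current_drops() {
  /sbin/iptables -nL | awk '/DROP/ {print $4}'
}

# One pass over the log: count "Failed password" lines per source address.
# The address is the token before the LAST "port" word ("... from ADDR port N
# ssh2"), scanning from the right so that a username containing "from"/"port"
# cannot shift which token is counted. Exact key match means 10.0.0.1 does
# not absorb 10.0.0.10's lines (the old substring grep did), and only failed
# lines are counted, not every line mentioning the address.
awk -v max="$THRESHOLD" '
  /Failed password/ {
    n = split($0, w, " ")
    for (i = n; i > 1; i--) {
      if (w[i] == "port") { count[w[i-1]]++; break }
    }
  }
  END { for (ip in count) if (count[ip] > max) print ip }
' "$LOG" > "$badiptemp"

# Additional address lists; either may be absent (e.g. on the first run).
for extra in "$ADDMORE" "$LASTDROP"; do
  if [[ -f "$extra" ]]; then
    cat -- "$extra" >> "$badiptemp"
  fi
done

# Deduplicate the candidate list and snapshot what is already dropped.
sort -ub -- "$badiptemp" > "$badip"
current_drops > "$currentlyblocked"

# Add a DROP rule for each candidate that is not already present. -Fx gives a
# whole-line literal match, so an existing 10.0.0.1 rule no longer hides
# 10.0.0.11. The echoed status strings are unchanged for existing consumers.
while IFS= read -r ip2 || [[ -n "$ip2" ]]; do
  [[ -n "$ip2" ]] || continue
  if ! is_ipv4 "$ip2"; then
    printf 'skipping non-IPv4 entry: %s\n' "$ip2" >&2
    continue
  fi
  if grep -Fxq -- "$ip2" "$currentlyblocked"; then
    echo "$ip2 ALREADY IN IPTABLES DROP"
  else
    echo "$ip2 BEING ADDED TO IPTABLES DROP"
    /sbin/iptables -I INPUT -i "$IFACE" -s "$ip2" -d 0.0.0.0/0 -j DROP
  fi
done < "$badip"

# Append a backup of the DROP list: blank separator line, timestamp, entries.
# A date format string replaces parsing `date` output, which is locale-dependent.
TIME=$(date '+%b_%d_%T_%Y')
{
  printf '\n%s\n' "$TIME"
  current_drops
} >> "$HISTORY"

# Keep only the latest DROP list so it can be re-applied if iptables is cleared.
current_drops > "$LASTDROP"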