Depends;
geoip-bin
ipcalc
whois (not sure if that's standard.)
So I was getting a bit fed up with this:
fail2ban wrote:
2014-07-17 07:48:41,163 fail2ban.actions: WARNING [ssh] Ban 222.186.34.116
2014-07-17 07:49:14,292 fail2ban.actions: WARNING [ssh] Ban 212.65.7.142
2014-07-17 08:01:19,117 fail2ban.actions: WARNING [ssh] Ban 183.57.57.161
2014-07-17 08:09:37,681 fail2ban.actions: WARNING [ssh] Ban 61.144.43.235
So I wrote this little scratty script.
Actually written as a two parter, my colleague said he was going to do the script finding the bad IP.
It has input piped to it, hopefully from this other script.
Code:
echo cra.ppy.CN.ip | ./ipkill
Code:
bin/ipkill <<< 183.57.57.163
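Code:
#!/bin/bash
## ipkill -
## Subnet killer
# Read one IPv4 address from stdin (piped in from the finder script).
read -r IP
# Refuse anything that is not a dotted quad before handing it to other tools.
if ! [[ $IP =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    echo "Not an IPv4 address: $IP" >&2
    exit 1
fi
echo "This IP is reportedly from:$(geoiplookup "$IP" | cut -d "," -f 2)!"
WHODAT=$(whois "$IP")
# First inetnum line only; whois output can contain more than one.
RANGE=$(echo "$WHODAT" | grep -m 1 inetnum: | cut -d ':' -f 2)
if [ -z "$RANGE" ]; then
    echo "No inetnum range in the whois output for $IP" >&2
    exit 1
fi
echo $RANGE
# $RANGE stays unquoted so ipcalc receives "start - end" as separate arguments.
KILZN=$(ipcalc $RANGE | tail -n 1)
echo "Last chance to hit Ctrl-C before I kill $KILZN?"
sleep 3s
# Only report success if the route was actually added.
route add -net "$KILZN" gw 127.0.0.1 && echo "$KILZN null-routed."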
- Comments:
- Tried to put a confirmation on there; failed. So just paused it (once I know it's from China or Ukraine it's a done deal anyway - sorry to 1/3 the population of the world)
- Might be a nicer/neater way to pull the info, `cut` seems easier to use than awk here.
- No error checking or anything like that.
- I should work on the antidote script too 8)
- Perhaps might have to work on doing multiple entries, or a list in a file anyway.
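
The script above keeps only the last line that ipcalc prints (`tail -n 1`), but a whois `inetnum` range does not always fit in a single CIDR block, so a range that splits into several blocks would be only partly covered. As an added example (not the poster's code; the function names `ip2int`, `int2ip` and `range2cidr` are hypothetical and the 192.0.2.x range is constructed), this splits a "start - end" range into every CIDR block that covers it, without needing ipcalc:

```bash
#!/bin/bash
# Added example, not part of the original post. Function names are hypothetical.

# Dotted quad -> 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr START END: print one CIDR block per line, lowest address first.
range2cidr() {
    local start end size bits s
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    if [ "$start" -gt "$end" ]; then
        echo "range start is above range end" >&2
        return 1
    fi
    while [ "$start" -le "$end" ]; do
        # Largest block aligned on start: its lowest set bit (2^32 for 0.0.0.0) ...
        size=$(( start & -start ))
        if [ "$size" -eq 0 ]; then size=$(( 1 << 32 )); fi
        # ... halved until the block no longer runs past end.
        while [ $(( start + size - 1 )) -gt "$end" ]; do
            size=$(( size >> 1 ))
        done
        # Prefix length is 32 - log2(size).
        bits=0; s=$size
        while [ "$s" -gt 1 ]; do
            s=$(( s >> 1 )); bits=$(( bits + 1 ))
        done
        echo "$(int2ip "$start")/$(( 32 - bits ))"
        start=$(( start + size ))
    done
}

# Constructed sample range that does not fit one CIDR block.
range2cidr 192.0.2.0 192.0.2.5
```

Each line of output can be fed to its own `route add -net` call, so the whole range is covered rather than just its last block.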