denyhackers.py

If you have an internet-facing host running Ubuntu, you might benefit from running this script every hour from root's crontab (it reads the system logs and appends to `/etc/hosts.deny`, so it needs root). Two caveats before relying on it: `/etc/hosts.deny` is only honoured by services built against TCP Wrappers (libwrap) — Postfix does not consult it, and recent Ubuntu releases ship an sshd without libwrap support, so check with `ldd "$(command -v sshd)" | grep libwrap` and fall back to ufw or fail2ban rules if it prints nothing. Also, the script blocks the source of every packet UFW has dropped (which can include hosts on your own network) and never expires an entry, so review what it writes before leaving it unattended.

#!/usr/bin/python
"""denyhackers"""

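import errno
import io
import re
import socket

# Log patterns.  Group 1 of each is the offending source address.
#
# Literal brackets are escaped: an unescaped `[...]` is a character class, so
# the original `smtpd[\d+]: warning: unknown[(\S+)]` pattern could never match
# (and had no group to read) and `[UFW BLOCK]` only matched by accident.
DENY_ENTRY_RE = re.compile(r'ALL: (\S+)')
# sshd: "Invalid user <name> from <ip> port <n>".  <name> is attacker supplied
# and may contain spaces, so it is matched greedily: sshd always appends the
# genuine " from <ip> port <n>" last, which defeats a name crafted as
# "x from <victim-ip> port 22" that would otherwise get the victim blocked.
SSHD_INVALID_USER_RE = re.compile(r'Invalid user .* from (\S+) port \d+')
# pam_unix: "authentication failure; ... ruser=<r> rhost=<ip>  user=<u>".
# ruser is usually empty for sshd (the original `ruser=(\S+)` skipped those
# lines).  The attacker-controlled user= field follows rhost, so the match is
# lazy to take the first ruser/rhost pair rather than an injected later one.
PAM_AUTH_FAILURE_RE = re.compile(r'authentication failure.*? ruser=\S* rhost=(\S+)')
# postfix: "postfix/smtpd[<pid>]: warning: <host>[<ip>]: SASL <mech> authentication failed"
POSTFIX_SASL_RE = re.compile(
    r'postfix/smtpd\[\d+\]: warning: \S+\[([^\]]+)\]: SASL \S+ authentication failed')
# ufw (rsyslog writes these to both ufw.log and kern.log): "[UFW BLOCK] ... SRC=<ip> ..."
UFW_BLOCK_RE = re.compile(r'\[UFW BLOCK\] .* SRC=(\S+)')

# (log path, patterns to try on each line) in the order they are scanned.
LOG_SOURCES = (
    ('/var/log/auth.log', (SSHD_INVALID_USER_RE, PAM_AUTH_FAILURE_RE)),
    ('/var/log/mail.log', (POSTFIX_SASL_RE,)),
    ('/var/log/ufw.log', (UFW_BLOCK_RE,)),
    ('/var/log/kern.log', (UFW_BLOCK_RE,)),
)


def _normalize_ip(token):
    """Return *token* as a plain IPv4/IPv6 address string, or None.

    Strips the IPv4-mapped ``::ffff:`` prefix PAM reports for v4 clients and
    rejects anything that is not a syntactically valid address, so a crafted
    log line cannot write arbitrary text into hosts.deny.
    """
    if token.startswith('::ffff:'):
        token = token[len('::ffff:'):]
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, token)
        except (socket.error, OSError, ValueError, UnicodeError):
            continue
        return token
    return None


def _scan_log(path, patterns):
    """Yield group 1 of the first pattern in *patterns* matching each line of *path*.

    A missing or unreadable log (for example no Postfix installed) is skipped
    instead of aborting the whole run.  The file is decoded with
    ``errors='replace'`` because usernames in auth.log are attacker supplied
    and need not be valid UTF-8; a decode error would otherwise crash the job.
    """
    try:
        handle = io.open(path, 'r', encoding='utf-8', errors='replace')
    except (IOError, OSError):
        return
    with handle:
        for line in handle:
            for pattern in patterns:
                match = pattern.search(line)
                if match:
                    yield match.group(1)
                    break


def denyhackers(hosts_deny='/etc/hosts.deny', log_sources=LOG_SOURCES):
    """Append the source address of every logged failed login or UFW drop to hosts.deny.

    Args:
        hosts_deny: TCP Wrappers deny file.  Its existing ``ALL: <addr>``
            entries are read first so nothing is appended twice; a missing
            file is treated as empty, other read errors propagate.
        log_sources: iterable of ``(log_path, patterns)`` pairs, each pattern a
            compiled regex whose group 1 is the offending address.

    Returns:
        The list of addresses appended, in the order written (empty if none).

    Caveats: entries are never expired; the UFW patterns add the source of
    *any* dropped packet, including hosts on your own network; and hosts.deny
    is only consulted by services that use TCP Wrappers.  IPv6 addresses are
    written unbracketed, as the original did.  NOTE(review): confirm your
    libwrap matches them in that form.
    """
    existing = set()
    try:
        dhfile = io.open(hosts_deny, 'r', encoding='utf-8', errors='replace')
    except (IOError, OSError) as err:
        if err.errno != errno.ENOENT:
            raise
    else:
        # Iterate every line: the original read one line ahead and silently
        # skipped the first entry of each file.
        with dhfile:
            for line in dhfile:
                match = DENY_ENTRY_RE.search(line)
                if match:
                    existing.add(match.group(1))

    added = []
    for path, patterns in log_sources:
        for token in _scan_log(path, patterns):
            ipaddr = _normalize_ip(token)
            if ipaddr is None or ipaddr in existing:
                continue
            existing.add(ipaddr)
            added.append(ipaddr)

    if added:
        with io.open(hosts_deny, 'a', encoding='utf-8') as denyfile:
            for ipaddr in added:
                denyfile.write(u'ALL: ' + ipaddr + u'\n')
                print('adding ' + ipaddr)
    return added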

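# Only run when executed as a script, so importing the module (for tests or
# reuse of the log patterns) does not scan the logs or touch /etc/hosts.deny.
if __name__ == '__main__':
    denyhackers()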