Processing btmp with PHP for iptables


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
# 1  
Processing btmp with PHP for iptables

On linux, lastb is the same as last, except that by default lastb shows a log of the /var/log/btmp file, which contains all the bad login attempts.

This file grows large quickly (sometimes over 100K entries or more in a day) with the constant brute force login attempts, especially by IP addresses from China, but they can be from anywhere.

Today, I wrote this quick PHP file for cron to save me time doing the analysis and creating a file to block these hacking IP nets:

Code:
<?php
$myfile = '/var/log/apache2/cronblocklogs.txt';
$limit = 9;  // will make this a bit larger later
$output = shell_exec('lastb | sort -k 3');
$ipsn[] = '0.0.0.0';
if (file_exists($myfile)) {
    $listnow = file_get_contents($myfile);

    foreach (preg_split("/((\r?\n)|(\r\n?))/", $listnow) as $line) {
        if ($line) {
            $array = preg_split('/\s+/', $line);
            $cidr = preg_split("/\//", $array[4]);
            $ipsn[] = $cidr[0];
            // echo $cidr[0]."\n";
        }
    }
}
foreach (preg_split("/((\r?\n)|(\r\n?))/", $output) as $line) {
    if ($line && strpos($line, 'begin') === false) {
        $array = preg_split('/\s+/', $line);
        $ips[] = $array[2];
    }
}
$unique = array_count_values($ips);
$blocklist = '';
foreach ($unique as $ip => $count) {
    if (in_array($ip, $ipsn)) {
        continue;
    }

    $who = shell_exec('whois ' . $ip);
    $country = '';
    $descr = '';
    //echo $who;
    foreach (preg_split("/((\r?\n)|(\r\n?))/", $who) as $string) {
        if (stripos($string, 'Country:') !== false && $country == '') {
            $stuff = preg_split('/\s+/', $string);
            $country = $stuff[1];
        }
        if (stripos($string, 'netname:') !== false && $descr == '') {
            $stuff = preg_split('/\s+/', $string);
            $descr = $stuff[1];
        }
    }
    if ($count > $limit) {
        $blocklist .= 'iptables -A INPUT -s ' . $ip . '/24  -j DROP #  btmp count ' . $count . ' Country: ' . $country . ' desc ' . $descr . "\n";
    }
}
if (strlen($blocklist) > 10) {
    $myfile = file_put_contents($myfile, $blocklist . PHP_EOL, FILE_APPEND | LOCK_EX);
 //  echo $blocklist;
}

This PHP file reads the existing blockfile (in this case 'cronblocklogs.txt') and the btmp file. Then checks if any IP address in the btmp file has more than some limit (in this case 10) and if it does not already have an entry in the blockfile, adds it and blocks the IP /24. It also does a whois on the IP address and extracts some strings for reference.

It's not very fancy, but it is helpful.

I know there are other ways and packages to do similar things, but sometimes I like to write my own scripts so I have control over what is happening... and do it myyyyyy wayyyyy Smilie

Sample input:

Code:
$ lastb
admin    ssh:notty    31.18.163.6      Mon Dec 24 01:07 - 01:07  (00:00)
admin    ssh:notty    31.18.163.6      Mon Dec 24 01:07 - 01:07  (00:00)
admin    ssh:notty    31.18.163.6      Mon Dec 24 01:07 - 01:07  (00:00)
admin    ssh:notty    31.18.163.6      Mon Dec 24 01:06 - 01:06  (00:00)
admin    ssh:notty    31.18.163.6      Mon Dec 24 01:06 - 01:06  (00:00)
admin    ssh:notty    31.18.163.6      Mon Dec 24 01:06 - 01:06  (00:00)
admin    ssh:notty    31.18.163.6      Mon Dec 24 01:06 - 01:06  (00:00)
root     ssh:notty    58.228.163.14    Mon Dec 24 00:49 - 00:49  (00:00)
root     ssh:notty    58.228.163.14    Mon Dec 24 00:49 - 00:49  (00:00)
root     ssh:notty    58.228.163.14    Mon Dec 24 00:49 - 00:49  (00:00)
root     ssh:notty    58.228.163.14    Mon Dec 24 00:49 - 00:49  (00:00)
root     ssh:notty    58.228.163.14    Mon Dec 24 00:49 - 00:49  (00:00)
root     ssh:notty    58.228.163.14    Mon Dec 24 00:49 - 00:49  (00:00)
sdtd     ssh:notty    219.93.20.155    Mon Dec 24 00:21 - 00:21  (00:00)
sdtd     ssh:notty    219.93.20.155    Mon Dec 24 00:21 - 00:21  (00:00)
xxx      ssh:notty    219.93.20.155    Mon Dec 24 00:17 - 00:17  (00:00)
xxx      ssh:notty    219.93.20.155    Mon Dec 24 00:17 - 00:17  (00:00)
testuser ssh:notty    219.93.20.155    Mon Dec 24 00:13 - 00:13  (00:00)
testuser ssh:notty    219.93.20.155    Mon Dec 24 00:13 - 00:13  (00:00)
uftp     ssh:notty    210.129.184.15   Mon Dec 24 00:13 - 00:13  (00:00)
uftp     ssh:notty    210.129.184.15   Mon Dec 24 00:13 - 00:13  (00:00)
git      ssh:notty    210.129.184.15   Mon Dec 24 00:09 - 00:09  (00:00)
git      ssh:notty    210.129.184.15   Mon Dec 24 00:09 - 00:09  (00:00)
gerrit2  ssh:notty    219.93.20.155    Mon Dec 24 00:07 - 00:07  (00:00)
gerrit2  ssh:notty    219.93.20.155    Mon Dec 24 00:07 - 00:07  (00:00)
test     ssh:notty    210.129.184.15   Mon Dec 24 00:06 - 00:06  (00:00)
test     ssh:notty    210.129.184.15   Mon Dec 24 00:06 - 00:06  (00:00)
eagle    ssh:notty    219.93.20.155    Mon Dec 24 00:03 - 00:03  (00:00)
eagle    ssh:notty    219.93.20.155    Mon Dec 24 00:03 - 00:03  (00:00)
zi       ssh:notty    210.129.184.15   Mon Dec 24 00:02 - 00:02  (00:00)
zi       ssh:notty    210.129.184.15   Mon Dec 24 00:02 - 00:02  (00:00)
admin    ssh:notty    180.156.142.30   Sun Dec 23 23:50 - 23:50  (00:00)
admin    ssh:notty    180.156.142.30   Sun Dec 23 23:50 - 23:50  (00:00)
admin    ssh:notty    180.156.142.30   Sun Dec 23 23:50 - 23:50  (00:00)
admin    ssh:notty    180.156.142.30   Sun Dec 23 23:50 - 23:50  (00:00)
admin    ssh:notty    180.156.142.30   Sun Dec 23 23:50 - 23:50  (00:00)
admin    ssh:notty    180.156.142.30   Sun Dec 23 23:50 - 23:50  (00:00)
admin    ssh:notty    180.156.142.30   Sun Dec 23 23:50 - 23:50  (00:00)
admin    ssh:notty    5.101.40.81      Sun Dec 23 23:49 - 23:49  (00:00)
admin    ssh:notty    5.101.40.81      Sun Dec 23 23:49 - 23:49  (00:00)
testuser ssh:notty    103.9.159.59     Sun Dec 23 23:40 - 23:40  (00:00)
testuser ssh:notty    103.9.159.59     Sun Dec 23 23:40 - 23:40  (00:00)
admin    ssh:notty    219.156.118.112  Sun Dec 23 23:39 - 23:39  (00:00)
admin    ssh:notty    219.156.118.112  Sun Dec 23 23:39 - 23:39  (00:00)
admin    ssh:notty    219.156.118.112  Sun Dec 23 23:39 - 23:39  (00:00)
admin    ssh:notty    219.156.118.112  Sun Dec 23 23:39 - 23:39  (00:00)
admin    ssh:notty    219.156.118.112  Sun Dec 23 23:39 - 23:39  (00:00)
admin    ssh:notty    219.156.118.112  Sun Dec 23 23:39 - 23:39  (00:00)
admin    ssh:notty    219.156.118.112  Sun Dec 23 23:39 - 23:39  (00:00)
user0    ssh:notty    206.189.147.136  Sun Dec 23 23:37 - 23:37  (00:00)
user0    ssh:notty    206.189.147.136  Sun Dec 23 23:37 - 23:37  (00:00)
iw       ssh:notty    103.9.159.59     Sun Dec 23 23:36 - 23:36  (00:00)
iw       ssh:notty    103.9.159.59     Sun Dec 23 23:36 - 23:36  (00:00)
marcus   ssh:notty    206.189.147.136  Sun Dec 23 23:32 - 23:32  (00:00)
marcus   ssh:notty    206.189.147.136  Sun Dec 23 23:32 - 23:32  (00:00)
king     ssh:notty    103.9.159.59     Sun Dec 23 23:31 - 23:31  (00:00)
king     ssh:notty    103.9.159.59     Sun Dec 23 23:31 - 23:31  (00:00)
hc       ssh:notty    211.159.178.221  Sun Dec 23 23:30 - 23:30  (00:00)
hc       ssh:notty    211.159.178.221  Sun Dec 23 23:30 - 23:30  (00:00)
gpadmin  ssh:notty    206.189.147.136  Sun Dec 23 23:28 - 23:28  (00:00)
gpadmin  ssh:notty    206.189.147.136  Sun Dec 23 23:28 - 23:28  (00:00)
ts3      ssh:notty    211.159.178.221  Sun Dec 23 23:28 - 23:28  (00:00)
ts3      ssh:notty    211.159.178.221  Sun Dec 23 23:27 - 23:27  (00:00)
srvback  ssh:notty    103.9.159.59     Sun Dec 23 23:27 - 23:27  (00:00)
srvback  ssh:notty    103.9.159.59     Sun Dec 23 23:27 - 23:27  (00:00)
vps      ssh:notty    130.105.68.200   Sun Dec 23 23:26 - 23:26  (00:00)
vps      ssh:notty    130.105.68.200   Sun Dec 23 23:26 - 23:26  (00:00)
mysql    ssh:notty    206.189.147.136  Sun Dec 23 23:24 - 23:24  (00:00)
sahil    ssh:notty    130.105.68.200   Sun Dec 23 23:23 - 23:23  (00:00)
sahil    ssh:notty    130.105.68.200   Sun Dec 23 23:23 - 23:23  (00:00)
backup   ssh:notty    103.9.159.59     Sun Dec 23 23:22 - 23:22  (00:00)
user     ssh:notty    206.189.147.136  Sun Dec 23 23:20 - 23:20  (00:00)
user     ssh:notty    206.189.147.136  Sun Dec 23 23:20 - 23:20  (00:00)
qu       ssh:notty    130.105.68.200   Sun Dec 23 23:19 - 23:19  (00:00)
qu       ssh:notty    130.105.68.200   Sun Dec 23 23:19 - 23:19  (00:00)
mysql    ssh:notty    139.59.65.128    Sun Dec 23 23:17 - 23:17  (00:00)
roger    ssh:notty    130.105.68.200   Sun Dec 23 23:16 - 23:16  (00:00)
roger    ssh:notty    130.105.68.200   Sun Dec 23 23:16 - 23:16  (00:00)
uftp     ssh:notty    164.67.103.34    Sun Dec 23 23:16 - 23:16  (00:00)
uftp     ssh:notty    164.67.103.34    Sun Dec 23 23:16 - 23:16  (00:00)
boat     ssh:notty    139.59.65.128    Sun Dec 23 23:13 - 23:13  (00:00)
boat     ssh:notty    139.59.65.128    Sun Dec 23 23:12 - 23:12  (00:00)
admin    ssh:notty    130.105.68.200   Sun Dec 23 23:12 - 23:12  (00:00)
admin    ssh:notty    130.105.68.200   Sun Dec 23 23:12 - 23:12  (00:00)
io       ssh:notty    164.67.103.34    Sun Dec 23 23:12 - 23:12  (00:00)
io       ssh:notty    164.67.103.34    Sun Dec 23 23:12 - 23:12  (00:00)
celia    ssh:notty    139.59.65.128    Sun Dec 23 23:09 - 23:09  (00:00)
celia    ssh:notty    139.59.65.128    Sun Dec 23 23:09 - 23:09  (00:00)
rs       ssh:notty    164.67.103.34    Sun Dec 23 23:08 - 23:08  (00:00)
rs       ssh:notty    164.67.103.34    Sun Dec 23 23:08 - 23:08  (00:00)
ramon    ssh:notty    139.59.65.128    Sun Dec 23 23:05 - 23:05  (00:00)
ramon    ssh:notty    139.59.65.128    Sun Dec 23 23:05 - 23:05  (00:00)
ralph    ssh:notty    164.67.103.34    Sun Dec 23 23:05 - 23:05  (00:00)
ralph    ssh:notty    164.67.103.34    Sun Dec 23 23:05 - 23:05  (00:00)
nagios   ssh:notty    164.67.103.34    Sun Dec 23 23:01 - 23:01  (00:00)
nagios   ssh:notty    164.67.103.34    Sun Dec 23 23:01 - 23:01  (00:00)
demo     ssh:notty    139.59.65.128    Sun Dec 23 23:01 - 23:01  (00:00)
demo     ssh:notty    139.59.65.128    Sun Dec 23 23:01 - 23:01  (00:00)

btmp begins Sun Dec 23 23:01:06 2018

Sample Output:

Code:
$ rm cronblocklogs.txt
$ php plastb.php
iptables -A INPUT -s 130.105.68.200/24  -j DROP #  btmp count 10 Country: AU desc APNIC
iptables -A INPUT -s 164.67.103.34/24  -j DROP #  btmp count 10 Country: US desc UCLANET3
iptables -A INPUT -s 219.93.20.155/24  -j DROP #  btmp count 10 Country: MY desc IKIPEDU-TMNET

Also, the file:

Code:
$ cat cronblocklogs.txt
iptables -A INPUT -s 130.105.68.200/24  -j DROP #  btmp count 10 Country: AU desc APNIC
iptables -A INPUT -s 164.67.103.34/24  -j DROP #  btmp count 10 Country: US desc UCLANET3
iptables -A INPUT -s 219.93.20.155/24  -j DROP #  btmp count 10 Country: MY desc IKIPEDU-TMNET

Normally I will apply this manually after reviewing the file and not automatically, as I like keeping the "human in the loop" in these kinds of tasks.

The crontab entry is also pretty simple, running every 30 minutes at the moment:

Code:
*/30 * * * * /usr/bin/nice -n 19 php /usr/local/bin/plastb.php > /dev/null 2>&1

# 2  
Here is the current file created from our little PHP program to process btmp. Note how much brute-force activity is from China.... Smilie

Code:
www:~/logs$ cat btmp_block_logs.txt
iptables -A INPUT -s 111.9.9.193/24  -j DROP #  btmp count 87 Country: CN desc CMNET
iptables -A INPUT -s 113.10.156.129/24  -j DROP #  btmp count 45 Country: HK desc NWTiDC-HK
iptables -A INPUT -s 125.4.193.107/24  -j DROP #  btmp count 39 Country: JP desc JCN
iptables -A INPUT -s 149.56.10.119/24  -j DROP #  btmp count 28 Country: UA desc OVH-CUST-5024201
iptables -A INPUT -s 150.109.48.10/24  -j DROP #  btmp count 30 Country: SG desc ACEVILLEPTELTD-SG
iptables -A INPUT -s 177.11.121.15/24  -j DROP #  btmp count 35 Country:  desc 
iptables -A INPUT -s 185.139.21.20/24  -j DROP #  btmp count 28 Country: FR desc FR-AGORAVITA-20160216
iptables -A INPUT -s 187.188.191.39/24  -j DROP #  btmp count 29 Country: MX desc 
iptables -A INPUT -s 193.112.98.66/24  -j DROP #  btmp count 62 Country: EU desc NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
iptables -A INPUT -s 218.92.1.190/24  -j DROP #  btmp count 7302 Country: CN desc CHINANET-JS
iptables -A INPUT -s 220.249.112.225/24  -j DROP #  btmp count 28 Country: CN desc Wuhan-University
iptables -A INPUT -s 43.231.184.203/24  -j DROP #  btmp count 61 Country: HK desc ANCHGLOBAL-HK
iptables -A INPUT -s 58.16.251.128/24  -j DROP #  btmp count 87 Country: CN desc GuiYang-Communications-administration
iptables -A INPUT -s 58.250.79.7/24  -j DROP #  btmp count 26 Country: CN desc UNICOM-GD
iptables -A INPUT -s 60.12.13.98/24  -j DROP #  btmp count 51 Country: CN desc UNICOM-ZJ
iptables -A INPUT -s 61.220.207.241/24  -j DROP #  btmp count 28 Country: TW desc HINET-NET
iptables -A INPUT -s 66.135.33.133/24  -j DROP #  btmp count 323 Country: US desc SERVER-ALLOC-1
iptables -A INPUT -s 77.249.249.244/24  -j DROP #  btmp count 39 Country: NL desc UPC-NL
iptables -A INPUT -s 83.244.80.102/24  -j DROP #  btmp count 73 Country: PS desc CALL-U-INTERNET-SERVICE-PROVIDER

Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

7 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

File Processing

Hi ALL, I have below file generated as o/p after my java code runs, Student Id 22552530 Below is the size (22ms, 835 bytes Student Id 2124592 Below is the size (55ms, 703 bytes Student Id 23903104 Below is the size (46ms, 24333 bytes Student Id 23903104 Below is the size (61ms, 24333... (3 Replies)
Discussion started by: nikhil jain
3 Replies

2. Shell Programming and Scripting

Parallel processing

I have 10,000 + files, each of which I need to zip using bzip2. Is ti possible to use bash to create 8 parallel streams sending a new file to be processed from the list when one of the others has finished? (1 Reply)
Discussion started by: garethsays
1 Replies

3. Fedora

/var/log/btmp size 2.2Gb daily

Hello, One Fedora server is facing the issue that daily /var/log/btmp grows to 2.2Gb or more. I need your help to determine the cause and isolate it. Thank you! (6 Replies)
Discussion started by: feroccimx
6 Replies

4. Programming

awk processing / Shell Script Processing to remove columns text file

Hello, I extracted a list of files in a directory with the command ls . However this is not my computer, so the ls functionality has been revamped so that it gives the filesizes in front like this : This is the output of ls command : I stored the output in a file filelist 1.1M... (5 Replies)
Discussion started by: ajayram
5 Replies

5. Shell Programming and Scripting

How to make parallel processing rather than serial processing ??

Hello everybody, I have a little problem with one of my program. I made a plugin for collectd (a stats collector for my servers) but I have a problem to make it run in parallel. My program gathers stats from logs, so it needs to run in background waiting for any new lines added in the log... (0 Replies)
Discussion started by: Samb95
0 Replies

6. What is on Your Mind?

Linux Centos 5.4 BTMP file size

Dear fellows, I have Centos 5.4 linux with DNS server, all logs are normal, in my /var/log/ btmp files is getting larger day by day. What is this btmp file for? How can i reduce the file siez or control file size. Waiting. MAZ (1 Reply)
Discussion started by: maz
1 Replies

7. Shell Programming and Scripting

parallel processing

hi i am preparing a set of batches for a set of files sequentially There is a folder /xyz where all the files reside now all the files starting with 01 - will be appended for one below other to form a batch batch01 then all the files starting with 02 - will be appended for one below other to... (7 Replies)
Discussion started by: mad_man12
7 Replies

Featured Tech Videos