# How to write a script to use IPFW to deny IPs automatically?



## meteor8488 (Oct 24, 2013)

Hi all,

Recently I found someone is trying to hack my web server. They are using sometools to guess the password of the users of my website.

I can use below script to find out the IP of the attacker:


```
more php.log | grep "member.php?mod=logging&action=login&loginsubmit=yes&infloat=yes&lssubmit=yes&inajax=1" | awk '{print $1}' | sort | uniq -c | sort -n
```

And the result is as following:


```
73 182.245.41.253
  74 115.53.48.116
  74 182.122.155.240
  76 182.122.137.185
  80 115.53.50.237
  80 42.238.64.112
  82 115.53.49.156
  84 115.53.50.60
  84 182.122.139.171
  84 182.122.146.145
  86 182.116.195.246
  86 182.122.140.58
  86 42.238.79.187
  87 222.141.227.187
  89 182.122.155.214
  90 182.122.130.113
  92 115.53.50.84
  92 42.238.77.31
  96 182.122.152.177
 100 115.53.48.244
 104 115.53.48.141
 106 182.116.201.129
 108 182.122.152.222
 108 182.122.155.75
 112 182.122.138.59
 112 182.122.141.67
 112 182.122.154.46
 114 182.122.137.78
 116 115.53.50.192
 118 182.122.156.171
 124 182.122.153.70
 130 182.122.143.25
 130 182.122.153.126
 136 182.116.206.125
 140 42.238.76.26
 142 222.141.227.15
 144 115.53.50.153
 144 182.116.195.176
 148 222.141.226.135
 150 42.238.68.141
 152 115.53.48.245
 154 182.116.203.35
 154 42.238.64.76
 158 182.116.195.189
 158 182.122.152.6
 162 182.116.195.130
 168 182.122.147.229
 169 182.122.152.59
 172 182.122.153.215
 174 182.122.139.63
 182 182.122.146.192
 184 182.122.157.206
 184 42.238.75.175
 202 182.122.154.206
 209 115.53.48.196
 212 182.122.153.114
 216 182.122.155.239
 226 115.53.48.41
 228 115.53.48.208
 244 222.141.226.6
 252 182.122.152.154
 254 115.53.51.97
 290 115.53.50.41
 388 182.116.200.47
 396 182.122.144.116
 404 42.238.79.23
```

There are too many IPs, it's hard for me to block them one by one. So I'm thinking maybe I can use a script to block these IPs. I can run the script every 30 minutes and block any IP which exceedes 20 attempts.

Because I'm not good at shell script, can anyone can help to create a script? And there are two options, I can use the script to block IPs via IPFW, or I can block IPs in nginx conf file, which one will be better?


----------



## SirDice (Oct 24, 2013)

Why re-invent the wheel? security/fail2ban


----------



## chatwizrd (Oct 24, 2013)

SirDice said:
			
		

> Why re-invent the wheel? security/fail2ban



Nope.

security/py-fail2ban


----------



## SirDice (Oct 24, 2013)

Oops. Typed it from the top of my head without verifying the link :r


----------



## RusDyr (Oct 31, 2013)

I'd recommend security/sshguard due to no Python dependency.


----------



## hshh (Nov 12, 2013)

Add a rule for you decide to ban IPs:

```
ipfw add deny ip4 from table(1) to me in via $ext_if
```

Pipe your IPs to insert into the IPFW table:

```
ipfw table 1 add $ip
```


----------



## cardiel (Dec 3, 2013)

*Re: how to write a script to use IPFW to deny ip automatical*

I had the same problem on one of my servers and I do the following to ban IPs from a file with IPFW.


```
ipfw -q add 00031 deny ip from "table(1)" to me
for IP in $( cat /etc/spammers ) ; do ipfw table 1 add $IP ; done
```


----------



## nesstyy (Jan 8, 2014)

*Re: How to write a script to use IPFW to deny IP automatical*

Good work here. Thanks.


----------

