#!/usr/local/bin/bash

MODE="AUTO"
#MODE="MANUAL"

if [ -f /var/log/auth.log ] ; then
   ips=$(cat /var/log/auth.log | grep -i illegal | grep -i sshd | awk -F" " {'print $15'})

   attempts=1

   for ip in $ips ; do

      lastip=$ip

      if [ "$lastip" == "$ip" ] ; then
         attempts=$(expr $attempts + 1)
         if [ $attempts -ge 3 ] ; then
            echo -n "Brute force SSHD ataque detectado vindo do ip $ip" > /dev/ttyv0
            attempts=1
            lastip=""
            blocked=$(ipfw list | grep $ip | grep deny)
                   if [ "$blocked" ] ; then
               echo -n "> Ip já bloqueado. Continuando com o scan" > /dev/ttyv0
               echo -n " " > /dev/ttyv0
            else
               if [ $MODE == "MANUAL" ] ; then
                  echo "> Você deseja bloquear este ip nas regras do IPFW? (y/n)"
                  read resp
                  if [ "$resp" == "y" ] ; then
                  /sbin/ipfw add deny ip from any to $ip
                  /sbin/ipfw add deny ip from $ip to any
                     echo "> IP $ip adicionado as regras de bloqueio"
                     echo " "
                  fi
               else
                  /sbin/ipfw add deny ip from any to $ip
                  /sbin/ipfw add deny ip from $ip to any

                  echo -n "> IP $ip adicionado as regras de bloqueio" > /dev/ttyv0
                  echo -n " " > /dev/ttyv0
                #echo $ip >> /var/log/ips
               fi
            fi
         fi
      fi

   done

fi