Luk for hackere (Keep hackers out)
Python program som lukker for systematiske forsøg på login på Linux. Python program that blocks systematic attempts to log on to my Linux machine.
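#!/usr/bin/env python
# -*- coding: UTF-8 -*-
"""Keep brute-force login sources out via /etc/hosts.deny.

Script has to be run as root.  Start it when you see a lot of lines like
these in your syslog:

  Jul 12 16:22:43 databassen sshd[27827]: Did not receive identification string from ::ffff:83.133.126.184
  Jul  9 23:58:58 databassen sshd[7318]: Invalid user jabber from ::ffff:207.249.175.238
  Aug 23 22:48:02 databassen pure-ftpd: (?@61.178.83.89) [WARNING] Authentication failed for user [admin]
  Aug 23 22:48:18 databassen pure-ftpd: (?@61.178.83.89) [ERROR] Too many authentication failures
  Aug 30 08:46:17 databassen lwresd[6336]: unexpected RCODE (SERVFAIL) resolving '29.246.73.212.in-addr.arpa/PTR/IN': 193.162.153.164#53

The script follows syslog, finds the IPs that try to connect and puts those
IPs in hosts.deny.

Valid users could make a mistake and end up in the deny file.
Solution: a friendly list with their IPs, so they can always connect.

TODO:
 1. If someone decides on a brute-force attack via a network of open
    proxies they can explode hosts.deny.
    Solution: if hosts.deny gets too big, the script should shut down
    sshd and ftpd.

Limitations visible in the code (not fixed here):
 * the log file is opened once; after logrotate the old file descriptor
   is still followed, so restart the script after rotation;
 * hosts.deny only affects services that honour tcp wrappers.

PS: just tested on SuSE 9.3.
Licence: GPL
"""
import getopt
import io
import os
import re
import sys
import time

HEADER = """# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL
"""

# Plain dotted quad; the octet range is checked separately in _is_ipv4().
_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _is_ipv4(text):
    """Return True if *text* is exactly a dotted-quad IPv4 address.

    Only tokens of this shape are ever written to hosts.deny, so a garbled
    or unexpected log line can neither crash the watcher nor put arbitrary
    text into the deny file.
    """
    match = _IPV4_RE.match(text)
    if not match:
        return False
    return all(int(octet) <= 255 for octet in match.groups())


def extract_hostile_ip(line):
    """Return the offending IPv4 address found in syslog *line*, or None.

    Recognised lines (samples in the module docstring):
      * sshd "Invalid ..." / "Did not receive identification string from"
        with an IPv4-mapped (``::ffff:``) address: the address follows the
        last colon;
      * pure-ftpd "Too many authentication failures": the address sits
        between ``@`` and ``)``;
      * lwresd "unexpected RCODE (SERVFAIL)": the part before ``#`` after
        the last colon.  NOTE(review): in that message the address looks
        like the name server that was queried rather than a client --
        confirm this is really what should be denied.

    Returns None for lines that match none of these, for lines whose
    expected separators are missing (e.g. sshd's own "Too many
    authentication failures" has no ``@``), and for tokens that are not a
    dotted-quad address.
    """
    try:
        if ('Invalid' in line or 'Did not receive identification string from' in line) and 'ffff' in line:
            candidate = line.split(':')[-1]
        elif "Too many authentication failures" in line:
            candidate = line.split("@")[1].split(")")[0]
        elif "unexpected RCODE (SERVFAIL)" in line:
            candidate = line.split(":")[-1].split("#")[0]
        else:
            # nothing to worry about
            return None
    except IndexError:
        # expected separator missing: a different daemon's wording
        return None
    candidate = candidate.strip()
    if _is_ipv4(candidate):
        return candidate
    return None


def write_deny_file(deny_file, hostile_ip):
    """Rewrite *deny_file* with HEADER plus one ``ALL:<ip>`` line per address.

    The content goes to a sibling temp file that is then renamed over the
    target, so a crash mid-write can never leave a truncated hosts.deny
    (a truncated file silently denies nobody).

    Args:
        deny_file: path of the hosts.deny file to replace.
        hostile_ip: mapping whose keys are the addresses to deny.
    """
    tmp = deny_file + ".tmp"
    with open(tmp, "w") as h:
        h.write(HEADER)
        for ip in sorted(hostile_ip):
            h.write("ALL:%s\n" % ip)
    os.rename(tmp, deny_file)


def stop_sshd_intruders(file="/var/log/messages", deny_file="/etc/hosts.deny",
                        follow=True, poll_interval=3):
    """Follow *file* for failed logins and keep *deny_file* up to date.

    Args:
        file: syslog file to read with a "tail -f" method.
        deny_file: hosts.deny file rewritten whenever a new address appears.
        follow: keep polling for new lines forever (the original behaviour).
            With False the file is read once to EOF and the function returns.
        poll_interval: seconds to sleep when no complete new line is there.

    Returns:
        The dict of denied addresses (keyed by address).  Only reached
        when *follow* is False.
    """
    hostile_ip = {'80.69.76.185': '80.69.76.185'}
    friendly = ('83.92.168.137',)
    # errors="replace": one undecodable byte in syslog must not stop the watcher;
    # a mangled token is simply rejected by extract_hostile_ip().
    with io.open(file, "r", errors="replace") as f:
        while 1:
            where = f.tell()
            line = f.readline()
            if not line:
                if not follow:
                    break
                # My intruder comes every 4 seconds, so a short nap is enough;
                # set poll_interval lower for a more aggressive one.
                time.sleep(poll_interval)
                f.seek(where)
                continue
            if follow and not line.endswith("\n"):
                # syslog is still writing this line; re-read it whole later
                time.sleep(poll_interval)
                f.seek(where)
                continue
            ix = extract_hostile_ip(line)
            if ix is None:
                continue
            if ix in hostile_ip:
                continue
            if ix in friendly:
                print("friendly %s" % ix)
                continue
            print(line)
            # add new hostile ip to hosts.deny
            hostile_ip[ix] = ix
            write_deny_file(deny_file, hostile_ip)
    return hostile_ip


if __name__ == "__main__":
    Usage = """
    stop.py -t
    -t : test (read ./messages, write ./hosts.deny)
    """
    file = "/var/log/messages"
    deny_file = "/etc/hosts.deny"
    try:
        options, arguments = getopt.getopt(sys.argv[1:], "t")
    except getopt.GetoptError:
        sys.stderr.write("Wrong arguments?\n")
        sys.stderr.write(Usage + "\n")
        sys.exit(1)
    for option, argument in options:
        if option == "-t":
            file = "messages"
            deny_file = "hosts.deny"
    stop_sshd_intruders(file=file, deny_file=deny_file)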