Inhaltsverzeichnis
1.0 hosts.allow
reiner@debian:˜$ cat /etc/hosts.allow
sendmail: all
sshd: ALL: aclexec /usr/local/sbin/sshfilter.sh %a
1.1 hosts.deny
reiner@debian:˜$ cat /etc/hosts.deny
sshd: ALL
1.2 sshfilter.sh Script
reiner@debian:˜$ cat /usr/local/sbin/sshfilter.sh
#!/bin/bash
# UPPERCASE space-separated country codes to ACCEPT
#ALLOW_COUNTRIES="DE DK CH"
ALLOW_COUNTRIES="DE AT CH"
if [ $# -ne 1 ]; then
echo "Usage: $(basename $0) " 1>&2
exit 0
fi
COUNTRY=$(/usr/bin/geoiplookup $1 | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1)
[[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]] && RESPONSE="ALLOW" || RESPONSE="DENY"
logger "TCPWRAPPER $RESPONSE sshd connection from $1 ($COUNTRY)"
echo "$(date +'%x %X') $RESPONSE sshd connection from $1 ($COUNTRY)" | tee -a /var/log/ssh-restiction.log
[ $RESPONSE = "ALLOW" ] && exit 0 || exit 1
reiner@debian:˜$ /usr/local/sbin/sshfilter.sh 1.1.1.1
05.06.2023 21:43:08 DENY sshd connection from 1.1.1.1 (AU)
1.3 free GeoLite Tool
reiner@debian:˜$ wget https://github.com/axllent/goiplookup