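Create an iptables chain called LOGDROP:

    iptables -A LOGDROP -j LOG
    iptables -A LOGDROP -j DROP

Here is an example script (Yes - I suck at perl) that will output the iptable commands necessary to add the "bad" ip addresses to your firewall rules on stdout.

banips.pl
=======================================
#!/usr/bin/perl
use strict;
use warnings;

# banips.pl - print the iptables commands that would send "bad" client
# addresses to the LOGDROP chain.
#
# Two sources are scanned:
#   * the web server access log: one request matching any of the exploit
#     signatures below is enough to list the client address;
#   * the SSH auth log: an address is listed once it has more than
#     $AUTH_THRESHOLD "invalid"/"failed" login lines.
#
# Nothing is applied here.  The commands go to stdout so they can be
# reviewed before being run (an address over the threshold is listed whether
# or not it is shared by many users behind one NAT).  The LOGDROP chain must
# already exist (iptables -N LOGDROP, then the LOG and DROP rules above).
# Addresses that already have a LOGDROP rule in INPUT are skipped, so the
# script can be re-run without producing duplicate rules.

my $ACCESS_LOG     = "/var/log/httpd/access_log";
my $AUTH_LOG       = "/var/log/auth.log";
my $LASTRUN_STAMP  = "/root/banips.lastrun";
my $AUTH_THRESHOLD = 25;   # failed-login lines needed before an address is listed

# Every address below comes from log text, which remote clients influence,
# and ends up interpolated into a command line.  Only a well-formed dotted
# quad is ever printed; anything else is dropped.
my $IPV4_RE = qr/[0-9]{1,3}(?:\.[0-9]{1,3}){3}/;

# Read a whole file into a list of lines; dies with the OS error on failure.
sub read_lines {
    my ($path) = @_;
    open my $fh, '<', $path or die "Can't open $path: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Addresses that already have a LOGDROP rule in INPUT, keyed for exact
# lookup.  The source address is the 4th column of `iptables -L --numeric`
# (target, prot, opt, source, destination).  An exact key match replaces
# the old unanchored regex match, which treated "10.0.0.1" as already
# banned whenever "10.0.0.12" was, and let "." match any character.
my %already_banned;
for my $rule (`/sbin/iptables -L INPUT --numeric`) {
    next unless $rule =~ /LOGDROP/;
    my @fields = split ' ', $rule;          # split ' ' also strips leading blanks
    $already_banned{ $fields[3] } = 1 if defined $fields[3];
}

# Best-effort timestamp of this run; list-form system() avoids the shell.
system("touch", $LASTRUN_STAMP) == 0
    or warn "touch $LASTRUN_STAMP failed: $?\n";

# --- web server access log -------------------------------------------------
# The patterns are matched against the literal text Apache writes to the log
# (non-printable request bytes appear there as "\xNN" sequences).
my %web_offender;
for my $line (read_lines($ACCESS_LOG)) {
    next unless $line =~ /\\x90\\x02\\xb1\\x02\\xb1\\x02\\xb1/
             || $line =~ /\\xc9\\xc9\\xc9\\xc9\\xc9/
             || $line =~ /cmd.exe/
             || $line =~ /root.exe/;
    my ($client) = split ' ', $line;        # first field: remote host
    # Skip lines whose first field is not an address (e.g. a resolved
    # hostname) rather than printing it into a command.
    next unless defined $client && $client =~ /\A$IPV4_RE\z/;
    $web_offender{$client} = 1;
}

for my $ip (sort keys %web_offender) {
    next if $already_banned{$ip};
    print "/sbin/iptables -A INPUT -s $ip -j LOGDROP\n";
}

# --- SSH auth log ----------------------------------------------------------
my %auth_failures;
for my $line (read_lines($AUTH_LOG)) {
    next unless $line =~ /invalid|failed/i;
    # NOTE(review): assumes sshd logs IPv4 clients as IPv4-mapped IPv6
    # ("::ffff:a.b.c.d"), as the original pattern did; plain "a.b.c.d"
    # lines are not counted - confirm against the log format in use.
    my ($ip) = $line =~ /ffff:($IPV4_RE)/;
    $auth_failures{$ip}++ if defined $ip;
}

for my $ip (sort keys %auth_failures) {
    next if $already_banned{$ip};
    next unless $auth_failures{$ip} > $AUTH_THRESHOLD;
    print "/sbin/iptables -A INPUT -s $ip -j LOGDROP\n";
}
==========================================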