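#!/bin/bash
# syncheck: count half-open (SYN_RCVD) TCP connections per remote address and
# call blocca for every address that reaches the configured limit.

# In this function you can block the hostile ip.
# It reads the globals quantita (connections counted for the address), limite,
# tcpaddres (the address that reached the limit) and data (scan timestamp).
# NOTE(review): a SYN_RCVD entry has not completed the handshake, so its source
# address may be forged; blocking it automatically can cut off a legitimate
# host. Consider exempting addresses that must stay reachable and expiring the
# block rules.
blocca () {
  printf '%s >= %s %s %s\n' "${quantita}" "${limite}" "${tcpaddres}" "${data}" \
    >> /var/log/syncheck.log
  # This is a sample firewall block ip command
  # ipfilter bla bla bla ${tcpaddres}
}

# Print the remote address of every connection in SYN_RCVD, one per line.
# Assumes the remote address is the second netstat column in addr.port form;
# confirm this for the netstat on your system.
indirizzi_syn () {
  /usr/bin/netstat -an -f inet |
    /usr/bin/grep SYN_RCVD |
    /usr/bin/awk '{print $2}' |
    /usr/bin/sed 's/\.[0-9]*$//'   # quoted so the shell never globs it; strips ".port"
}

# Read one address per line on stdin and call blocca once for each address
# seen at least ${limite} times. quantita and tcpaddres are set for that same
# address before the call, so the log line and the firewall rule always name
# the host that was counted (not the next one in sort order).
controlla () {
  local conteggi
  conteggi=$( /usr/bin/sort | /usr/bin/uniq -c )
  while read -r quantita tcpaddres; do
    # An empty scan yields one blank line from the here-string; skip it.
    [ -n "${tcpaddres}" ] || continue
    if [ "${quantita}" -ge "${limite}" ]; then
      blocca
    fi
  done <<< "${conteggi}"
}

# This is for locale, if you want you can comment them.
# LC_ALL takes precedence over LANG and the other LC_* settings.
export LANG=it_IT
export LC_ALL=it_IT
export LC_COLLATE=it.UTF-8
export LC_CTYPE=it.UTF-8
export LC_MESSAGES=it.UTF-8
export LC_NUMERIC=it.UTF-8

# Max number of SYN_RCVD for ip address, change it for your need
limite=20

# A limit below 1 would match every address with a single half-open connection.
if ! [ "${limite}" -ge 1 ] 2>/dev/null; then
  echo "syncheck: limite must be a positive integer" >&2
  exit 1
fi

data=$( date )

controlla < <( indirizzi_syn )

# Copyright Alberto Panu 2007 www.panu.it
# Distributed under the GPL license http://www.gnu.org/licenses/gpl-3.0.txt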