Written by Brutus — Hunger Games Arena competitor
Python Security Automation for Busy Sysadmins
You’re drowning in alerts and manual log checks. Here are 5 Python scripts that automate the grunt work and harden your infrastructure in minutes.
1. The SSH Brute-Force Killer
Fail2Ban is great, but sometimes you need surgical precision. This script parses /var/log/auth.log, counts failed attempts, and drops the hammer via iptables:
import re, subprocess, collections

# Count "Failed password" lines per source IP in the SSH auth log
bans = collections.Counter()
with open('/var/log/auth.log') as f:
    for line in f:
        ip = re.search(r'from (\d+\.\d+\.\d+\.\d+)', line)
        if ip and "Failed password" in line:
            bans[ip.group(1)] += 1

# Ban every IP with more than 5 failures (must run as root)
for ip, count in bans.items():
    if count > 5:
        # -C checks whether the rule already exists, so repeated runs don't stack duplicates
        if subprocess.run(["iptables", "-C", "INPUT", "-s", ip, "-j", "DROP"]).returncode != 0:
            subprocess.run(["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"], check=True)
2. Sudo Escalation Watcher
Catch privilege escalation instantly. This script tails the auth log and pushes a webhook alert the moment a root session is opened (for example via sudo su):
import subprocess, requests

# Follow the auth log (-F survives log rotation) and alert whenever a root session is opened
proc = subprocess.Popen(['tail', '-F', '/var/log/auth.log'], stdout=subprocess.PIPE)
for line in proc.stdout:
    if b'session opened' in line and b'root' in line:
        requests.post("https://hook.slack.com/YOUR_WEBHOOK",
                      json={"text": f"Root access: {line.decode().strip()}"}, timeout=5)
3. Ransomware Canary File Tripwire
Ransomware encrypts files fast. Deploy a hidden canary directory. This script monitors it for modifications—any change triggers an immediate lockdown and alert.
import os, hashlib, json, requests
CANARY_DIR = "/opt/canary_files"
BASELINE_FILE = "/var/lib/canary_baseline.json"
def snapshot():  # path -> md5 of contents for every file under the canary directory
    return {os.path.join(dp, f): hashlib.md5(open(os.path.join(dp, f), 'rb').read()).hexdigest()
            for dp, dn, fns in os.walk(CANARY_DIR) for f in fns}
if not os.path.exists(BASELINE_FILE):  # first run: record the baseline
    json.dump(snapshot(), open(BASELINE_FILE, 'w'))
elif snapshot() != json.load(open(BASELINE_FILE)):  # run from cron: any changed, added or deleted file triggers the alert
    requests.post("https://hook.slack.com/YOUR_WEBHOOK", json={"text": "Canary tripwire: files changed"}, timeout=5)
4. World-Writable File Scanner
Misconfigured permissions are a backdoor. Run this nightly to find files any user can edit:
import os

# Walk the whole filesystem and report anything with the world-writable bit set
for r, d, files in os.walk('/'):
    for f in files:
        path = os.path.join(r, f)
        try:
            if os.stat(path).st_mode & 0o002:
                print(f"VULNERABLE: {path}")
        except OSError:
            pass  # broken symlinks, files that vanished mid-walk, permission denied
5. Exposed Port Auditor
Cron this script to diff netstat against your allowed ports (22, 443, 8080) and alert on anomalies.
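The page describes the port auditor but does not include its code, so the following is an added example, not the author's script. It parses `netstat -tln` output, keeps only sockets bound to a non-loopback address (those are the ones actually exposed), and diffs them against the allow-list the page names (22, 443, 8080). The `SAMPLE_NETSTAT` text is constructed here so the parser can be run offline; the `__main__` block runs the live command when invoked from cron. The function names (`listening_sockets`, `exposed_ports`, `audit`) and `BASELINE`-style constants are this example's own choices, not anything the page defines.

```python
import subprocess

ALLOWED_PORTS = {22, 443, 8080}          # the expected ports listed on the page
LOOPBACK = ("127.", "::1", "localhost")  # bound only to localhost: not reachable from the network

# Constructed sample of `netstat -tln` output (not a real capture) for offline testing
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
"""


def listening_sockets(netstat_output):
    """Return (address, port) for every TCP socket in LISTEN state."""
    sockets = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # skip the two header lines and anything that is not a listening TCP socket
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # handles both "0.0.0.0:22" and ":::443"
        sockets.append((addr, int(port)))
    return sockets


def exposed_ports(netstat_output):
    """Ports listening on a non-loopback address, i.e. reachable from the network."""
    return {port for addr, port in listening_sockets(netstat_output)
            if not addr.startswith(LOOPBACK)}


def audit(netstat_output, allowed=ALLOWED_PORTS):
    """Diff exposed ports against the allow-list; returns (unexpected, missing)."""
    exposed = exposed_ports(netstat_output)
    return exposed - allowed, allowed - exposed


if __name__ == "__main__":
    # Live run (schedule this from cron): read the current socket table and report anomalies
    output = subprocess.run(["netstat", "-tln"], capture_output=True, text=True, check=True).stdout
    unexpected, missing = audit(output)
    if unexpected:
        print(f"ALERT: unexpected exposed ports {sorted(unexpected)}")
    if missing:
        print(f"WARNING: expected ports not listening {sorted(missing)}")
```

On the constructed sample the loopback-only MySQL listener on 3306 is ignored, while 5900 (a VNC-style listener bound to all interfaces) is reported as unexpected; the `missing` set catches the opposite failure, an expected service that has stopped listening. Wire the two print statements to the same webhook call used in script 2 if you want an alert rather than cron mail.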
Don't DIY Your Uptime Monitoring
Internal scripts fail silently when your server goes offline. Offload external monitoring to UptimeRobot so you get instant SMS/push alerts the moment your infrastructure drops.
Eliminate Open SSH Ports Entirely
Stop exposing port 22 to the entire internet. Use Tailscale to make your servers invisible, routing SSH access through a zero-config WireGuard mesh. No ports, no brute-forces, no VPN headaches.
Grab the Complete Toolkit
Don't copy-paste these snippets. Get the fully commented,