Ssh IP blocker
From Logicalwebhost-Wiki
A doo-dad that checks for dictionary attacks on ssh and blocks the IP. Look for it here: http://cpan.perl.org/scripts/Networking/index.html or the exact script is called sshwatch-0.01.pl; I have it at this link in its current form.
There's also a thing that ties in with iptables to watch for >5 ssh attempts from the same IP and then blacklists that IP; it's called ssh_iptables.
Here's something you can cut/paste straight into iptables: http://www.debian-administration.org/articles/187
This is pretty good reading too: http://forums.gentoo.org/viewtopic-t-557557-highlight-iptables.html (some dude wrote a python thingie there too).
Big Gentoo list of various attempts: http://blinkeye.ch/mediawiki/index.php/SSH_Blocking
You can find out how many failed attempts (mostly hack attempts, basically) you've had on your boxen, broken down by user name, by running:
grep "Failed" /var/log/auth.log | sed "s/.*for\( invalid user\)*\(.*\)\(from.*\)/\2/" | sort | uniq -c | less
grep "Failed" /var/log/auth.log.0 | sed "s/.*for\( invalid user\)*\(.*\)\(from.*\)/\2/" | sort | uniq -c | less
This will search the last 2 log files; at least that's where the ssh log is on Debian/Ubuntu. On Fedora it's /var/log/secure, so you might have to change the path in that last command.
This will just tell you how many failed attempts you had in total (the sort/uniq pipeline above counts distinct user names, so it's dropped here):
grep "Failed" /var/log/auth.log | wc -l
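The same per-user count as the grep/sed pipeline above, plus the per-IP count that the ssh_iptables-style ">5 attempts" rule is based on, as an added Python example that is not from the wiki page or from any of the scripts it links. The auth.log lines are constructed here to match what OpenSSH writes on Debian/Ubuntu; the threshold of 5 follows the page.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not real traffic); same layout as
# sshd writes on Debian/Ubuntu. 203.0.113.5 fails six times, 198.51.100.7
# once before logging in successfully.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar  3 10:01:15 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
Mar  3 10:01:19 host sshd[2314]: Failed password for root from 203.0.113.5 port 4025 ssh2
Mar  3 10:01:25 host sshd[2316]: Failed password for invalid user test from 203.0.113.5 port 4031 ssh2
Mar  3 10:02:01 host sshd[2320]: Failed password for invalid user oracle from 203.0.113.5 port 4040 ssh2
Mar  3 10:02:09 host sshd[2322]: Failed password for invalid user guest from 203.0.113.5 port 4044 ssh2
Mar  3 10:02:44 host sshd[2325]: Failed password for bob from 198.51.100.7 port 51022 ssh2
Mar  3 10:03:02 host sshd[2325]: Accepted password for bob from 198.51.100.7 port 51022 ssh2
"""

# Same job as the sed expression on the page: pull the user name and the
# source IP out of each "Failed" line. "invalid user " is optional.
FAILED_RE = re.compile(
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failed(lines):
    """Yield (user, ip) for every failed-login line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")

def failed_by_user(lines):
    """Equivalent of: grep Failed | sed ... | sort | uniq -c"""
    return Counter(user for user, _ in parse_failed(lines))

def failed_by_ip(lines):
    """Failures per source address, which is what a blocker keys on."""
    return Counter(ip for _, ip in parse_failed(lines))

def total_failed(lines):
    """Equivalent of: grep Failed | wc -l"""
    return sum(failed_by_ip(lines).values())

def candidates_to_block(lines, threshold=5):
    """Source IPs with more than `threshold` failures (the >5 rule from the page)."""
    return sorted(ip for ip, n in failed_by_ip(lines).items() if n > threshold)

if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print(failed_by_user(lines))
    print("block:", candidates_to_block(lines))
```

Point it at a real file with `candidates_to_block(open("/var/log/auth.log"))`; the result is a list you can review before feeding anything to iptables.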
I added the following rules to one of my boxen
/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
That's from here: http://www.debian-administration.org/articles/187. I'm going to watch it and see what happens. If you want to remove your iptables rules, do this (note that -F flushes every rule in the filter table, not just these two):
/sbin/iptables -F
/sbin/iptables -X
Looks like this one might work pretty good too; it's called fail2ban: http://www.fail2ban.org/wiki/index.php/Main_Page
