misc-scripts/ban-ssh-morons
2012-07-28 17:16:55 +02:00
..
ban-ssh-morons.initd SSH bruteforce bots blacklisting script 2012-07-28 17:16:55 +02:00
ban-ssh-morons.pl SSH bruteforce bots blacklisting script 2012-07-28 17:16:55 +02:00
README SSH bruteforce bots blacklisting script 2012-07-28 17:16:55 +02:00

Ban SSH bruteforce bots
========================

This script maintains a blacklist based on repeated SSH log-in failures. I wrote
this after getting 800MB of authentication failure logs in one day on a home DSL
so the measures it takes are somewhat extreme.

The script normally runs in the background, reading /var/log/auth.log every
minute. When it detects 5 failed attempts from the same source, it will add an
iptables rule dropping all packets from that address. All addresses are also
added to a file and the iptables blacklist restored when it runs.

It is also possible to run the script with a specific input file. In this case
it will not fork to the background; it will load the file, find offending
entries, blacklist them, and exit. This allows the script to be "seeded" using
old logs.


Notes:
 1/ Blacklist entries are *never* removed automatically.
 2/ Updating the iptables blacklist is not efficient.
 3/ If you want to customise the paths and various parameters, you need to
	modify the script ("our $WHATEVER" variables).
 4/ ban-ssh-morons.initd is an init script for Debian Squeeze.