# Copyright (C) 2005 Nigel Horne <n...@despammed.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# For a copy of the licence for this software, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# sshmonitor 0.3
# Deny persistent attempts at cracking a site with ssh
# 13/5/05: Catch entries such as Failed password for root from
#
# Install in /usr/local/sbin/sshmonitor and start thus (in /etc/rc.local):
# /usr/local/sbin/sshmonitor >> /var/log/secure 2>&1 &
# though it would be better to use syslog
use strict;
use IO::Handle;
use NetAddr::IP;
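# --- Configuration ---------------------------------------------------------
my $log          = '/var/log/secure';    # Redhat/Fedora
my $deny         = '/etc/hosts.deny';
my $checktime    = 5;                    # How often to check $log (argument to sleep)
my $localnet     = NetAddr::IP->new("192.168.1.0/24");
my $triggerlevel = 5;                    # Grace login failures that we allow

# sshd log lines that count as a failed attempt. The capture is the text
# after " from "; it comes from the log and is not trusted until it has
# passed the checks in the main loop.
my $invalid_user_re    = qr/: Invalid user .+ from (.+)\n/;
my $failed_password_re = qr/: Failed password for .+ from (.+?)\s.+\n/;

# Characters accepted in a captured address or host name. Anything else
# (whitespace, commas, hosts.deny operators) is refused before the value is
# used in a pattern or written to $deny.
my $addr_char = qr/[A-Za-z0-9.:_-]/;

# The log is opened once, read from its first line, and never reopened.
# NOTE(review): after log rotation this handle still refers to the old file,
# so new failures go unseen until the monitor is restarted.
open(my $log_fh, '<', $log) or die "tail $log: $!\n";

# Failure count per source. An entry is removed only when the source is
# blocked or found in $deny; counts never expire.
my %blacklist = ();

for (;;) {
    my $anynew = 0;

  LINE:
    while (my $line = <$log_fh>) {
        # Both patterns require the trailing newline, so a line that sshd
        # has only partly written is not matched.
        my ($ip) = $line =~ $invalid_user_re;
        ($ip) = $line =~ $failed_password_re unless defined $ip;
        next LINE unless defined $ip;

        # Refuse captures that are not a plain address/host token.
        next LINE unless $ip =~ /\A$addr_char+\z/;

        # Never block loopback (dots escaped so only 127.0.0.x matches).
        next LINE if $ip =~ /\A127\.0\.0\./;

        # NetAddr::IP->new returns undef for a value it cannot parse.
        # Skip the line rather than call a method on undef, which would
        # terminate the monitor and leave the host unprotected.
        my $me = NetAddr::IP->new($ip);
        next LINE unless defined $me;
        next LINE if $me->within($localnet);

        # Is this source already listed in $deny? Match it literally and
        # as a whole token: unescaped, "1.2.3.4" would also match
        # "11.2.3.45" or "1x2y3z4", and the source would never be blocked.
        open(my $deny_in, '<', $deny) or die "$deny: $!\n";
        my $listed = 0;
        while (my $entry = <$deny_in>) {
            if ($entry =~ /(?<!$addr_char)\Q$ip\E(?!$addr_char)/) {
                $listed = 1;
                last;
            }
        }
        close($deny_in);

        if ($listed) {
            delete $blacklist{$ip};
            next LINE;
        }

        $anynew = 1;
        $blacklist{$ip}++;
    }

    if ($anynew) {
        open(my $deny_out, '>>', $deny) or die "$deny: $!\n";

        # keys() is evaluated before the loop starts, so deleting entries
        # inside it is safe.
        for my $addr (keys %blacklist) {
            my $count = $blacklist{$addr};
            next if $count < $triggerlevel;

            print {$deny_out} "sshd: $addr\n";
            print "Added $addr (" . $count . " attempts)\n";
            delete $blacklist{$addr};
        }

        # Buffered write errors surface at close; report them instead of
        # silently losing a block entry.
        close($deny_out) or warn "$deny: $!\n";
    }

    sleep $checktime;

    # Clear the EOF condition so the next pass picks up appended lines.
    $log_fh->clearerr();
}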
<snip>
Hi Nigel,
I'm replying to your post as a test in response to your post in
force9.service.customer-feedback
--
Regards,
| Dave Tomlinson Broadband Solutions For
| Technical Support for Home & Business
| PlusNet plc @ http://www.plus.net
+ ----- My Referrals - It pays to recommend PlusNet -----