BlockSSHD is a Perl script based on BruteForceBlocker v1.2.3 that dynamically adds IPTables rules to block SSH brute force attacks.
BlockSSHD checks a log file you specify, for example /var/log/secure on a Red Hat system, for SSH login failure messages. If it detects a failure message it records the source IP address and starts a counter. If messages continue to be detected from the same source IP address the counter is incremented for each message. When the counter reaches a user-specified threshold the script adds an IPTables rule blocking SSH connections from that source IP address.
A user-specified time-out is also defined to trigger a reset of the counter. If the counter is incremented but has not yet reached the blocking threshold and a new login failure message arrives then BlockSSHD checks the time-out. If the last increment of the counter occurred earlier than the current time minus the time-out period then the counter is reset rather than incremented. The time-out defaults to 600 seconds (10 minutes).
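The counter and time-out logic described above, reimplemented in Python as an added illustration (this is not BlockSSHD's own Perl code). It parses a few constructed /var/log/secure style lines, keeps a per-source counter with a last-seen timestamp, resets a counter whose last increment is older than the time-out, and returns the IPTables rule it would add once the threshold is reached instead of executing it. The threshold of 3, the assumed log year and the exact rule shape are assumptions; the 600 second time-out is the documented default.

```python
import re
from datetime import datetime, timedelta

# Assumed values: BlockSSHD makes the threshold user-configurable; 600 s is its default time-out.
THRESHOLD = 3
TIMEOUT_SECONDS = 600
SSH_PORT = 22
ASSUMED_YEAR = 2024  # syslog timestamps carry no year; constructed sample uses this one

# Matches the "Failed password" lines sshd writes for password failures, including
# attempts against non-existent accounts ("invalid user ...").
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log: one source hits the threshold quickly, another has a
# stale failure followed by two fresh ones, and an unrelated successful login.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:00:03 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar  3 10:00:05 bastion sshd[2103]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar  3 10:00:06 bastion sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:00 bastion sshd[2110]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
Mar  3 10:20:00 bastion sshd[2140]: Failed password for invalid user test from 198.51.100.9 port 33010 ssh2
Mar  3 10:20:02 bastion sshd[2140]: Failed password for invalid user test from 198.51.100.9 port 33011 ssh2
"""


def parse_failure(line):
    """Return (timestamp, source_ip) for an SSH login failure line, or None otherwise."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m.group("ip")


def iptables_rule(ip):
    """The blocking rule as an argv list; a real daemon would run this as root."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
            "--dport", str(SSH_PORT), "-j", "DROP"]


class BruteForceTracker:
    def __init__(self, threshold=THRESHOLD, timeout_seconds=TIMEOUT_SECONDS):
        self.threshold = threshold
        self.timeout = timedelta(seconds=timeout_seconds)
        self.counters = {}   # ip -> (failure count, time of last increment)
        self.blocked = set()

    def observe(self, ts, ip):
        """Record one failure; return the rule to add if this one crosses the threshold."""
        if ip in self.blocked:
            return None
        count, last_seen = self.counters.get(ip, (0, ts))
        # Last increment older than now minus the time-out: reset instead of increment.
        if count and ts - last_seen > self.timeout:
            count = 0
        count += 1
        self.counters[ip] = (count, ts)
        if count >= self.threshold:
            self.blocked.add(ip)
            del self.counters[ip]
            return iptables_rule(ip)
        return None


def process_log(lines, threshold=THRESHOLD, timeout_seconds=TIMEOUT_SECONDS):
    """Feed log lines through the tracker; return the tracker and the rules it produced."""
    tracker = BruteForceTracker(threshold, timeout_seconds)
    rules = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        rule = tracker.observe(*parsed)
        if rule is not None:
            rules.append(rule)
    return tracker, rules


if __name__ == "__main__":
    tracker, rules = process_log(SAMPLE_LOG.splitlines())
    for rule in rules:
        print(" ".join(rule))
    print("still counting:", {ip: c for ip, (c, _) in tracker.counters.items()})
```

With the default 600 second time-out only 203.0.113.5 is blocked: 198.51.100.9's first failure at 10:01:00 is stale by 10:20:00, so its counter restarts and ends at 2. Raising the time-out to an hour makes that source cross the threshold as well, which is the trade-off the time-out setting controls.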
The BlockSSHD script also has some command line options:
*) -d | --daemon | --start - Runs the script as a daemon
*) --stop - Stops the script
*) -h | --help - Prints help text
*) -v | --version - Prints the version
Running the BlockSSHD script without any command line options will start it interactively.
You will also find a Red Hat style init script in the init directory.
What's New in This Release:
· Fixed weird ^Ms in files
· Added Anton's WHOIS function to blocking emails
· If restore block function is off then remove log file to ensure old IPs are not accidentally applied
· If restore block function is on then automatically create log file