This how-to describes a way to block IP addresses that make repeated invalid login attempts, specifically against SSH, using a small script and a pf table.
First create the following script and name it sshblock: [download sshblock]
#!/bin/ksh
#
# sshblock: collect the source addresses of repeated SSH login failures from
# /var/log/authlog and load them into the pf table <kiddies>.
#
NUM_TRIES=3
# Make sure the list files exist on the first run so the sort steps below do not fail.
touch /var/tmp/invalid_users.list /var/tmp/failed_passwords.list
# Addresses that tried a user name that does not exist (field 10 of an
# "Invalid user X from IP" line).
SSH_INVALID_USERS=`grep 'Invalid user' /var/log/authlog | awk '{ print $10 }' | sort -u`
for iu in $SSH_INVALID_USERS; do
    # -F matches the address as a literal string, so its dots are not regex wildcards.
    num=`grep -cF -- "$iu" /var/log/authlog`
    if [ $num -gt $NUM_TRIES ]; then
        echo "$iu" >> /var/tmp/invalid_users.list
    fi
done
# sort -o may write back to its own input; "cat file | sort > file" truncates the
# file before cat reads it and would leave the list empty.
sort -u -o /var/tmp/invalid_users.list /var/tmp/invalid_users.list
# Addresses that failed the password for an existing user (field 11 of a
# "Failed password for X from IP" line).
SSH_FAILED_PASSWORD=`grep 'Failed password for' /var/log/authlog | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
for fp in $SSH_FAILED_PASSWORD; do
    num=`grep -cF -- "$fp" /var/log/authlog`
    if [ $num -gt $NUM_TRIES ]; then
        echo "$fp" >> /var/tmp/failed_passwords.list
    fi
done
sort -u -o /var/tmp/failed_passwords.list /var/tmp/failed_passwords.list
# Merge both lists and load the result into the <kiddies> table.
sort -u /var/tmp/invalid_users.list /var/tmp/failed_passwords.list > /var/tmp/blockers.list
pfctl -t kiddies -v -T add -f /var/tmp/blockers.list
Place this script in /usr/sbin and add the executable permission to it:
# mv sshblock /usr/sbin
# chmod +x sshblock
Add the following to /etc/pf.conf (be sure your external interface is set properly; vr0 is only an example):
ext_if="vr0"
table <kiddies> persist
block in on $ext_if from <kiddies>
To keep the table up to date, add the following to cron so the script refreshes the offending IPs every 5 minutes:
# crontab -e
*/5 * * * * /usr/sbin/sshblock
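The procedure above can be exercised without touching pf or the real authlog. The following is an added example, not the page's sshblock script: it reads constructed authlog lines, counts the two failure types the script looks for per source address (an "Invalid user" line, or a "Failed password for" line that is not about an invalid user, so one attempt is counted once), prints the addresses above the threshold, and merges them into a persistent list file with a sort that is safe to write back to its own input. The function names, the sample log, and the fixed-field layout of OpenBSD sshd messages are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the sshblock script from the page.
# Assumes OpenBSD-style sshd lines: "Invalid user X from IP" and
# "Failed password for X from IP port N ssh2"; the address is the word after "from".

# Print, one per line and sorted, every source address whose count of
# failed-authentication lines in logfile $1 exceeds the threshold $2.
offending_ips() {
    logfile=$1
    max_tries=$2
    awk -v max="$max_tries" '
        # Record the word following "from" as the offending address.
        function tally(   i) {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i+1)]++; return }
        }
        /Invalid user .* from /                   { tally() }
        /Failed password for / && !/invalid user/ { tally() }
        END { for (ip in count) if (count[ip] > max) print ip }
    ' "$logfile" | sort
}

# Append the current offenders to the persistent list file $3 and de-duplicate it.
# sort -o may name its own input as output; "sort > file" on the same file would
# truncate it before it is read.
update_blocklist() {
    logfile=$1
    max_tries=$2
    listfile=$3
    offending_ips "$logfile" "$max_tries" >> "$listfile"
    sort -u -o "$listfile" "$listfile"
}

# Constructed sample authlog (addresses from documentation ranges).
sample_authlog() {
    cat <<'EOF'
Mar 10 12:00:01 gw sshd[1234]: Invalid user admin from 203.0.113.5
Mar 10 12:00:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 44321 ssh2
Mar 10 12:00:03 gw sshd[1235]: Invalid user oracle from 203.0.113.5
Mar 10 12:00:05 gw sshd[1236]: Invalid user test from 203.0.113.5
Mar 10 12:00:07 gw sshd[1237]: Invalid user guest from 203.0.113.5
Mar 10 12:00:09 gw sshd[1240]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar 10 12:00:11 gw sshd[1241]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar 10 12:00:30 gw sshd[1250]: Accepted publickey for alice from 192.0.2.9 port 40000 ssh2
Mar 10 12:00:40 gw sshd[1251]: Failed password for bob from 192.0.2.9 port 40002 ssh2
EOF
}
```

With the sample log and a threshold of 3, only 203.0.113.5 (four "Invalid user" lines) is reported; 198.51.100.7 stops at two failures and the single failure from 192.0.2.9 is ignored. Running update_blocklist repeatedly leaves each address in the list exactly once, which is the property the real script needs before handing the file to `pfctl -T add`.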