Subject: Autoblocking sites after ssh probes
To: None <current-users@NetBSD.org>
From: Martin Husemann <martin@duskware.de>
List: current-users
Date: 01/27/2005 23:29:42
I guess this is completely off-topic, but anyway: for unrelated reasons
I am running a diagnostic/debug kernel on my router right now. So I noticed
these messages on the console:

trapdebug: emul netbsd UNIPL syscall 210:unknown syscall
trapdebug: emul netbsd UNIPL syscall 210:unknown syscall

(tons of them)

IIRC this is sshd doing some AFS syscall. So I checked what's going on and saw
the typical ssh login probes in /var/log/authlog:

Jan 27 23:06:40 setting-sun sshd[10795]: Illegal user lbenson from 219.117.250.205
Jan 27 23:06:44 setting-sun sshd[11053]: Illegal user jlawrence from 219.117.250.205
Jan 27 23:06:47 setting-sun sshd[8759]: Illegal user rnelson from 219.117.250.205
Jan 27 23:06:51 setting-sun sshd[10297]: Illegal user mankney from 219.117.250.205

This is no problem in itself; of course my sshd is configured to not allow login
authentication. But the spewing of messages on the console was ... somehow
disturbing, so I just added an ipf rule

  block in quick on pppoe0 from 219.117.250.205

Checking older logs from the last two days I found similar things from 5
different IPs. Most (all?) of them seem to be dynamic IPs, so blocking those
permanently does not make much sense.

Now, here is the question: does anyone know of a tool to automagically recognize
this sequence of logs that temporarily adds the corresponding block rules to
ipf and expires them after, say, 24 hours?

Is there anything wrong from a security point of view with this approach?
It's not a protection in itself, and it's just one common attack (out of
hundreds, I guess). But maybe as an additional obstacle?

Martin
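The tool Martin asks for, sketched as an added example (not Martin's code and not any NetBSD or IPFilter tool): it spots the "Illegal user" pattern in authlog lines, raises a block once one IP crosses a threshold, and expires the block again later. The policy (three hits within ten minutes, 24-hour expiry) and the sample log are assumptions; the pppoe0 interface and the rule form come from the post, and the ipf invocations are returned as strings rather than executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: three "Illegal user" hits from one IP within ten
# minutes earn a block; the block is removed again after 24 hours.
THRESHOLD, WINDOW, EXPIRY = 3, timedelta(minutes=10), timedelta(hours=24)
INTERFACE = "pppoe0"  # interface from the ipf rule in the post
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Illegal user \S+ from (\d+\.\d+\.\d+\.\d+)")

# Sample input: the four lines quoted in the post plus one constructed, benign line.
SAMPLE_LOG = [
    "Jan 27 23:06:40 setting-sun sshd[10795]: Illegal user lbenson from 219.117.250.205",
    "Jan 27 23:06:44 setting-sun sshd[11053]: Illegal user jlawrence from 219.117.250.205",
    "Jan 27 23:06:47 setting-sun sshd[8759]: Illegal user rnelson from 219.117.250.205",
    "Jan 27 23:06:51 setting-sun sshd[10297]: Illegal user mankney from 219.117.250.205",
    "Jan 27 23:07:02 setting-sun sshd[11210]: Accepted publickey for martin from 192.0.2.10 port 4022 ssh2",
]

def find_offenders(lines, year=2005):
    """Map each IP that reached THRESHOLD hits inside WINDOW to the time it did so."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so the caller supplies it
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(2)].append(stamp)
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - THRESHOLD + 1):
            if times[i + THRESHOLD - 1] - times[i] <= WINDOW:
                offenders[ip] = times[i + THRESHOLD - 1]
                break
    return offenders

def ipf_rule(ip):
    return f"block in quick on {INTERFACE} from {ip} to any"

def update_blocks(blocks, lines, now, year=2005):
    """blocks maps ip -> expiry time; returns the ipf commands due this round."""
    cmds = []
    for ip in sorted(ip for ip, expiry in blocks.items() if expiry <= now):
        cmds.append(f"echo '{ipf_rule(ip)}' | ipf -r -f -")  # -r removes the rule again
        del blocks[ip]
    for ip, when in sorted(find_offenders(lines, year).items()):
        if ip not in blocks:
            blocks[ip] = when + EXPIRY
            cmds.append(f"echo '{ipf_rule(ip)}' | ipf -f -")  # -f - reads the rule from stdin
    return cmds
```

Run it periodically (from cron, say) on the authlog lines that arrived since the last run, keeping the blocks dict between runs; each call hands back exactly the add and remove commands that are due.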