Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Hubert Feyrer <>
From: Rhialto <>
List: tech-net
Date: 01/13/2007 04:37:29
On Fri 12 Jan 2007 at 13:58:24 +0100, Hubert Feyrer wrote:
> On Fri, 12 Jan 2007, David Sheryn wrote:
> > or similar ? (not tried it myself)  Any
> > other suggestions ?
> See "Fighting ssh password guessing attempts (Update #2)" at 

I wonder if this kind of thing can't be done with a PAM module? It would
be much more efficient than tail-ing a logfile.

I am running a slightly changed version of the above script: I also look
for the pattern "Illegal user .* from" to block and my "block in" filter
rules are in "group 200" which others might not have.


#!/bin/sh
# Block unauthorised login attempts using only system tools
# Inspired by Hubert Feyrer's 'challenge' to write a script that just used
# tail to do the work
# (c) Ian Spray and Hubert Feyrer, 2006

# Use it for what you will: no restrictions, and no warranty

# Tool and log paths (NetBSD defaults; the post did not include these
# definitions, so they are supplied here)
TAIL=/usr/bin/tail
SED=/usr/bin/sed
IPF=/sbin/ipf
LOG_FILE=/var/log/authlog

CMD_PERM='/usr/bin/tee -a /etc/ipf.conf | '

# uncomment the following line if you want bans to be temporary

# Follow the auth log; every matching line becomes one ipf rule that is
# appended to /etc/ipf.conf (permanent) and loaded into the active rule set
${TAIL} -F ${LOG_FILE} | while read LOG_LINE
do
	echo "${LOG_LINE}" \
	| ${SED} -n \
		-e '/127\.0\.0\.1/d' \
		-e '/192\.168\.0\./d' \
		-e '/10\.0\./d' \
		-e 's/.*Failed password .* from \([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\).*/block in log quick from \1.\2.\3.\4 to any group 200/p' \
		-e 's/.*Illegal user .* from \([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\).*/block in log quick from \1.\2.\3.\4 to any group 200/p' \
	| /usr/bin/tee -a /etc/ipf.conf | ${IPF} -A -f -
	# | ${CMD_PERM} ${IPF} -A -f -
	# (note: a '|' inside an expanded variable is a literal argument,
	# not a pipe operator, so the CMD_PERM form needs eval to work)
done

___ Olaf 'Rhialto' Seibert      -- You author it, and I'll reader it.
\X/ rhialto/at/        -- Cetero censeo "authored" delendum esse.
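An added example, not the script from this thread, that turns the same sshd authlog lines into IPFilter rules as a function that can be checked offline: it deduplicates addresses so a host hammering the daemon does not yield one rule per attempt, anchors the loopback and private-range exclusions to the " from " field so they cannot match unrelated digits, and also accepts the "Invalid user" wording that later OpenSSH releases log in place of "Illegal user". The log lines are constructed samples and the group number 200 is taken from the post.

```shell
#!/bin/sh
# Constructed sample authlog lines (not a real log); addresses are from the
# documentation ranges.
SAMPLE_AUTHLOG='Jan 13 04:10:01 host sshd[1234]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jan 13 04:10:03 host sshd[1235]: Illegal user admin from 203.0.113.7
Jan 13 04:10:05 host sshd[1236]: Failed password for invalid user test from 198.51.100.22 port 50120 ssh2
Jan 13 04:10:07 host sshd[1237]: Failed password for olaf from 192.168.0.5 port 50130 ssh2
Jan 13 04:10:09 host sshd[1238]: Accepted publickey for olaf from 203.0.113.9 port 50140 ssh2
Jan 13 04:10:11 host sshd[1239]: Invalid user oracle from 198.51.100.22'

# Read authlog lines on stdin, print one "block in" rule per offending
# address in first-seen order. The ipf group number is the first argument.
authlog_to_ipf_rules() {
    group=${1:-200}
    ip='\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)'
    sed -n \
        -e '/ from 127\.0\.0\.1/d' \
        -e '/ from 192\.168\.0\./d' \
        -e '/ from 10\.0\./d' \
        -e "s/.*Failed password .* from ${ip}.*/\1/p" \
        -e "s/.*Illegal user .* from ${ip}.*/\1/p" \
        -e "s/.*Invalid user .* from ${ip}.*/\1/p" \
    | awk -v g="$group" \
        '!seen[$1]++ { printf "block in log quick from %s to any group %s\n", $1, g }'
}

# Number of distinct rules the sample produces (2: the 192.168.0.5 attempt
# is excluded and the repeated addresses collapse to one rule each).
count_sample_rules() {
    printf '%s\n' "$SAMPLE_AUTHLOG" | authlog_to_ipf_rules 200 | wc -l | tr -d ' '
}

# Show the rules that would be fed to "ipf -A -f -" for the sample.
printf '%s\n' "$SAMPLE_AUTHLOG" | authlog_to_ipf_rules 200
```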