Re: shutting out dictionary attacks on ssh passwords

[Herb Peyerl <hpeyerl%beer.org@localhost>]

On Mon, Jun 27, 2011 at 01:38:49PM -0700, Erik E. Fair wrote:
> For those of us with public IP addresses, what is the most popular
> and effective way to shut out the various door-knob turners who
> keep trying account/password combinations again ssh and other such
> services?
> 
> I'm tired of spew on the consoles and log entries ... and I'd prefer
> to shut the door-knob turners out than silence the screaming daemons.

I have something that I think I got from Luke that he got from Christoph 
Badura, I think?  I don't really know the origin of it.


It's a perl script that camps out on auth.info:

auth.info                                               |exec 
/usr/local/sbin/ban-ssh-bf -


and parses the sshd failed login attempts.  After a few attempts, it adds the 
hosts' IP to ipfilter's group 22 and logs the banning:

1308706374 211.144.118.60 no identification
1308748742 184.0.209.250 illegal user jbeer
1308753376 24.143.26.76 illegal user jbeer
1308764694 189.109.125.110 failed password for root
1308853847 66.7.155.34 illegal user jbeer
1308916828 220.165.5.7 no identification
1308918105 66.228.37.45 failed password for root
1308949414 98.216.54.244 illegal user jbeer
1308969136 117.120.24.4 no identification
1309033552 61.142.80.59 no identification
1309034245 88.174.84.173 no identification
1309045681 119.161.145.206 no identification
1309049921 123.30.128.15 no identification
1309050716 12.157.117.67 illegal user jbeer
1309051370 216.218.212.69 failed password for root
1309064855 61.130.156.146 failed password for root
1309114909 202.164.212.32 failed password for root
1309121587 219.154.45.50 failed password for root
1309151582 110.74.197.251 illegal user jbeer

I can send you what I have if you like but maybe christoph has a newer 
version... I think mine is from 2007 sometime.