KViSR
13-01-2010, 11:28
SSHBlack
http://www.pettingers.org/code/sshblack.html
The sshblack script is a real-time security tool for secure shell (ssh). It monitors *nix log files for suspicious activity and reacts appropriately to aggressive attackers by adding them to a "blacklist" created using various firewalling tools -- such as iptables -- available in most modern versions of Unix and Linux. The blacklist is simply a list of source IP addresses that are prohibited from making ssh connections to the protected host. Once a predetermined amount of time has passed, the offending IP address is removed from the blacklist.
It is written in Perl but requires no special modules or libraries.
What defines an "attack" is determined by a variable in the source code. This is usually a character string like "Failed password" or "Illegal user" but can be anything that the administrator deems as an undesirable activity. I have heard from many users who are using it for many things other than ssh, including website monitoring, proxy server watchdog, and generalized network monitoring for prohibited activities (e.g. peer-to-peer filesharing).
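The behaviour described above (scan log lines for an administrator-defined attack string, extract the source address, block it once a threshold is reached, and release it after a fixed time) can be sketched in a few dozen lines. The following is an added illustration written for this post, not sshblack's own Perl code: the log lines are constructed, the threshold and release period are hypothetical, and the iptables rule is returned as a string (dry run) rather than executed, so it can be run offline to see which addresses would be blocked and when they would be released.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the page).
SAMPLE_LOG = [
    "Jan 13 11:20:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "Jan 13 11:20:03 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2",
    "Jan 13 11:20:05 host sshd[1236]: Illegal user test from 198.51.100.7",
    "Jan 13 11:20:30 host sshd[1240]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2",
    "Jan 13 11:21:00 host sshd[1241]: Failed password for bob from 203.0.113.5 port 40001 ssh2",
]

# The strings that define an "attack" (administrator-configurable, as the page says).
ATTACK_PATTERNS = ("Failed password", "Illegal user")
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def attack_source(line):
    """Return the source IP if the line matches an attack pattern, else None."""
    if not any(p in line for p in ATTACK_PATTERNS):
        return None
    m = IP_RE.search(line)
    return m.group(1) if m else None


class Blacklist:
    """Threshold-based blacklist with timed release (hypothetical default values)."""

    def __init__(self, threshold=3, release_seconds=24 * 3600):
        self.threshold = threshold
        self.release_seconds = release_seconds
        self.counts = defaultdict(int)
        self.blocked = {}  # ip -> timestamp at which the block is released

    @staticmethod
    def iptables_cmd(ip, add):
        # Dry run: build the rule string instead of calling iptables.
        action = "-I" if add else "-D"
        return f"iptables {action} INPUT -s {ip} -p tcp --dport 22 -j DROP"

    def observe(self, line, now):
        """Feed one log line; return the block command if this line crosses the threshold."""
        ip = attack_source(line)
        if ip is None or ip in self.blocked:
            return None
        self.counts[ip] += 1
        if self.counts[ip] >= self.threshold:
            self.blocked[ip] = now + self.release_seconds
            return self.iptables_cmd(ip, add=True)
        return None

    def expire(self, now):
        """Release entries whose time has passed; return the commands that undo those blocks."""
        cmds = []
        for ip, release_at in list(self.blocked.items()):
            if now >= release_at:
                del self.blocked[ip]
                self.counts.pop(ip, None)
                cmds.append(self.iptables_cmd(ip, add=False))
        return cmds


def run(lines, threshold=3, release_seconds=24 * 3600):
    """Process lines at t=0; return (block commands, blocked IPs, release commands once the period has elapsed)."""
    bl = Blacklist(threshold, release_seconds)
    blocks = [c for line in lines if (c := bl.observe(line, now=0))]
    blocked = sorted(bl.blocked)
    releases = bl.expire(now=release_seconds)
    return blocks, blocked, releases


if __name__ == "__main__":
    for item in run(SAMPLE_LOG):
        print(item)
```

With the constructed input, 198.51.100.7 reaches the threshold on its third matching line and is blocked; 203.0.113.5 has a single failure and is left alone; after the release period the same address is removed again. A real deployment tails the log continuously and must also run the rule commands with sufficient privilege, neither of which this sketch does.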