ssh_blocker for OpenBSD and Packet Filter (Ruby edition)
Juan J. Martinez
http://www.usebox.net/jjm/ssh_blocker/
http://blackshell.usebox.net/pub/shell/

*ABOUT*

This is a simple Ruby script that dynamically filters hosts trying to log in
to an ssh account using common usernames/passwords.

The main idea is based on a script with the same functionality coded in
Python by Francisco de Borja Lopez Rio (Wu) - http://www.e-shell.org/

A shell-script implementation of the same thing is available on the same site
you got this script from. You can convert ssh_blocker.sh logs to the
ssh_blocker.rb log format with the following command:

  awk '$7 != "" { print "X:", $7, "added to blocked list" }' < ssh_blocker.log

*USAGE*

By default the script uses the pf table "sshscan" and scans /var/log/authlog.
You can change both with the --table pf_table and --authlog authlog_path
switches.

Using the defaults, add a table to your /etc/pf.conf:

  table <sshscan> persist

and block the IPs in that table:

  block in log quick on $OUT_IF proto tcp from <sshscan> to any port 22

Once pf is set up, copy ssh_blocker.rb to your /root/bin directory, then
chown root:wheel and chmod 500 it. Then add a cron job to root's crontab to
execute the script periodically:

  0 */5 * * * /root/bin/ssh_blocker.rb >> /var/log/ssh_blocker.log

(That entry runs the script at minute 0 of every fifth hour; shorten the
interval if you want attackers blocked sooner.)

*TIPS*

To make the script more effective, use the sshd_config directive "AllowUsers"
so that valid accounts which must not log in over ssh (such as root) show up
in authlog as "Failed password for illegal user" (sshd reports any user not
listed in AllowUsers as an illegal user). Just add the allowed users to
AllowUsers :) and the rest become illegal users.

You can take IPs from ssh_blocker's own logs instead of authlog with the
--logpath log_path switch. After a reboot the pf table is empty, and you may
rotate your authlog, so this lets you restore the blocked IPs easily by
running ssh_blocker manually against its own log.

*WHITE LISTS*

By default 127.0.0.1 will never be added to the blocked list. You can change
the IPs in this "white list" with -w comma_separated_IP_list, e.g.

  ssh_blocker.rb -w 192.168.0.1,10.1.1.3

In that example the IPs 192.168.0.1 and 10.1.1.3 will never be blocked.

* LICENSE *

This script is Free Software; check the source for further details.

* EOF *
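Added example (not the ssh_blocker.rb script itself, nor any code from the project): a Ruby sketch of the core loop the USAGE, TIPS and WHITE LISTS sections describe. It pulls source addresses out of sshd "Failed password for illegal user" authlog lines, or out of ssh_blocker's own "X: IP added to blocked list" log (the --logpath case), drops whitelisted addresses as the -w switch does, and builds the `pfctl -t <table> -T add <ip>` invocations that load them into the table. The log lines are constructed for the example; the function names are mine; and the authlog pattern goes slightly beyond the README by also accepting the "invalid user" wording that later OpenSSH releases use in place of "illegal user".

```ruby
#!/usr/bin/env ruby
# Added example, not the ssh_blocker.rb script: extract attacker IPs from sshd
# authlog lines or from ssh_blocker's own log, drop whitelisted addresses, and
# build the pfctl commands that would load the rest into the pf table.
require 'set'
require 'ipaddr'

# Constructed sshd lines in OpenBSD authlog format. The third one uses the
# "invalid user" wording of newer OpenSSH; the README only mentions "illegal user".
SAMPLE_AUTHLOG = <<~LOG
  Jan 10 12:00:01 gw sshd[1234]: Failed password for illegal user admin from 203.0.113.5 port 4444 ssh2
  Jan 10 12:00:03 gw sshd[1235]: Failed password for illegal user test from 203.0.113.5 port 4445 ssh2
  Jan 10 12:00:09 gw sshd[1236]: Failed password for invalid user oracle from 198.51.100.7 port 2222 ssh2
  Jan 10 12:01:00 gw sshd[1237]: Accepted publickey for jjm from 192.168.0.1 port 5000 ssh2
  Jan 10 12:02:00 gw sshd[1238]: Failed password for illegal user guest from 127.0.0.1 port 5001 ssh2
LOG

# Constructed lines in the ssh_blocker.rb log format ("X: IP added to blocked list").
SAMPLE_BLOCKER_LOG = <<~LOG
  X: 203.0.113.5 added to blocked list
  X: 198.51.100.7 added to blocked list
  X: 192.0.2.9 added to blocked list
LOG

IPV4 = /(\d{1,3}(?:\.\d{1,3}){3})/
# Anchored to the end of the line: the address must be the last one on it, so a
# username crafted to contain "from a.b.c.d port n" fails to match (line skipped)
# instead of getting some arbitrary address blocked. Protocol-1 lines lacked " ssh2".
AUTHLOG_RE = /Failed password for (?:illegal|invalid) user \S+ from #{IPV4} port \d+(?: ssh2)?\s*$/
BLOCKER_RE = /\AX: #{IPV4} added to blocked list/
DEFAULT_WHITELIST = ['127.0.0.1'].freeze

# Parse the -w argument: a comma-separated list of IPs, stray whitespace tolerated.
def parse_whitelist(arg)
  arg.split(',').map(&:strip).reject(&:empty?)
end

# Reject anything the regex accepted that is not a real IPv4 address (e.g. 999.1.1.1)
# before it is ever handed to pfctl.
def valid_ipv4?(str)
  IPAddr.new(str).ipv4?
rescue IPAddr::InvalidAddressError
  false
end

# Candidate IPs from text in one of the two formats, minus whitelisted and
# malformed addresses, duplicates collapsed, first-seen order preserved.
def candidates(text, source = :authlog, whitelist = DEFAULT_WHITELIST)
  re = source == :authlog ? AUTHLOG_RE : BLOCKER_RE
  white = whitelist.to_set
  text.each_line
      .map { |line| line[re, 1] }
      .compact
      .select { |ip| valid_ipv4?(ip) && !white.include?(ip) }
      .uniq
end

# pfctl invocations as argument arrays ("sshscan" is the README's default table).
# Passing an array to Kernel#system bypasses the shell, so nothing in the log can
# become shell syntax.
def pfctl_add_args(ips, table = 'sshscan')
  ips.map { |ip| ['pfctl', '-t', table, '-T', 'add', ip] }
end

# Dry run by default; apply: true really runs pfctl (needs root and pf on OpenBSD).
def apply_block(ips, table: 'sshscan', apply: false)
  pfctl_add_args(ips, table).each do |argv|
    if apply
      system(*argv) or warn "failed: #{argv.join(' ')}"
    else
      puts argv.join(' ')
    end
  end
  ips
end

if $PROGRAM_NAME == __FILE__
  ips = candidates(SAMPLE_AUTHLOG)          # authlog mode, default whitelist
  apply_block(ips)                          # prints the pfctl commands
  ips.each { |ip| puts "X: #{ip} added to blocked list" }   # ssh_blocker log format
  # --logpath mode with a -w style whitelist:
  apply_block(candidates(SAMPLE_BLOCKER_LOG, :blocker, parse_whitelist('192.0.2.9,10.1.1.3')))
end
```

Running it as-is only prints the pfctl commands; switch `apply: false` to `apply: true` on an OpenBSD box with the table declared in pf.conf to actually populate it. Note the whitelist is matched per address after parsing, so the same host appearing in several log lines is blocked once, and 127.0.0.1 is skipped even though it shows up as a failed login.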