ssh_blocker for OpenBSD and Packet Filter
Juan J. Martinez
http://www.usebox.net/jjm/ssh_blocker/
http://blackshell.usebox.net/pub/shell/

*ABOUT*

This is a simple shell script that dynamically filters people trying to log in to an ssh account using common usernames/passwords.

The main idea is based on a script with the same functionality coded in Python by Francisco de Borja Lopez Rio (Wu) - http://www.e-shell.org/

*USAGE*

By default the script uses the sshscan table and scans /var/log/authlog. You can change this with the -t pf_table and -a authlog_path switches.

Using the defaults, add a table to your /etc/pf.conf:

    table <sshscan> persist

and block the IPs in this table:

    block in log quick on $OUT_IF proto tcp from <sshscan> to any port 22

Once pf is set up, copy ssh_blocker.sh to your /root/bin directory, chown it root:wheel and chmod it 500.

Then add a cron job to root's crontab to execute the script on a time basis:

    0 */5 * * * /root/bin/ssh_blocker.sh >> /var/log/ssh_blocker.log

*TIPS*

To make the script more effective, use the sshd_config directive "AllowUsers" so that valid users who are not allowed to log in (such as root) appear as "Failed password for illegal user" (because of AllowUsers). Just add the allowed users to AllowUsers :) and the rest will become illegal users.

You can get IPs from ssh_blocker's own logs instead of the authlog logs using the -l log_path switch (after a reboot the pf table will be empty, and you may have rotated your authlog logs; this way you can easily restore the blocked IPs by running ssh_blocker manually against its own log).

*WHITE LISTS*

By default 127.0.0.1 will never be added to the blocked list. You can add more IPs to this "white list" with -w IP_for_white_list, e.g.:

    ssh_blocker.sh -w 192.168.0.1 -w 10.1.1.3

In that example the IPs 192.168.0.1 and 10.1.1.3 will never be blocked.

*LICENSE*

This script is Free Software, check the source for further details.

*EOF*
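
Added example, not part of ssh_blocker.sh or its README: a sketch of the authlog filtering and white list behaviour described under USAGE, TIPS and WHITE LISTS. The helper name find_offenders, the constructed log lines, the end-of-line field matching and the extra match on the "invalid user" wording of newer OpenSSH releases are assumptions; the real script may parse the log differently.

```shell
#!/bin/sh
# Added illustration, not ssh_blocker.sh itself. Log lines are constructed
# and use documentation/private address ranges.
SAMPLE_AUTHLOG='Mar  3 10:01:12 gw sshd[4101]: Failed password for illegal user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:01:15 gw sshd[4101]: Failed password for illegal user test from 203.0.113.7 port 40113 ssh2
Mar  3 10:02:40 gw sshd[4120]: Failed password for illegal user root from 192.168.0.1 port 51200 ssh2
Mar  3 10:03:02 gw sshd[4133]: Failed password for jjm from 198.51.100.9 port 33812 ssh2
Mar  3 10:04:18 gw sshd[4150]: Failed password for invalid user oracle from 198.51.100.23 port 60001 ssh2
Mar  3 10:04:30 gw sshd[4155]: Failed password for illegal user x from 192.0.2.50 from 203.0.113.99 port 4242 ssh2
Mar  3 10:05:00 gw sshd[4161]: Accepted publickey for jjm from 198.51.100.9 port 33900 ssh2'

# find_offenders WHITELIST   (hypothetical helper name)
# Reads authlog lines on stdin and prints each offending source IP once.
# WHITELIST is a space-separated list; 127.0.0.1 is always included.
find_offenders() {
    awk -v wl="127.0.0.1 $1" '
        BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        /Failed password for (illegal|invalid) user / {
            # The user name is client-supplied text, so take the address
            # from the fixed tail sshd writes: "from IP port N ssh2".
            if (NF < 5 || $(NF-4) != "from" || $(NF-2) != "port") next
            ip = $(NF-3)
            # Dotted-quad only: nothing else may reach a pfctl argument.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (!(ip in skip) && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# On the firewall the output would feed the pf table, e.g.:
#   find_offenders "192.168.0.1" < /var/log/authlog |
#       while read -r ip; do pfctl -t sshscan -T add "$ip"; done
printf '%s\n' "$SAMPLE_AUTHLOG" | find_offenders "192.168.0.1 10.1.1.3"
```

The sixth sample line carries an address inside the user name; only the address in the trailing "from IP port N ssh2" fields is reported, so 192.0.2.50 is not listed.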