What's sshdautoban?
Sshdautoban is a Perl script intended to ban, in real time, users who are trying to brute-force your SSH service.
How?
The script listens on a local port for the events that syslog-ng filters and forwards to it.
It receives the error lines as soon as the daemon logs them and bans the IP address if it matches the rules you have defined.
You can set the number of invalid attempts, the minimum and maximum number of seconds over which they occur, the error string to match, and the ban type.
Ban types supported are:
- hosts
- iptables
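
The rule matching described above, as an added Python example (not sshdautoban's own Perl code): it counts failures per address inside a time window and renders the ban for either ban type. Assumptions: the OpenSSH "Failed password" message format, a single window instead of the min/max pair, "hosts" meaning a hosts.deny entry, and all names (AutoBan, ban_action, run) are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Anchored at the end of the line: sshd writes the real source address last,
# so text smuggled in through the username cannot choose which IP is banned.
FAILED = re.compile(r"Failed password for .* from (\S+) port \d+ ssh2$")

class AutoBan:
    def __init__(self, max_attempts=3, window=60, allow=("127.0.0.1",)):
        self.max_attempts = max_attempts   # invalid attempts before a ban
        self.window = window               # seconds in which they must occur
        self.allow = {ipaddress.ip_address(a) for a in allow}  # never banned
        self.seen = defaultdict(deque)     # ip -> timestamps of recent failures
        self.banned = set()

    def feed(self, ts, message):
        """Process one event; return the IP to ban now, or None."""
        m = FAILED.search(message)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:                 # captured text is not an IP address
            ip = None
        if ip is None or ip in self.allow or ip in self.banned:
            return None
        hits = self.seen[ip]
        hits.append(ts)
        while ts - hits[0] > self.window:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= self.max_attempts:
            self.banned.add(ip)
            return str(ip)
        return None

def ban_action(ip, ban_type):
    """Render the ban; 'hosts' is assumed to mean a hosts.deny entry."""
    actions = {"hosts": f"sshd: {ip}", "iptables": f"iptables -I INPUT -s {ip} -j DROP"}
    return actions[ban_type]

# Constructed sample events: (seconds, message as forwarded by syslog-ng).
EVENTS = [
    (0, "Failed password for root from 203.0.113.7 port 40001 ssh2"),
    (5, "Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2"),
    (8, "Failed password for invalid user a from 192.0.2.10 port 1 ssh2 from 203.0.113.7 port 40003 ssh2"),
    (9, "Failed password for bob from 198.51.100.4 port 40100 ssh2"),
]

def run(events, ban_type="iptables", **rules):
    ab = AutoBan(**rules)
    return [ban_action(ip, ban_type) for ts, msg in events if (ip := ab.feed(ts, msg))]
```

The third sample event carries a forged "from 192.0.2.10" inside the username; the end-anchored pattern still attributes it to 203.0.113.7, and the allow list keeps a trusted address from being locked out.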
On what system does it run?
It has been successfully tested on Linux and Solaris. The only dependencies are Perl and syslog-ng.
Is it resource-hungry?
Running 24/7 and banning 10 IPs per day, the script takes roughly 5 MB of RAM.
What's planned for the future?
The script will be improved to support more software firewalls (e.g. ipf) and to be compatible with more *nix flavors.
In the future it will also be possible to make it ban for other types of services, such as HTTP and FTP.
Check out the documentation for complete information.
