[TriLUG] Re: Host Blocking
Lance A. Brown
lance at bearcircle.net
Wed Jan 5 22:34:31 EST 2005
Here is a hack a friend of mine came up with:
A swatch.rc file:

    perlcode my $ssh_regex = 'Failed password for root from ([0-9\.]+).*ssh';
    watchfor /$ssh_regex/
        exec /sbin/ipfw add 5 deny ip from $1 to any
        mail YourAddress at domain.com,subject=Illegal_ssh_attempt

You can run swatch on your messages log and have systems that try to ssh
into root on your system blocked via ipchains/iptables/ipfw. Adapt for
your specific needs.
--[Lance]
--
Carolina Spirit Quest http://www.carolinaspiritquest.org/
Celebrate The Circle http://www.celebratethecircle.org/
My LiveJournal http://www.livejournal.com/users/labrown/
GPG Fingerprint: 409B A409 A38D 92BF 15D9 6EEE 9A82 F2AC 69AC 07B9
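
Added example, not part of the original message or of the swatch.rc it quotes: the same block-on-failed-root-login idea as Python detection logic, going slightly beyond the one-line rule by anchoring the match to the whole syslog line, validating the captured address, skipping an allowlist, and requiring several failures before blocking. The log lines, allowlist range, threshold and function names are constructed for illustration; the ipfw rule is the one from the swatch.rc above.

```python
import ipaddress
import re
from collections import Counter

# Anchored at both ends of a syslog line, so the address is taken only from
# the position where sshd writes the peer address, never from other fields.
FAILED_ROOT = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for root from (\S+) port \d+ ssh2?$"
)
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # assumed admin range
THRESHOLD = 3  # assumed: failures required before a host is blocked

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Jan  5 22:10:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan  5 22:10:03 gw sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan  5 22:10:05 gw sshd[812]: Failed password for root from 203.0.113.7 port 4030 ssh2
Jan  5 22:11:00 gw sshd[820]: Failed password for root from 198.51.100.9 port 5101 ssh2
Jan  5 22:12:00 gw sshd[830]: Failed password for root from 192.0.2.15 port 6000 ssh2
Jan  5 22:12:02 gw sshd[830]: Failed password for root from 192.0.2.15 port 6000 ssh2
Jan  5 22:12:04 gw sshd[830]: Failed password for root from 192.0.2.15 port 6000 ssh2
Jan  5 22:13:00 gw sshd[840]: Failed password for alice from 203.0.113.50 port 7000 ssh2
Jan  5 22:14:00 gw sshd[850]: Failed password for root from 999.1.1.1 port 7100 ssh2
""".splitlines()

def hosts_to_block(lines, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return addresses with >= threshold failed root logins, allowlist excluded."""
    counts = Counter()
    for line in lines:
        m = FAILED_ROOT.match(line.rstrip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))  # rejects malformed addresses
        except ValueError:
            continue
        if not any(addr in net for net in allowlist):
            counts[str(addr)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def ipfw_rule(ip):
    """Argument list for the ipfw rule from the swatch.rc (no shell involved)."""
    return ["/sbin/ipfw", "add", "5", "deny", "ip", "from", ip, "to", "any"]

if __name__ == "__main__":
    for ip in hosts_to_block(SAMPLE_LOG):
        print(" ".join(ipfw_rule(ip)))  # pass the list to subprocess.run() to apply
```

Run as a script it only prints the rules it would add, so the result can be reviewed before anything is blocked.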