"SfR Fresh" - the SfR Freeware/Shareware Archive

Member "blocksshd-1.3/blocksshd.man" of archive blocksshd-1.3.tar.gz:


Caution: As a special service "SfR Fresh" has tried to format the requested manual source page into HTML format but links to other man pages may be missing or even errorneous. Alternatively you can here view or download the uninterpreted manual source code. That can be also achieved for any archive member file by clicking within an archive contents listing on the first character of the file(path) respectively on the according byte size field.

BLOCKSSHD

Section: User Commands (1)

NAME

blocksshd - Blocks brute force SSH attacks using iptables.  

SYNOPSIS

blocksshd [-d --daemon --start] [--stop] [-h --help] [-v --version]  

DESCRIPTION

This manual page documents the Blocksshd script.

Blocksshd is a Perl script based on BruteForceBlocker v1.2.3 that dynamically adds iptables rules on Linux and pf firewall rules on BSD to block SSH brute force attacks. It can also detect ProFTPd login failures. BlockSSHD monitors a log file you specify, for example /var/log/secure on a Red Hat system, for SSH login failure messages. When it detects a failure message it records the source IP address and starts a counter. Each further failure message from the same source IP address increments that counter. When the counter reaches a user-specified threshold, the script adds a firewall rule blocking SSH connections from that source IP address. A user-specified time-out controls when the counter is reset: if the counter has not yet reached the blocking threshold and a new login failure message arrives, BlockSSHD compares the time of the last increment with the current time minus the time-out period; if the last increment is older than that, the counter is reset rather than incremented. The time-out defaults to 600 seconds (10 minutes).

The BlockSSHD script can also unblock IP addresses after a set period. This is enabled in the blocksshd.conf configuration file using the unblock option, with the period set using the unblock_timeout option.

The BlockSSHD script can also log the blocked IP addresses to a file and re-apply them when the script is restarted. This allows you to restore previously blocked IP addresses after a restart or after your firewall rules have been flushed. If both the unblock function and the re-block function are enabled, an IP address is also removed from the log file when it is unblocked.
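The counting and reset rule described above, as an added Python model that is not part of the blocksshd distribution (which is a Perl script): the sshd log lines are constructed, the defaults mirror the max_attempts and timeout directives, and a reset is assumed to restart the count at one with the current failure. It only reports which addresses cross the threshold; it does not touch iptables or pf.

```python
import re
from datetime import datetime

# Constructed sample of sshd messages in the /var/log/secure format blocksshd watches.
SAMPLE_LOG = """\
Mar  1 10:00:00 bastion sshd[100]: Failed password for root from 203.0.113.7 port 4000 ssh2
Mar  1 10:00:05 bastion sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Mar  1 10:00:09 bastion sshd[102]: Failed password for root from 203.0.113.7 port 4002 ssh2
Mar  1 10:00:12 bastion sshd[103]: Failed password for root from 198.51.100.4 port 5000 ssh2
Mar  1 10:00:13 bastion sshd[104]: Accepted password for alice from 192.0.2.9 port 6000 ssh2
Mar  1 10:20:00 bastion sshd[105]: Failed password for root from 198.51.100.4 port 5001 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
FAIL_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")
BASE = datetime(1900, 1, 1)  # strptime without %Y yields year 1900; only differences matter

class FailureTracker:
    """Per-source-IP failure counter with blocksshd's timeout-reset rule."""
    def __init__(self, max_attempts=3, timeout=600, whitelist=()):
        self.max_attempts, self.timeout = max_attempts, timeout
        self.whitelist = set(whitelist)
        self.counts = {}    # ip -> (failures, time of last increment)
        self.blocked = {}   # ip -> time the block decision was made

    def observe(self, line):
        """Process one log line; return the IP if it just crossed the threshold."""
        m = LINE_RE.match(line)
        if not m:
            return None
        now = (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - BASE).total_seconds()
        f = FAIL_RE.search(m.group(2))
        if not f:
            return None                          # not a login failure
        ip = f.group(1)
        if ip in self.whitelist or ip in self.blocked:
            return None
        count, last = self.counts.get(ip, (0, now))
        if now - last > self.timeout:            # last increment too old: reset, don't increment
            count = 0
        count += 1
        self.counts[ip] = (count, now)
        if count >= self.max_attempts:           # threshold reached: this is where a rule would be added
            self.blocked[ip] = now
            del self.counts[ip]
            return ip
        return None

def run(log_text, **kw):
    """Feed every line through a tracker; return (blocked IPs in order, tracker)."""
    t = FailureTracker(**kw)
    blocked = [ip for ip in map(t.observe, log_text.splitlines()) if ip]
    return blocked, t
```

With the sample, 203.0.113.7 is blocked on its third failure, while 198.51.100.4's second failure arrives 20 minutes later, so its counter is reset to 1 instead of reaching 2.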

PRE-REQUISITES

BlockSSHD requires the following CPAN modules:


*) Sys::Syslog - often comes with Perl and may already be installed;
*) Sys::Hostname - often comes with Perl and may already be installed;
*) File::Tail;
*) Net::DNS;
*) Proc::Daemon;
*) Proc::PID::File;
*) Getopt::Long;

Please install them prior to running BlockSSHD.

OPTIONS

-d, --daemon, --start
Start BlockSSHD in daemon mode
--stop
Stop BlockSSHD
-h, --help
Print help text
-v, --version
Print the version number

EXAMPLES

Start BlockSSHD

blocksshd --start

Stop BlockSSHD

blocksshd --stop

Configuration File

The blocksshd.conf configuration file contains a number of directives, which are listed below.


*) os - Specify the operating system BlockSSHD will run under. Use linux for Linux and bsd for BSD
*) pid_file - Location of the BlockSSHD PID file
*) send_email - Enable the sending of email notifications
*) email - Email address to send email notifications to
*) chain - Name of the iptables chain to hold the rules
*) logfile - Log file to monitor for SSH login failure messages
*) logcheck - Interval in seconds between checks of the log file
*) max_attempts - Maximum number of failures before an IP address is blocked
*) timeout - Time in seconds without activity after which an IP address's failure counter is reset
*) unblock - Enable unblocking functionality
*) unblock_timeout - Period in seconds after blocking after which an IP address is unblocked
*) restore_blocked - Enable this option to log blocked IP addresses and re-block them when BlockSSHD is restarted
*) log_ips - Location of the blocked IP address log file
*) mail - Location of the mail binary used to send emails
*) email_whois_lookup - Enable a WHOIS lookup of the blocked IP address to be included in the blocking notification
*) whois - Location of the whois binary
*) sed - Location of the sed binary
*) iptables - Location of the iptables binary
*) pfctl - Location of the pfctl binary
*) whitelist - A list of IP addresses that you never want blocked

AUTHORS

This manual page was written by James Turnbull <james@lovedthanlost.net>
