PRE-REQUISITES

BlockSSHD requires the following CPAN modules:

*) Sys::Syslog - often comes with Perl and may already be installed;
*) Sys::Hostname - often comes with Perl and may already be installed;
*) File::Tail;
*) Tie::File;
*) Net::DNS;
*) Net::Subnets;
*) Getopt::Long;

Please install them prior to running BlockSSHD.

INSTALLATION

1) BlockSSHD can work with iptables on Linux or pf on BSD. Depending on which you use, you will need to add a new chain and/or rule to your iptables or pf firewall that directs incoming SSH connections to the blocking rules.

1.1) iptables

For iptables firewalls you can create a new chain like so:

$ iptables -N

where the chain name is the name of the iptables chain specified in the configuration file. Then you can create the re-direction rule like so:

$ iptables -I INPUT -p tcp -m tcp --dport 22 -j

If you wish to block FTP logins using ProFTPd then you can add port 21 to the above rule or add an additional rule.

This rule selects all incoming SSH connections on port 22 and redirects them to the BlockSSHD chain. Your blocking rules will be placed in that chain, and if the source IP address of an incoming connection matches a blocking rule in the chain then the connection will be dropped. The rule will need to be placed above any other incoming SSH rules to ensure all incoming SSH connections are jumped to the blocking chain. If you use a distribution like Red Hat or Mandrake that has automated/GUI tools to construct your iptables rule base, you will need to add this rule using that mechanism.

In both example iptables commands the chain name is the name of the BlockSSHD chain. The name of this chain also needs to be defined in the blocksshd.conf configuration file. BlockSSHD also checks for the presence of this chain each time it is started and will re-create it if it has been deleted. All blocking rules in the chain will also be flushed each time BlockSSHD is started.

1.2) pf

For the pf firewall you will need to add a rule to block IP addresses listed in the target table like so:

block in on $ext_if proto tcp from to me port { 21,22 }

The above rule blocks brute force login attacks on both port 21 and 22 and can prevent brute force attacks using both SSH and ProFTPd.

2) Install the configuration file into the /etc directory and the script into /usr/sbin (or similar directories in your environment; however, you will then need to adjust the script to reflect the new locations of these files). This installation can be done using the following command:

# make install

To install a Red Hat-style init script into /etc/rc.d/init.d use:

# make init

3) Adjust the configuration file to suit your environment (see the CONFIGURATION section).

4) BlockSSHD also logs to syslog. It uses a program name of blocksshd and a facility of auth. You can use this combination to direct the syslog messages from BlockSSHD to a specific file or location.

5) You're done.

CONFIGURATION

All configuration is held in an external file, blocksshd.conf. This file is usually located in the /etc/ directory, but this can be overridden in the script. There are a number of configuration directives located in this file and these are listed below.

*) os - Specify the operating system BlockSSHd will run under. Use linux for Linux and bsd for BSD
*) pid_file - Location of the BlockSSHd PID file
*) send_email - Enable the sending of email notifications
*) email - Email address to send email notifications to
*) chain - Name of the iptables chain to hold the rules
*) logfile - Log file to monitor for SSH login failure messages
*) logcheck - Interval to check the log file, in seconds
*) max_attempts - Maximum number of failures before blocking an IP
*) timeout - Time without activity after which IP counts are reset, in seconds
*) unblock - Enable unblocking functionality
*) unblock_timeout - Period in seconds since blocking after which an IP address is unblocked
*) restore_blocked - Enable this option to log blocked IP addresses and then re-block them when BlockSSHd is restarted
*) log_ips - Location of the blocked IP address log file
*) mail - Location of the mail binary used to send emails
*) email_whois_lookup - Enable WHOIS lookup of the blocked IP address to be included in the blocking notification
*) whois - Location of the whois binary
*) sed - Location of the sed binary
*) iptables - Location of the iptables binary
*) pfctl - Location of the pfctl binary
*) whitelist - A list of IP addresses that you never want blocked
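The blocking decision that the max_attempts, timeout and whitelist directives describe, shown as an added Python example (not BlockSSHD's own Perl code) run over a few constructed OpenSSH-style auth log lines. The "Failed password ... from IP" line format and the year pinned onto the syslog timestamps are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# OpenSSH "Failed password" line as found in an auth log (assumed format).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts):
    # Syslog timestamps carry no year; pin one (assumption) so deltas work.
    return datetime.strptime("2024 " + ts, "%Y %b %d %H:%M:%S")

def ips_to_block(lines, max_attempts, timeout, whitelist=()):
    """Return, in order, the IPs that reach max_attempts failures. The per-IP
    counter is reset when more than `timeout` seconds pass without a failure
    from that IP, and addresses inside a whitelisted network are never blocked."""
    nets = [ip_network(w) for w in whitelist]
    counts = {}    # ip -> (failures, time of last failure)
    blocked = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, seen = m.group("ip"), parse_ts(m.group("ts"))
        if any(ip_address(ip) in net for net in nets):
            continue
        count, last = counts.get(ip, (0, None))
        if last is not None and (seen - last).total_seconds() > timeout:
            count = 0  # inactivity longer than `timeout`: start over
        count += 1
        counts[ip] = (count, seen)
        if count >= max_attempts and ip not in blocked:
            blocked.append(ip)
    return blocked

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Mar 13 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 13 10:00:02 bastion sshd[2202]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 13 10:00:03 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2
Mar 13 10:00:05 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar 13 10:00:06 bastion sshd[2203]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 13 10:31:00 bastion sshd[2204]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar 13 10:31:04 bastion sshd[2206]: Failed password for bob from 192.0.2.5 port 50001 ssh2
Mar 13 10:31:05 bastion sshd[2206]: Failed password for bob from 192.0.2.5 port 50002 ssh2
Mar 13 10:31:06 bastion sshd[2206]: Failed password for bob from 192.0.2.5 port 50003 ssh2
""".splitlines()
```

With max_attempts 3, timeout 600 and whitelist ["192.0.2.0/24"], only 198.51.100.7 is blocked: 203.0.113.9 has its count reset by the 30-minute gap, and 192.0.2.5 is whitelisted.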