=====================
# S S H B L O C K #
=====================

UPDATED 2006-11-11
------------------
Version 2 of SSH Block has been released!
SSH Block version two, simply called sshblock2, is a total rewrite of the
code with many improvements! Please check it out, it's in the sshblock2
directory!

-------------------------------------------------------------------------------

The info below is for the old versions 1 and 0.X

Fixed the problem with Invalid vs. Illegal user. The script should now run
out of the box on most Linux systems; the TCP Wrapper version should also run
on most *NIX systems such as *BSD. So there is no longer any need to modify
the script to match your system's Invalid vs. Illegal user in
/var/log/messages vs. /var/log/secure.

History:
SSH Block is a small shell script I wrote to block the IPs of ssh probing
hosts. It all began when I got my ADSL line from my ISP and noticed how my
log files kept growing with Invalid user login attempts.

How it works:
It's a rather simple script: it greps for the "Invalid user" line from
/var/log/messages, then some formatting is done with sed and awk, and finally
the result is put into an iptables command (or hosts.deny and hosts.allow if
you use the TCP Wrapper version).

NOTE: The "original" version uses iptables. The TCP Wrapper version should
work on general *nix and not just Linux. (A FreeBSD port is now available in
the freebsd directory. There is also a Solaris port and a Mac OS X port
available now, in their respective directories.) Versions 0.xx use IPTABLES
and tcp_1.x use TCP Wrapper.

NOTE: The FreeBSD, Solaris and Mac OS X ports use the TCP Wrapper.

Known issues:
UPDATED 2005-04-18:
You no longer need to modify the script for "Invalid user" vs. "Illegal user"
and /var/log/messages vs. /var/log/secure. The script now looks for both
"Invalid user" in /var/log/messages and "Illegal user" in /var/log/secure.
As of version 0.23 and TCP_1.1 this fix is applied.

OLD ISSUE
My Linux system is Slackware Linux, therefore I wrote the script to look for
"Invalid user" in /var/log/messages. If you use, for example, a RedHat based
distro you have to change this to "Illegal user" and /var/log/secure.
Maybe in the future I'll add a function to search for both "Invalid" and
"Illegal" in /var/log/messages and /var/log/secure.

Hope you find my SSH Block script useful!
Any suggestions or improvements are welcome!

//Jack-Benny
jake@cyberinfo.se
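
Added example, not part of SSH Block and not written by its author: the
log-to-hosts.deny step described under "How it works", as a shell function run
over constructed log lines. The threshold, the allow list and the function
names are assumptions; it handles IPv4 only and prints the entries instead of
editing /etc/hosts.deny.

```shell
#!/bin/sh
# Added example (not SSH Block's code): list hosts.deny entries for sshd probes.
# Reads syslog text on stdin and only prints; it changes nothing on the system.
THRESHOLD=3            # assumed: failed attempts before a host is listed
ALLOW="192.0.2.10"     # assumed: space-separated addresses that are never listed

deny_lines() {
    awk -v min="$THRESHOLD" -v allow="$ALLOW" '
    function valid_ipv4(s,   o, k) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        split(s, o, ".")
        for (k = 1; k <= 4; k++) if (o[k] > 255) return 0
        return 1
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    # Only sshd lines with either wording the README mentions.
    /sshd\[[0-9]+\]: (Invalid|Illegal) user / {
        line = $0
        sub(/ port [0-9]+$/, "", line)   # newer sshd appends the source port
        # The user name is chosen by the remote client and may contain spaces,
        # so the address is whatever follows the LAST " from " on the line.
        idx = 0
        while ((p = index(substr(line, idx + 1), " from ")) > 0) idx += p
        if (idx == 0) next
        ip = substr(line, idx + 6)
        if (!valid_ipv4(ip) || (ip in skip)) next
        count[ip]++
    }
    END { for (ip in count) if (count[ip] >= min) print "sshd: " ip }
    ' | LC_ALL=C sort
}

sample_log() {   # constructed log lines using documentation address ranges
    cat <<'EOF'
Nov 11 10:00:01 gw sshd[2101]: Invalid user admin from 203.0.113.5
Nov 11 10:00:03 gw sshd[2102]: Invalid user test from 203.0.113.5
Nov 11 10:00:05 gw sshd[2103]: Illegal user oracle from 203.0.113.5
Nov 11 10:00:09 gw sshd[2104]: Invalid user guest from 198.51.100.7 port 40022
Nov 11 10:01:00 gw sshd[2105]: Invalid user a from 192.0.2.10
Nov 11 10:01:01 gw sshd[2106]: Invalid user b from 192.0.2.10
Nov 11 10:01:02 gw sshd[2107]: Invalid user c from 192.0.2.10
Nov 11 10:02:00 gw sshd[2108]: Invalid user x from 198.51.100.99 from 203.0.113.77
EOF
}

sample_log | deny_lines    # prints: sshd: 203.0.113.5
```

Keeping your own management address in ALLOW prevents a mistyped login from
locking you out of the host.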