The sshblack script is a real-time security tool for secure shell (ssh). It monitors *nix log files for suspicious activity and reacts appropriately to aggressive attackers by adding them to a "blacklist" created using various firewalling tools -- such as iptables -- available in most modern versions of Unix and Linux. The blacklist is simply a list of source IP addresses that are prohibited from making ssh connections to the protected host. Once a predetermined amount of time has passed, the offending IP address is removed from the blacklist.
What counts as an "attack" is determined by a variable in the source code: a pattern that each log line is matched against. This is usually a character string like "Failed password" or "Illegal user", but it can be anything the administrator considers undesirable activity.
- Command-line Firewalling. Ideally this should be iptables. However, for those of you with older kernels, you can easily modify it to work with ipchains or even route.
- Existing chain in iptables for the blacklist (if you choose to use iptables). This is currently configured as BLACKLIST but you can name it whatever you want. You are welcome to configure the script to add blocks to the default INPUT chain in which case you will not need a custom chain. Also make sure you actually run packets through the chain in your firewall config or it won't do much good!
- Root (superuser) access. Required for the iptables calls and access to the logs.
- [Daemon version only] Perl Module Proc::Daemon which is available from CPAN.
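The following is an added example, not sshblack's own code, showing the pieces described above in plain POSIX shell: the attack pattern applied to log lines with a per-source threshold, the BLACKLIST chain and the INPUT jump that makes packets actually traverse it, and a cache file that lets an address be unblocked once its time is up. It assumes the chain is called BLACKLIST, that sshd logs in the syslog format of the constructed sample lines, that the cache holds one "ip unix-timestamp" pair per line, and that DRY_RUN=1 prints the iptables commands instead of running them (none of these names come from the original page).

```shell
#!/bin/sh
# Added example (not sshblack's own code). Assumptions: chain BLACKLIST,
# syslog-style sshd lines as in SAMPLE_LOG, cache lines of "ip timestamp",
# and DRY_RUN=1 to print iptables commands rather than execute them.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-BLACKLIST}"
THRESHOLD="${THRESHOLD:-3}"       # matches before an address is blocked
EXPIRE="${EXPIRE:-3600}"          # seconds an address stays blocked
CACHE="${CACHE:-/tmp/sshblack-example.cache}"
PATTERN="${PATTERN:-Failed password|Illegal user}"   # the "attack" definition

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2
Mar  1 10:00:05 host sshd[1003]: Illegal user oracle from 203.0.113.7
Mar  1 10:00:07 host sshd[1004]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
Mar  1 10:00:09 host sshd[1005]: Failed password for alice from 198.51.100.9 port 40001 ssh2'

# Run iptables, or print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# One-time setup: create the chain and make INPUT traverse it for ssh
# traffic. Without the jump the chain exists but blocks nothing.
setup_chain() {
    run -N "$CHAIN"
    run -I INPUT -p tcp --dport 22 -j "$CHAIN"
}

# Read log text on stdin; print "count ip" for every source address that
# matched PATTERN at least THRESHOLD times.
offenders() {
    grep -E "$PATTERN" \
        | sed -n 's/.* from \([0-9.][0-9.]*\).*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$THRESHOLD" '$1 >= t { print $1, $2 }'
}

# Add a DROP rule for one address and record when it was added.
blacklist_ip() {
    run -A "$CHAIN" -s "$1" -j DROP
    printf '%s %s\n' "$1" "$(date +%s)" >> "$CACHE"
}

# Remove the DROP rule for one address (cache is maintained by expire_old).
unblacklist_ip() {
    run -D "$CHAIN" -s "$1" -j DROP
}

# Read log text on stdin and block every offender not already in the cache.
scan_and_block() {
    offenders | while read -r _count ip; do
        awk -v ip="$ip" '$1 == ip { f = 1 } END { exit !f }' "$CACHE" 2>/dev/null && continue
        blacklist_ip "$ip"
    done
}

# Remove rules for cache entries older than EXPIRE seconds; keep the rest.
expire_old() {
    [ -f "$CACHE" ] || return 0
    now=$(date +%s)
    : > "$CACHE.tmp"
    while read -r ip stamp; do
        if [ $((now - stamp)) -ge "$EXPIRE" ]; then
            unblacklist_ip "$ip"
        else
            printf '%s %s\n' "$ip" "$stamp" >> "$CACHE.tmp"
        fi
    done < "$CACHE"
    mv "$CACHE.tmp" "$CACHE"
}

# Usage (dry run, nothing touches the firewall):
#   DRY_RUN=1 sh -c '. ./example.sh; setup_chain;
#                    printf "%s\n" "$SAMPLE_LOG" | scan_and_block; expire_old'
```

With the sample lines and the default threshold of 3, only 203.0.113.7 is blocked: it produced two "Failed password" lines and one "Illegal user" line, while 198.51.100.9 has a single failure and stays off the list. Running the scan a second time emits nothing because the address is already cached, and `expire_old` issues the matching `-D` once the entry is older than EXPIRE seconds. In real use the functions run as root, and the cache file and chain name should match whatever the `list`/`unlist` utilities operate on.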
Presented below are packages in source and binary form.
Some utility scripts are included in the package because people were asking for them.
- list -- manually adds an IP address to the blacklist and modifies the $CACHE file accordingly
- unlist -- manually remove an IP address from the blacklist and the $CACHE file
- bl -- a manual blacklisting tool (one liner that modifies the iptables configuration only)
- unbl -- a manual UNblacklisting tool (one liner that modifies the iptables configuration only)
- iptables-setup -- a few shell commands to set up the iptables chains if you don't want to do it manually.