File Date Author Commit
 init 2007-08-08 kartar [r52] Version 1.2 changes
 CHANGELOG 2008-06-27 kartar [r55] Version 1.3 update
 CREDITS 2007-04-12 kartar [r47] Updated CREDITS file
 INSTALL 2007-08-08 kartar [r52] Version 1.2 changes
 Makefile 2007-08-08 kartar [r52] Version 1.2 changes
 Makefile.dist 2007-04-12 kartar [r46] Updated to 1.1-1
 README 2007-08-08 kartar [r52] Version 1.2 changes
 VERSION 2008-06-27 kartar [r55] Version 1.3 update
 blocksshd 2008-06-27 kartar [r55] Version 1.3 update
 blocksshd.conf 2007-08-08 kartar [r52] Version 1.2 changes
 blocksshd.man 2007-04-04 kartar [r42]
 blocksshd.spec 2008-06-27 kartar [r55] Version 1.3 update


BlockSSHD v1.1

BlockSSHD is a Perl script based on BruteForceBlocker v1.2.3 that dynamically 
adds IPTables rules for Linux and pf firewall rules for BSD that block SSH 
brute force attacks.  It can also detect ProFTPd login failures.

BlockSSHD checks a log file you specify, for example /var/log/secure on a Red 
Hat system, for SSH login failure messages.  If it detects a failure message it 
records the source IP address and starts a counter.  If further messages are
detected from the same source IP address the counter is incremented for each 
message.  When the counter reaches a user-specified threshold the script
adds a firewall rule blocking SSH connections from that source IP address.
A user-specified time-out is also defined to trigger a reset of the counter.  If
the counter has been incremented but has not yet reached the blocking threshold
and a new login failure message arrives, BlockSSHD checks the time-out.  If the 
last increment of the counter occurred earlier than the current time minus the 
time-out period then the counter is reset rather than incremented.  The time-out
defaults to 600 seconds (10 minutes).

The BlockSSHD script can also unblock IP addresses after a period.  This is 
enabled in the blocksshd.conf configuration file using the unblock option, 
with the period set using the unblock_timeout option.

The BlockSSHD script can also log the IP addresses it blocks to a file.  This logging
allows you to re-apply the blocked IP addresses if the host or the script is
re-started.  The log file is not a complete record of all IP addresses ever blocked;
it merely aids in re-applying already blocked IP addresses, and it only logs IP
addresses if the restore_blocked option in the configuration file is set to 1.

If you have both the unblock function and the restore_blocked function enabled,
then when an IP address is unblocked it is also removed from the log file.
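The counter, time-out and unblock behaviour described above, as an added worked example in Python that is not part of BlockSSHD itself (the original is a Perl script). The log lines are constructed samples in the syslog format used by /var/log/secure; the year, the threshold of 3, the class and function names, and the reading that a timed-out counter restarts at 1 for the new failure are all assumptions made for this example. Firewall rules are returned as iptables command strings rather than executed, so the example runs offline.

```python
import re
from datetime import datetime

# Constructed sshd messages in syslog format (hosts, IPs and times are invented).
SAMPLE_LOG = """\
Jun 27 10:00:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Jun 27 10:00:05 host sshd[1002]: Failed password for root from 192.0.2.10 port 4002 ssh2
Jun 27 10:00:09 host sshd[1003]: Failed password for invalid user test from 192.0.2.10 port 4003 ssh2
Jun 27 10:00:12 host sshd[1004]: Accepted publickey for james from 198.51.100.7 port 5000 ssh2
Jun 27 10:00:20 host sshd[1005]: Failed password for root from 203.0.113.5 port 6001 ssh2
Jun 27 10:30:00 host sshd[1006]: Failed password for root from 203.0.113.5 port 6002 ssh2
Jun 27 10:30:03 host sshd[1007]: Failed password for root from 203.0.113.5 port 6003 ssh2
"""

# Matches the sshd "Failed password" message and captures timestamp and source IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)
ASSUMED_YEAR = 2008  # syslog timestamps carry no year; assumption for this example


def parse_ts(text):
    """Turn 'Jun 27 10:00:01' into a datetime (collapsing the double space of single-digit days)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def block_rule(ip):
    """The iptables rule BlockSSHD's approach would install; returned, not executed."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


class BruteForceTracker:
    """Per-source failure counter with time-out reset, threshold blocking and timed unblocking."""

    def __init__(self, threshold=3, timeout=600, unblock_timeout=3600):
        self.threshold = threshold            # failures before a block is added
        self.timeout = timeout                # seconds of silence that reset a counter
        self.unblock_timeout = unblock_timeout  # seconds after which a block is lifted
        self.counts = {}    # ip -> (failure count, time of last increment)
        self.blocked = {}   # ip -> time the block was added
        self.actions = []   # ("block" | "unblock", ip) in the order they happened

    def _expire_blocks(self, now):
        """Lift any block older than unblock_timeout (the unblock option)."""
        for ip, blocked_at in list(self.blocked.items()):
            if (now - blocked_at).total_seconds() >= self.unblock_timeout:
                del self.blocked[ip]
                self.actions.append(("unblock", ip))

    def process_line(self, line):
        """Feed one log line; return ("block", ip) if this line triggered a block."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        now, ip = parse_ts(m.group("ts")), m.group("ip")
        self._expire_blocks(now)
        if ip in self.blocked:
            return None                        # already blocked; nothing more to count
        count, last = self.counts.get(ip, (0, now))
        if (now - last).total_seconds() > self.timeout:
            count = 0                          # time-out elapsed: reset rather than increment
        count += 1                             # (assumption: the new failure starts the fresh count at 1)
        self.counts[ip] = (count, now)
        if count >= self.threshold:
            del self.counts[ip]
            self.blocked[ip] = now
            self.actions.append(("block", ip))
            return ("block", ip)
        return None

    def feed(self, lines):
        """Process many lines and return the list of block/unblock actions taken."""
        for line in lines:
            self.process_line(line)
        return list(self.actions)


if __name__ == "__main__":
    tracker = BruteForceTracker(threshold=3, timeout=600, unblock_timeout=3600)
    for action, ip in tracker.feed(SAMPLE_LOG.splitlines()):
        print(action, ip, "->", block_rule(ip) if action == "block" else "rule removed")
```

With these settings 192.0.2.10 is blocked on its third failure, while 203.0.113.5 never is: its second failure arrives more than 600 seconds after the first, so the counter is reset instead of incremented and only reaches 2. Lowering unblock_timeout to 1200 shows the unblock path, since the 10:30:00 line arrives more than 1200 seconds after the block was added.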
 
The BlockSSHD script has some command line options:

*) -d | --daemon | --start  - Runs the script as a daemon
*) --stop                   - Stops the script
*) -h | --help              - Prints help text
*) -v | --version           - Prints the version

Running the BlockSSHD script without any command line options will start it 
interactively.  If you are having issues with blocksshd you can use the interactive 
mode to debug it.  Another useful debugging option is to run blocksshd like so:

# tail -f /file/blocksshd/logs/to | grep -i blocksshd

You will also find a Red Hat style init script in the init directory.

For installation instructions see the INSTALL file.

Please feel free to email me with any issues - james@hardening-linux.com

Copyright 2006, James Turnbull
Support for pf and whois added by Anton - valqk@webreality.org - http://www.webreality.org
Support for subnets in the whitelist added by Lester Hightower - hightowe@10east.com - http://www.10east.com/

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA 