Automatically blacklist SSH hackers

Configuring and Customizing sshblack


I have gone to the effort of packaging the script up with a README file and an INSTALL file. Please humor me and read them! The README file also has some release notes so you can make sense of the different versions. I have left some of the older versions up here but Version 2.8.1 is the latest.

Due to popular demand, I have made some scripts that can be used to manually blacklist and un-blacklist an IP address while at the same time modifying the $CACHE file used by sshblack. These are called list and unlist. IMPORTANT: These scripts (and sshblack) use no file locking mechanisms. This means there could be a collision between the utilities and sshblack if they try to access the cache file at the same time. I consider this a relatively remote possibility, but you may want to consider it when using them. If necessary, I will try to add file locking in the next version.
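The collision described above is a classic read-modify-write race on a shared file, and the usual fix is an advisory lock that every writer (sshblack itself, list and unlist) takes before touching the cache. The following is an added illustration, not code from sshblack (which is written in Perl) or from its list/unlist helpers; it assumes a made-up cache layout of one "ipaddress,attempt_count,last_seen_epoch" record per line, since the page does not show the real $CACHE format, and the function names are my own.

```python
import fcntl
import os
import tempfile
import time
from pathlib import Path

# Assumed cache layout for this illustration (the page does not show sshblack's
# real $CACHE format): one record per line, "ipaddress,attempt_count,last_seen_epoch".


def _parse(text):
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, count, seen = line.split(",")
        entries[ip] = (int(count), int(seen))
    return entries


def _render(entries):
    return "".join(f"{ip},{count},{seen}\n" for ip, (count, seen) in sorted(entries.items()))


def update_cache(path, mutate, now=None):
    """Read-modify-write the cache under an exclusive advisory lock.

    Every writer (sshblack, list, unlist) must take the same flock on the same
    file for this to work; the lock is released when the handle is closed.
    """
    now = int(time.time()) if now is None else now
    Path(path).touch(mode=0o600, exist_ok=True)
    with open(path, "r+") as fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)   # blocks until any other holder is done
        try:
            entries = mutate(_parse(fh.read()), now)
            fh.seek(0)
            fh.truncate()
            fh.write(_render(entries))
            fh.flush()
            os.fsync(fh.fileno())                 # data on disk before the lock drops
        finally:
            fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    return entries


def list_ip(path, ip, now=None):
    """What a `list` helper would do to the cache: add or bump the entry for ip."""
    def mutate(entries, ts):
        count, _ = entries.get(ip, (0, ts))
        entries[ip] = (count + 1, ts)
        return entries
    return update_cache(path, mutate, now)


def unlist_ip(path, ip, now=None):
    """What an `unlist` helper would do to the cache: drop the entry for ip."""
    def mutate(entries, ts):
        entries.pop(ip, None)
        return entries
    return update_cache(path, mutate, now)


def cache_is_locked(path):
    """True if another process (or open handle) currently holds the cache lock."""
    with open(path, "r") as fh:
        try:
            fcntl.flock(fh.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return True
        fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
        return False


def demo_cache_roundtrip():
    """Exercise the helpers on a throwaway cache file and report what happened."""
    cache = os.path.join(tempfile.mkdtemp(), "sshblack.cache")
    after_first = list_ip(cache, "192.0.2.10", now=1000)["192.0.2.10"]
    after_second = list_ip(cache, "192.0.2.10", now=1005)["192.0.2.10"]
    with open(cache, "r+") as holder:              # simulate sshblack mid-update
        fcntl.flock(holder.fileno(), fcntl.LOCK_EX)
        contended = cache_is_locked(cache)
    free_again = cache_is_locked(cache)
    remaining = unlist_ip(cache, "192.0.2.10")
    return after_first, after_second, contended, free_again, remaining


if __name__ == "__main__":
    print(demo_cache_roundtrip())
```

flock is advisory: it only protects against writers that also take the lock, so the same lock call has to be added to every program that edits the cache, and it does not work reliably on NFS-mounted files.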

Please note that in versions after 2.5 the complete, actual commands used to block and un-block an attacker are available for configuration at the top of the code along with the other custom parameters. Previously only portions of the command were available in the "user configurable parameters". Now, the actual commands are entered as $ADDRULE and $DELRULE. All the administrator needs to do is substitute the literal 'ipaddress' in place of the actual IP address in the command. The script will replace this string with the actual address of the attacker each time it needs to run the command.
For example, if you were going to blacklist the host 192.168.1.123 manually, you would normally enter the following at a command prompt:
        iptables -I BLACKLIST -s 192.168.1.123 -j DROP
So at the top of the sshblack script (in the $ADDRULE definition), this command becomes:
        iptables -I BLACKLIST -s ipaddress -j DROP
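The placeholder mechanism is simple, but the address being substituted is lifted from an auth log line, so it deserves validation before it is handed to a command that runs as root. The example below is an added illustration of that substitution, written in Python rather than sshblack's own Perl; it is not the script's code. The two templates and the literal 'ipaddress' are taken from this page, while expand_rule, run_rule, block, unblock and the _dry_run stand-in runner are my own names.

```python
import ipaddress
import shlex
import subprocess

# The two command templates, taken verbatim from the page's BLACKLIST-chain example.
ADDRULE = "/sbin/iptables -I BLACKLIST -s ipaddress -j DROP"
DELRULE = "/sbin/iptables -D BLACKLIST -s ipaddress -j DROP"
PLACEHOLDER = "ipaddress"   # the literal the administrator writes into the template


def expand_rule(template, address):
    """Return the command as an argv list with a validated address in place of 'ipaddress'.

    The address comes from an auth log line, i.e. from data the attacker influenced,
    so it is parsed with the ipaddress module first: anything that is not a bare
    IPv4/IPv6 address raises ValueError and never reaches the command.
    """
    addr = str(ipaddress.ip_address(address.strip()))
    if PLACEHOLDER not in template:
        raise ValueError("rule template contains no 'ipaddress' placeholder")
    # Substitute inside each token, so the command is never re-parsed by a shell.
    return [tok.replace(PLACEHOLDER, addr) for tok in shlex.split(template)]


def run_rule(template, address, runner=subprocess.run):
    """Expand the template and execute it without a shell; returns the exit status."""
    argv = expand_rule(template, address)
    return runner(argv, check=False).returncode


def block(address, runner=subprocess.run):
    """Apply $ADDRULE for one attacker address."""
    return run_rule(ADDRULE, address, runner)


def unblock(address, runner=subprocess.run):
    """Apply $DELRULE for one address whose block has expired."""
    return run_rule(DELRULE, address, runner)


def _dry_run(argv, check=False):
    """Stand-in runner that only prints what would be executed (no root needed)."""
    print("would run:", " ".join(shlex.quote(a) for a in argv))
    return subprocess.CompletedProcess(argv, 0)


if __name__ == "__main__":
    block("192.168.1.123", runner=_dry_run)
    unblock("192.168.1.123", runner=_dry_run)
    # Constructed bad inputs: none of these may ever be spliced into the command.
    for bad in ("192.168.1.123 extra-token", "not-an-address", ""):
        try:
            expand_rule(ADDRULE, bad)
        except ValueError as exc:
            print("rejected", repr(bad), "->", exc)
```

Running the expanded argv directly (subprocess.run with a list) rather than through a shell means the only thing that can vary at runtime is the validated address; with the _dry_run runner the module can be tested on a machine where you have no rights to change the firewall.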

Below are some examples of $ADDRULE and $DELRULE for various applications.

	## iptables, dropping port 22 directly in the INPUT chain
	my($ADDRULE) = '/sbin/iptables -I INPUT -s ipaddress -p tcp --dport 22 -j DROP';
	my($DELRULE) = '/sbin/iptables -D INPUT -s ipaddress -p tcp --dport 22 -j DROP';

	## iptables, using a dedicated BLACKLIST chain (drops all traffic from the host;
	## the chain must already exist and be jumped to from INPUT)
	my($ADDRULE) = '/sbin/iptables -I BLACKLIST -s ipaddress -j DROP';
	my($DELRULE) = '/sbin/iptables -D BLACKLIST -s ipaddress -j DROP';

	## ipchains
	my($ADDRULE) = '/sbin/ipchains -I input -p tcp -s ipaddress --destination-port 22 -j DENY';
	my($DELRULE) = '/sbin/ipchains -D input -p tcp -s ipaddress --destination-port 22 -j DENY';

	## Routing-table null route, for hosts without a packet filter
	## (this stops the host's replies rather than the incoming packets)
	## For Redhat/Fedora
	my($ADDRULE) = '/sbin/route add -host ipaddress gw 127.0.0.1';
	my($DELRULE) = '/sbin/route del -host ipaddress gw 127.0.0.1';
	#
	## For Solaris (?? this has not been tested by me!)
	my($ADDRULE) = 'route add ipaddress 127.0.0.1';
	my($DELRULE) = 'route delete ipaddress 127.0.0.1';

	## pf, using a table that the filter rule references
	##  In pf.conf
	block in quick on $ext_if proto tcp from <ssh-block> to $ext_if port ssh

	##  In sshblack
	my($ADDRULE) = '/sbin/pfctl -t ssh-block -T add ipaddress';
	my($DELRULE) = '/sbin/pfctl