Remember, you can always find us at http://sshblack.com
The sshblack script is a real-time security tool for secure shell (ssh). It
monitors *nix log files for suspicious activity and reacts to source addresses
that generate repeated failures by adding them to a "blacklist" built with the
firewalling tools -- such as iptables -- available in most modern versions of
Unix and Linux. The blacklist is simply a list of source IP addresses that are
prohibited from making ssh connections to the protected host. Once a
predetermined amount of time has passed, the offending IP address is removed
from the blacklist so that a mistyped password or a reassigned dynamic address does not lock a legitimate user out for good.
It is written in Perl but requires no special modules or libraries.
What defines an "attack" is determined by a variable in the source code. This is usually a character string like "Failed password" or "Illegal user" (newer versions of OpenSSH log "Invalid user" instead, so check what your sshd actually writes before settling on the string) but can be anything that the administrator deems an undesirable activity. I have heard from many users who are using it for many things other than ssh, including website monitoring, proxy server watchdog, and generalized network monitoring for prohibited activities (e.g. peer-to-peer filesharing).
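To make the mechanism concrete, here is an added example (written for this page in Python, not the sshblack script's own Perl code) of the whole cycle the description above walks through: an "attack" string matched against log lines, the source IP pulled out of the line, a whitelist REGEX that exempts trusted addresses, a per-IP counter with a threshold, and a timed blacklist whose expired entries are released. The pattern, whitelist, threshold, ban length, sample log lines and the exact iptables rule are all assumptions chosen for the example; real sshblack would fork the firewall command, whereas this code only records the commands so it runs offline without root.

```python
import re
from collections import defaultdict

# Hypothetical settings for this example (not sshblack's own variable names).
# The attack string includes both the older "Illegal user" and the newer
# "Invalid user" wording so either generation of OpenSSH is caught.
ATTACK_PATTERN = re.compile(r"Failed password|Illegal user|Invalid user")
IP_PATTERN = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
WHITELIST = re.compile(r"^(?:10\.0\.0\.\d+|192\.168\.1\.\d+)$")  # never blacklist these
THRESHOLD = 3          # attacks from one IP before it is blacklisted
BAN_SECONDS = 3600     # how long an IP stays on the blacklist
CHAIN = "INPUT"        # assumed iptables chain; adjust to your ruleset


class Blacklister:
    def __init__(self):
        self.counts = defaultdict(int)   # ip -> attacks seen so far
        self.banned = {}                 # ip -> timestamp at which the ban lapses
        self.commands = []               # firewall commands that would have been run

    def parse(self, line):
        """Return the source IP if the line matches ATTACK_PATTERN, else None."""
        if not ATTACK_PATTERN.search(line):
            return None
        m = IP_PATTERN.search(line)
        return m.group(1) if m else None

    def feed(self, line, now):
        """Process one log line at time `now`; return the ban command if one is issued."""
        ip = self.parse(line)
        if ip is None or WHITELIST.match(ip) or ip in self.banned:
            return None
        self.counts[ip] += 1
        if self.counts[ip] >= THRESHOLD:
            self.banned[ip] = now + BAN_SECONDS
            cmd = f"iptables -I {CHAIN} -s {ip} -p tcp --dport 22 -j DROP"
            self.commands.append(cmd)
            return cmd
        return None

    def expire(self, now):
        """Release every ban that has lapsed by `now`; return the released IPs."""
        released = sorted(ip for ip, until in self.banned.items() if until <= now)
        for ip in released:
            del self.banned[ip]
            self.counts.pop(ip, None)   # a returning attacker starts from zero again
            self.commands.append(f"iptables -D {CHAIN} -s {ip} -p tcp --dport 22 -j DROP")
        return released


# Constructed sshd-style log lines using documentation address ranges.
SAMPLE_LOG = [
    "Jan 12 10:01:02 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "Jan 12 10:01:05 bastion sshd[2211]: Invalid user oracle from 198.51.100.9 port 51012",
    "Jan 12 10:01:06 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 40123 ssh2",
    "Jan 12 10:01:07 bastion sshd[2213]: Accepted publickey for alice from 203.0.113.7 port 40124 ssh2",
    "Jan 12 10:01:09 bastion sshd[2214]: Failed password for admin from 10.0.0.5 port 33001 ssh2",
    "Jan 12 10:01:10 bastion sshd[2215]: Failed password for admin from 10.0.0.5 port 33002 ssh2",
    "Jan 12 10:01:11 bastion sshd[2216]: Failed password for admin from 10.0.0.5 port 33003 ssh2",
    "Jan 12 10:01:12 bastion sshd[2217]: Failed password for root from 203.0.113.7 port 40125 ssh2",
    "Jan 12 10:01:14 bastion sshd[2218]: Failed password for invalid user oracle from 198.51.100.9 port 51013 ssh2",
]


def run_sample():
    """Replay SAMPLE_LOG, then advance the clock past the ban length and reap."""
    b = Blacklister()
    t = 1000
    for line in SAMPLE_LOG:
        b.feed(line, t)
        t += 10
    banned_after_log = sorted(b.banned)
    released = b.expire(t + BAN_SECONDS)
    return banned_after_log, released, b.commands, dict(b.counts)


if __name__ == "__main__":
    banned, released, commands, counts = run_sample()
    print("banned:", banned, "released:", released)
    for c in commands:
        print(c)
    print("still counting:", counts)
```

Only 203.0.113.7 reaches the threshold: 10.0.0.5 fails three times but is exempt through the whitelist REGEX, 198.51.100.9 stays at two hits, and the "Accepted publickey" line is ignored because it matches no attack string. Note that the counter is reset when a ban lapses; if you would rather escalate repeat offenders, keep the count and lengthen BAN_SECONDS on each ban instead.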
See the Notes page for what's new in Version 2.8.1.
Please use the navigation buttons on the left or these:
The Configuration Page for some pointers on setting up key variables
The Notes Section for some comments and rants
The Upgrading Notes for some notes on upgrading an existing sshblack installation
The Other Options Section for some discussion on increasing the security of SSH organically
The REGEX Section for a 30-second tutorial on setting up the whitelist REGEX
The Maintenance Section for some tips on using cron, crontab and saving iptables configurations
The Downloads page to get the script
The following are already in the tarballs above but are included here individually for reference.
Older version, if you should want it for some reason (like monitoring nginx or apache log files).