There is a Norwegian version.
Sorry, my project with log surveillance in CL (Common Lisp) is shelved at the moment; install fail2ban and be done with it
:-/
The IP numbers below are blacklisted here. Any connect attempt from those IP numbers will be blocked at my firewall. Currently this script is only blocking hosts that attempt dictionary attacks against my ssh server. Other facilities are used to block IP addresses in the dshield block-list, and some others. Depending on what is going around at the moment I might add other triggers for blocking. The actual blocking is done by a lisp process that gets sshd's log entries about failed logins piped into it continuously through a fifo. See mkfifo(1) and syslog(8) or syslog-ng(8), and check the auth facility. The lisp process keeps count per source IP and runs an iptables command when it has seen enough hits of a dubious sort. After blocking I keep track of later occurrences of the same IP in my firewall logs, recording proto/port and last seen time. The report below is generated by the same lisp process at the time the request is served to you.
Update: Since upgrading my server, the firewall log format changed, and I did a small refactoring. At the same time I decided to mark those knockers that look like scouts, i.e. fore-runners just checking if port 22 is open.
I am also noting invalid usernames. Could be innocent typos, but when the same name comes from multiple hosts more or less at the same time, it is a good indication of something fishy going on. I'm not doing all I could with that info at the moment. Anybody willing to pool dictionaries? It would be good to have a central logging place for the network police to keep an eye on the bot-nets doing this kind of distributed dictionary attack. Working in isolation on this will not do when the attackers are using distributed tools. Still plenty of the old-fashioned un-stealthed attacks to show a nice turnover in my list though :-)
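The page's lisp process is not shown, so here is an added example (my own Python re-creation, not the author's code) of the same pipeline described above: count sshd failed logins per source IP, build the iptables DROP command once a threshold is reached, then record proto/port and last-seen time for any later firewall-log hits from blocked hosts, and collect invalid usernames so that names tried from more than one host stand out. The log lines, the threshold of 3, the `BLOCKED:` log prefix and the chain name are constructed assumptions; the iptables command is only built, not executed.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log and iptables LOG lines (RFC 5737
# documentation addresses); not real excerpts from the page.
AUTH_LINES = [
    "Mar  3 10:00:01 gw sshd[4100]: Invalid user admin from 203.0.113.5",
    "Mar  3 10:00:01 gw sshd[4100]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2",
    "Mar  3 10:00:04 gw sshd[4101]: Failed password for root from 203.0.113.5 port 40111 ssh2",
    "Mar  3 10:00:07 gw sshd[4102]: Invalid user oracle from 203.0.113.5",
    "Mar  3 10:00:07 gw sshd[4102]: Failed password for invalid user oracle from 203.0.113.5 port 40112 ssh2",
    "Mar  3 10:00:09 gw sshd[4103]: Invalid user admin from 198.51.100.7",
    "Mar  3 10:00:09 gw sshd[4103]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2",
    "Mar  3 10:00:12 gw sshd[4104]: Failed password for root from 198.51.100.7 port 51001 ssh2",
    "Mar  3 10:00:15 gw sshd[4105]: Accepted publickey for hakon from 192.0.2.10 port 2222 ssh2",
]
FW_LINES = [
    "Mar  3 10:05:30 gw kernel: BLOCKED: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40200 DPT=22",
    "Mar  3 10:06:02 gw kernel: BLOCKED: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40201 DPT=445",
    "Mar  3 10:06:40 gw kernel: BLOCKED: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51100 DPT=22",
    "Mar  3 10:07:11 gw kernel: BLOCKED: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
# DPT= is absent for ICMP, so the destination port group is optional.
FW_RE = re.compile(r"SRC=(?P<ip>[\d.]+).*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dport>\d+))?")


class SshBlocker:
    """Count failed sshd logins per source IP, emit an iptables rule at the
    threshold, then track later firewall-log hits from blocked hosts."""

    def __init__(self, threshold=3, chain="INPUT"):
        self.threshold = threshold
        self.chain = chain
        self.failures = defaultdict(int)       # ip -> failed-login count
        self.invalid_users = defaultdict(set)  # username -> ips that tried it
        self.blocked = {}                      # ip -> post-block tracking
        self.commands = []                     # iptables commands built (not run)

    def feed_auth(self, line):
        """One sshd auth-log line in; the iptables command out if this line
        pushes its source over the threshold, otherwise None."""
        m = INVALID_RE.search(line)
        if m:
            self.invalid_users[m["user"]].add(m["ip"])
        m = FAILED_RE.search(line)
        if not m or m["ip"] in self.blocked:
            return None
        self.failures[m["ip"]] += 1
        if self.failures[m["ip"]] < self.threshold:
            return None
        # Hypothetical deployment would pass this to subprocess.run().
        cmd = f"iptables -I {self.chain} -s {m['ip']} -j DROP"
        self.commands.append(cmd)
        self.blocked[m["ip"]] = {"hits": 0, "ports": set(), "last_seen": None}
        return cmd

    def feed_firewall(self, line):
        """One iptables LOG line in; record proto/port and last-seen time for
        sources that are already blocked. Returns True if recorded."""
        m = FW_RE.search(line)
        if not m or m["ip"] not in self.blocked:
            return False
        entry = self.blocked[m["ip"]]
        entry["hits"] += 1
        entry["ports"].add(f"{m['proto']}/{m['dport']}" if m["dport"] else m["proto"])
        ts = TS_RE.match(line)
        entry["last_seen"] = ts["ts"] if ts else None
        return True

    def shared_invalid_users(self):
        """Invalid usernames tried from more than one host: the distributed
        dictionary-attack signal the page describes."""
        return {u: sorted(ips) for u, ips in self.invalid_users.items() if len(ips) > 1}

    def report(self):
        """Rows in the shape of the page's blacklist report."""
        return {ip: {"hits": e["hits"], "ports": sorted(e["ports"]), "last_seen": e["last_seen"]}
                for ip, e in self.blocked.items()}


def run_sample():
    """Replay the constructed lines in log order and return the blocker."""
    blocker = SshBlocker(threshold=3)
    for line in AUTH_LINES:
        blocker.feed_auth(line)
    for line in FW_LINES:
        blocker.feed_firewall(line)
    return blocker


if __name__ == "__main__":
    b = run_sample()
    print(b.commands, b.report(), b.shared_invalid_users(), sep="\n")
```

In the sample, only 203.0.113.5 reaches three failures and is blocked; its later TCP/22, TCP/445 and ICMP hits are recorded with the last timestamp, while 198.51.100.7 stays below the threshold and its firewall hit is ignored. The username `admin` shows up from both hosts and is reported as shared. Reading from the page's fifo instead of the constructed lists is a matter of iterating over the open file object line by line.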
It seems that the ssh brute-forcers are actually not into any other kinds of exploits, as seen by the firewall-hits column. Also see the link to dshield. This makes this blacklisting basically useless. The only way of knowing that is by blocking the ssh'ers and watching them, which means I had to do this exercise anyway. Might as well keep it running for the fun of it.
Note: If you want an email feed of the baddies in real-time or have suggestions, send e-mail to hakon<at>alstadheim.priv.no. My box is at the end of an ADSL line, so my bandwidth is limited.