The Nunar Reaper

Posted on June 06, 2005

People keep hammering my sshd with false login requests. I wrote this script, which I call nunar_reaper.pl, that retaliates against the stupidity in favor of a tarpit. The infamous Dave Dellanave helped out with this one. I still need to fend off imaginary user name attacks, but that’s a little harder.

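#!/usr/bin/perl
use strict;
use warnings;

# Follow the auth log and drop every source that fails a root password login.
open(TAIL, "tail -f /var/log/secure|") or die "Cannot tail /var/log/secure: $!";
while (<TAIL>) {
  if (/Failed password for root/) {
    # Take only a dotted-quad address from the line; skip the line if there is none.
    my ($ip) = /(\d+\.\d+\.\d+\.\d+)/ or next;
    # List form of system() runs iptables directly, without a shell.
    system("iptables", "-A", "INPUT", "-i", "eth0", "-s", $ip, "-j", "DROP");
  }
}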
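The script above reacts only to root failures, and the commenter's version below counts only consecutive hits from one host. As an added example (not code from the post or its commenter), the following counts failures per source across both kinds of log line and reads the address from the end of the line, so a user name containing " from 1.2.3.4" cannot steer the block. The threshold, the allowlisted address, the function names and the sample log lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not the post's script: count sshd login failures per source.
use strict;
use warnings;

my $THRESHOLD = 5;                              # assumed limit
my %ALLOW     = map { $_ => 1 } ('192.0.2.10'); # assumed admin address, never blocked

# Failed root logins and invalid-user lines, the two patterns the scripts on this page match.
# The user name is chosen by the remote client and may itself contain " from 1.2.3.4",
# so the address is taken from the end of the line, where sshd writes the real source.
my $FAIL_RE = qr/
    sshd\[\d+\]:\s
    (?: Failed\ password\ for\ (?:invalid\ user\ )? .* | Invalid\ user\ .* )
    \ from\ (\d{1,3}(?:\.\d{1,3}){3})
    (?:\ port\ \d+)? (?:\ ssh\d?)? \s* $
/x;

# Return the source IPv4 address of a failed-login line, or undef.
sub failed_source {
    my ($line) = @_;
    return undef unless $line =~ $FAIL_RE;
    my $ip = $1;
    return undef if grep { $_ > 255 } split /\./, $ip;   # reject 999.1.1.1
    return $ip;
}

# Count failures per source; return each address once, when it reaches the threshold.
sub sources_to_block {
    my (%count, @block);
    for my $line (@_) {
        my $ip = failed_source($line);
        next if !defined $ip or $ALLOW{$ip};
        push @block, $ip if ++$count{$ip} == $THRESHOLD;
    }
    return @block;
}

# Constructed sample lines using documentation addresses, not real log data.
my @sample = (
    (map { "Jun  6 10:00:0$_ host sshd[4100]: Failed password for root from 203.0.113.7 port 4002$_ ssh2" } 1..3),
    "Jun  6 10:00:04 host sshd[4101]: Invalid user admin from 203.0.113.7",
    "Jun  6 10:00:05 host sshd[4102]: Invalid user x from 198.51.100.9 from 203.0.113.7",   # forged name
    "Jun  6 10:00:06 host sshd[4103]: Failed password for invalid user test from 198.51.100.9 port 50111 ssh2",
    (map { "Jun  6 10:01:0$_ host sshd[4200]: Failed password for root from 192.0.2.10 port 6000$_ ssh2" } 1..6),
);

# Print candidates instead of calling iptables, so the example has no side effects.
print "would block: $_\n" for sources_to_block(@sample);
```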


Comments


  1. Tim Hallwyl Wed, 27 Sep 2006 05:22:10 MDT

    Inspired by your script I wrote the following. On my system root can’t log in via ssh, so there is no real danger from attempts to log in as root. It’s the other fake usernames that worry me. They might just hit the right combination of username and password. Another thing is that I get messages in /var/log/messages about invalid user names — this is what this script is using. I have not tested it properly yet, so any comments are welcome.

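    #!/usr/bin/perl
    use strict;
    use warnings;

    my $attempts = 0;
    my $host = "";

    open(MESSAGES, "tail -f /var/log/messages|") or die "Cannot tail /var/log/messages: $!";
    while (<MESSAGES>) {
        # Capture only a dotted-quad address, since $host is passed to a shell below.
        if (/Invalid user .* from (\d+\.\d+\.\d+\.\d+)/) {
            if ($host eq $1) {    # eq, not ==: these are strings
                $attempts++;
            }
            else {
                $host = $1;
                $attempts = 0;
            }
            if ($attempts > 4) {
                system "iptables -A INPUT -i eth0 -s $host -j DROP";
                system "echo \"Blocked $host\" >> /var/log/messages";
            }
        }
    }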
