SSHblock

SSHblock is a simple set of programs designed to block SSH dictionary 
attacks. It tracks how many times a given IP address has been previously
blocked, and uses a quadratic increase algorithm to block addresses for
progressively longer periods of time after each attack. 

REQUIREMENTS:

* Linux kernel 2.4 or greater, with iptables
* Perl 5.004 or greater
* Swatch

INSTALLATION:

1) Unpack the distribution tarball and cd into the unpacked directory.
2) Run the install.pl script; it will check that you have all prerequisites 
   installed, and prompt you interactively to see if you want to customize 
   the installation.
3) That's it! You're done.

FEATURES:

* Logs activity using syslogd.
* Allows whitelisting of IP addresses that should never be blocked.
* Can send email notifications when an address is blocked.
* Increases blocking time for "repeat offender" addresses.

HOW IT WORKS:

SSHblock uses swatch to watch your /var/log/messages file for sshd's 
"failed password" messages. When it sees too many in quick succession
from the same IP address, it adds an iptables rule to drop packets from
that address bound for port 22, and records that action in a history
file. An hourly cron job is responsible for unblocking addresses, based
on the history file's data.
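
The flow described above, as an added Python sketch; it is not SSHblock's own
code (SSHblock is written in Perl and driven by swatch). The threshold, time
window, base block length, n^2 schedule, whitelist entry, assumed sshd line
format, rule text and all function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Tunables are assumptions for this sketch, not SSHblock's shipped defaults.
THRESHOLD, WINDOW = 3, timedelta(seconds=60)   # failures within "quick succession"
BASE_BLOCK = timedelta(hours=1)                # length of a first block
WHITELIST = {"192.0.2.10"}
# Anchored at the end of the line so a crafted username containing
# " from <ip> port " cannot substitute another address: sshd writes the peer last.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                    r"for .* from (\S+) port \d+ ssh2$")

def block_duration(times_blocked):
    """The n-th block lasts n^2 * BASE_BLOCK (one possible quadratic schedule)."""
    return BASE_BLOCK * times_blocked ** 2

def process(lines, history, year=2009):
    """Return [(ip, unblock_at, rule)] for new blocks; history maps ip -> block count."""
    recent, actions = defaultdict(deque), []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        try:  # validate before the value is placed in a command string
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue
        if ip in WHITELIST:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:   # forget failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            history[ip] = history.get(ip, 0) + 1
            rule = f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            actions.append((ip, when + block_duration(history[ip]), rule))
            q.clear()
    return actions

SAMPLE = [  # constructed lines using documentation address ranges, not real logs
    "Mar 14 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2",
    "Mar 14 10:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2",
    "Mar 14 10:00:05 host sshd[103]: Failed password for invalid user x from 198.51.100.7 port 22 ssh2 from 203.0.113.5 port 4003 ssh2",
    "Mar 14 10:00:06 host sshd[104]: Failed password for root from 192.0.2.10 port 5000 ssh2",
]
```

The rule is only built as a string, never executed. Running process(SAMPLE, history)
a second time with the same history dictionary shows the repeat-offender block
growing from one hour to four.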

MORE INFORMATION:

http://kai.mactane.org/software/sshblock

LICENSING:

Copyright 2009 Kagan D. MacTane

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

