21st July 2012
kallistoteles
solution

So the solution also became a script running every 10 minutes:
Code:
cat /var/log/authlog | grep "sshd" | grep -i "failed" | rev  | cut -d\  -f 4 | grep '[.]' | rev | sort | uniq -c | awk '{ if ($1 >= 10) print $2}' > /etc/ssh_block
and pf checks this file. pf.conf:
Code:
table <ssh_block> persist file "/etc/ssh_block"

block drop in from <ssh_block> to any
The authlog is rotated weekly, so every IP that makes 10 or more failed ssh logins during a week is blocked.
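The same counting logic as reusable shell functions, shown as an added example that is not part of the original post: it keeps the post's filter and its fourth-field-from-the-end extraction, but accepts only strict dotted-quad IPv4 addresses, writes the block file through a temp file, and reloads the running table with pfctl. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the post).

# Print every IPv4 address with at least MIN failed sshd logins in LOG.
failed_ssh_sources() {
    log=$1 min=${2:-10}
    awk -v min="$min" '
        # Same filter as the post: sshd lines mentioning "failed".
        /sshd/ && tolower($0) ~ /failed/ && NF >= 4 {
            # "... from ADDR port N ssh2": address is 4th field from the end,
            # so an attacker-chosen user name cannot shift it.
            ip = $(NF - 3)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split(ip, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' "$log" | sort
}

# Write the list via a temp file so a reader never sees a partial file.
write_block_file() {
    tmp="$2.tmp.$$"
    failed_ssh_sources "$1" "${3:-10}" > "$tmp" && mv "$tmp" "$2"
}

# Load the file into the running table; pf reads "file" only at ruleset load.
refresh_pf_table() {
    pfctl -t ssh_block -T replace -f "${1:-/etc/ssh_block}"
}

# Constructed sample lines in authlog format (documentation addresses).
sample_authlog() {
    cat <<'EOF'
Jul 21 10:00:01 host sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Jul 21 10:00:03 host sshd[101]: Failed password for root from 192.0.2.10 port 4002 ssh2
Jul 21 10:00:05 host sshd[102]: Failed password for invalid user 1.2.3.4 from 192.0.2.10 port 4003 ssh2
Jul 21 10:01:00 host sshd[103]: Failed password for admin from 198.51.100.7 port 5000 ssh2
Jul 21 10:02:00 host sshd[104]: Accepted publickey for admin from 203.0.113.5 port 6000 ssh2
Jul 21 10:03:00 host sshd[105]: Failed password for root from 999.1.1.1 port 7000 ssh2
EOF
}
```

From cron this would be called as `write_block_file /var/log/authlog /etc/ssh_block && refresh_pf_table`.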