A set of scripts and docs to anti ssh crack attempts behaviour.

One day, I found that my server logged a lot of ssh connect attempts,of course not by myself. So, this script borned

• ipset, which is a userspace binary to manipulate a hash map in kernel

install: just yum install -y ipset

• iptables. almost all linux server have already installed this tool-set

• iptables-fw.sh

Assume you will copy it into /etc/iptables-fw.sh It is very easy, notes omitted. ^_^

• anti-ssh-crack.sh

Assume you will copy it into /etc/ipset/anti-ssh-crack.sh

The script read /var/log/secure log file which is produced by sshd,then:

- extract recent logs (today for now. u can modify it easily)
- collect out the remote ip match `Invalid user` line or `Failed password` line
- count the occurence of each individual ip 
- set the ip that occured more than 10 times, into ipset named with `anti-ssh-crack`

• run the /etc/ipset/anti-ssh-crack.sh.

To work continually , modify crontab, append one line : * * * * * /etc/ipset/anti-ssh-crack.sh >/dev/null 2>&1

• check it! run ipset list anti-ssh-crack

** CAUTION: ** be sure your ip is not in the list. run cmd last to find your self.

• start iptables: /etc/iptables-fw.sh

** TIPS:** if u ping the ip in the ipset-list, u will find ping says "not permitted", that means it works!. you can make it pingable just by delete the OUTPUT rule in iptables-fw.sh.

• enjoy a cup of coffee, than check your exploit! (by iptables -nvL)

the -v will make the counter displayed for each iptables rule.