SSH Scanner Blocker
This little script tries to help block the annoying attacks performed against ssh services all over the world since summer 2004. The attacks are not real ones: it is a simple scanner that tries to log in using common username/password combos, as well as passwordless accounts. The script uses the power of the pf packet filter from the OpenBSD Project, using its table feature to add a host to a blocked list if the host's ip address is found in the authentication log trying to log in as an unauthorized user.
#!/usr/bin/env python
# -*- Python -*-
#
# made by Francisco de Borja Lopez Rio (Wu) - <firstname.lastname@example.org>
# http://www.e-shell.org
#
# Mon Oct 18 03:52:27 CEST 2004

"""
ssh_blocker

This little script tries to help block the annoying attacks performed
against ssh services all over the world since summer 2004. The attacks are
not real ones: it is a simple scanner that tries to log in using common
username/password combos, as well as passwordless accounts.

The script is divided into these parts:

- Variable definition: here some variables used later in the script are set,
  like the path to the pfctl utility or the name of the table used inside pf
  to block all the ip addresses.

- Get infected ips: here the authlog log file is checked in order to get a
  list of infected ip addresses that have tried to log in using the ssh
  scanner. Those ip addresses are stored in a list.

- Get the blocked ip addresses with the pfctl tool; this is helpful to avoid
  adding the same ip address more than once to the banned list.

- Check the infected list against the blocked one; each infected ip address
  that is not blocked gets blocked immediately.
"""

import os

# Variable definition.
pfctl = "/sbin/pfctl"
pf_conf = "/etc/pf.conf"
pf_table = "sshscan"
authlog_path = "/var/log/authlog"
infected_ips = []

# Read authlog, searching for infected ip addresses
print('Reading the log - ', authlog_path, '\n')
authlog = open(authlog_path, 'r')
authlog_line = '-'
while authlog_line != '':
    if 'Failed password for invalid user' in authlog_line:
        # sshd logs "... invalid user NAME from ADDR port PORT ssh2"; keep ADDR
        ip = authlog_line.split('from')[1].split('port')[0].strip(' ')
        if ip not in infected_ips:
            print('Infected host detected - ', ip)
            infected_ips.append(ip)
    authlog_line = authlog.readline()
authlog.close()

# Use pfctl to get the ip addresses already blocked
print('\nReading the table of blocked hosts - %s -t %s -T show\n' % (pfctl, pf_table))
pipe = os.popen('%s -t %s -T show' % (pfctl, pf_table))
blocked_ips = pipe.read().split('\n')
pipe.close()

# clean the list, removing unneeded blank spaces
for i in range(len(blocked_ips)):
    blocked_ips[i] = blocked_ips[i].strip(' ')

# go through the list of infected ips, checking if the ip address is already
# blocked or not. If not, add the ip address to the table.
for ip in infected_ips:
    if ip in blocked_ips:
        print(ip, ' - IP Address already blocked')
    else:
        print(ip, ' - Adding IP Address to the blocked table')
        # close() waits for pfctl to finish before moving on
        os.popen('%s -t %s -T add %s' % (pfctl, pf_table, ip)).close()
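As an added example (not the page's script, and not the author's code), here is a Python 3 version of the same log-to-pf-table logic that anchors the parser to sshd's message format, checks that the field extracted from the log really is an IP address before it is handed to pfctl, and passes pfctl its arguments as a list rather than a formatted shell string. The pfctl path, the table name and the log lines are constructed for the example; `read_blocked` needs root and a running pf, so the main section substitutes a constructed set of already-blocked addresses.

```python
"""Added example: parse sshd 'invalid user' lines from an authlog, validate
the source address, and compute the pfctl commands needed to add the
not-yet-blocked addresses to a pf table. Not the page's own script."""
import ipaddress
import re
import subprocess

PF_TABLE = "sshscan"    # table name, as in the page's script
PFCTL = "/sbin/pfctl"   # assumed path (OpenBSD)

# Anchored to sshd's message layout instead of a loose split on 'from'/'port'.
INVALID_USER_RE = re.compile(
    r"Failed password for invalid user .* from (?P<addr>\S+) port \d+"
)


def parse_infected(lines):
    """Return the unique, syntactically valid source addresses of failed
    'invalid user' logins, in first-seen order."""
    seen = []
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if not m:
            continue
        addr = m.group("addr")
        try:
            ipaddress.ip_address(addr)  # accept only a bare IPv4/IPv6 address
        except ValueError:
            continue                    # hostnames, garbled lines: skip
        if addr not in seen:
            seen.append(addr)
    return seen


def read_blocked(pfctl=PFCTL, table=PF_TABLE):
    """Ask pfctl for the table's current contents (needs root and pf)."""
    out = subprocess.run([pfctl, "-t", table, "-T", "show"],
                         capture_output=True, text=True, check=True).stdout
    return {l.strip() for l in out.splitlines() if l.strip()}


def plan_blocks(lines, blocked, pfctl=PFCTL, table=PF_TABLE):
    """Return one argv list per address that is not yet in the table.
    Arguments travel as a list, so no shell ever interprets them."""
    return [[pfctl, "-t", table, "-T", "add", ip]
            for ip in parse_infected(lines) if ip not in blocked]


# Constructed sample lines in OpenBSD authlog style (not real log data).
SAMPLE_LOG = [
    "Oct 18 03:40:01 host sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 40122 ssh2",
    "Oct 18 03:40:03 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2",
    "Oct 18 03:41:10 host sshd[1240]: Failed password for wu from 198.51.100.7 port 50010 ssh2",
    "Oct 18 03:42:00 host sshd[1250]: Failed password for invalid user guest from 2001:db8::5 port 33000 ssh2",
    "Oct 18 03:43:00 host sshd[1251]: Failed password for invalid user oracle from not-an-address port 1 ssh2",
]

if __name__ == "__main__":
    already = {"192.0.2.10"}  # stand-in for read_blocked() on a real pf host
    for argv in plan_blocks(SAMPLE_LOG, already):
        print("would run:", " ".join(argv))
        # subprocess.run(argv, check=True)  # uncomment on a real pf host
```

Two things differ from the original script on purpose. The address is taken only when the whole sshd line shape matches and `ipaddress.ip_address` accepts the token, so a line whose "from" field is not an address never reaches pfctl. And pfctl is invoked with an argument list, so the address is never spliced into a shell command string; a legitimate failed login by a real user (the `wu` line above) is ignored exactly as in the original, because only "invalid user" lines count.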