Re: SSH bruteforce on its way...

Heres a perl script I made to help solve my problem.  I have been seeing these 
the past 2 years at least. This works on debian sarge (ssh 3.8). Can easily be 
changed for other ssh versions. Run like this...

tail -n0 -F /var/log/auth.log |logflow.pl |awk -W interactive '{ print "sshd: 
"$1 }' >> /etc/hosts.deny 2>&1 &

and here is the logflow.pl...

#!/usr/bin/perl

use Regexp::Common qw /net/;

# ips that shouldn't be banned
@safe = ('192.168.51.1','1.2.3.4');


# number of illegal users received in 1 minute that will trigger a ban
$thresh = 4;

while (<STDIN>) {
 if ($_ !~ /Illegal user/) { next; }
 @line = split(' ', $_);
 @hourmin = split(':', @line[2]);
 if ("@line[0] @line[1] @hourmin[0] @hourmin[1] @line[9]" eq $remember && 
grep(/^@line[9]$/, @bans) eq 0 && @line[9] =~ /^$RE{net}{IPv4}$/) {
  $found++;
  if ($found eq ($thresh - 1)) {
   print "@line[9]\n";
   $| = 1;
   push(@bans, @line[9]);
  }
 } else {
  $found=0;
 }
 $remember = "@line[0] @line[1] @hourmin[0] @hourmin[1] @line[9]";
}