> From: "Steven J Lamb" <redhattedsheep@xxxxxxxxx>
> I am trying to create a script to block people using hosts.deny. I realize
> that I should just block everyone and then open access for those whom I know
> I trust, but because of the nature of our network this is not possible.
> Basically I check log files for login attempts every five minutes and block
> those that attempt to log in more than 3 times that day. This is all working
> great, but my problem is this: I sometimes get log entries with the symbolic
> address instead of the IP. How do I convert these in a systematic way and
> not have a problem when I run IPs through it? I'm sure this is an easy task,
> but I don't know what tool to use.
>
> thanks for your help
>
> Steven Lamb
Sounds like a job for the "recent" subcommand in iptables. There is a very
good treatise on this at:
http://la-samhna.de/library/brutessh.html
He uses the following script
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
>     --name SSH -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 \
>     --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
> iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 \
>     --hitcount 4 --rttl --name SSH -j DROP
to drop those who try to log in four more times to his sshd server. His article
explains the scripts.
I use a similar script. The downside is that I can not enjoy reading some of
the strange "usernames" made up by the current sshd brute force worms,
since the worm gets cut off after only a few attempts to connect.
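For the original question (log entries that carry a hostname instead of an IP), here is an added example, not from either poster, of how the hosts.deny approach can normalize both forms before counting. It parses sshd "Failed password" lines, resolves any hostname to an address (the resolver is injectable so the constructed sample below runs offline), merges attempts from the same source, and emits hosts.deny entries for sources over the threshold. The log lines, hostnames and addresses are all constructed.

```python
import re
import socket
from collections import Counter

# Matches sshd failure lines; the source after "from" may be an IP or a hostname.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def is_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)

def normalize(source, resolve=socket.gethostbyname):
    """Return the source as a dotted-quad IP so hostname and IP entries merge.
    A name that does not resolve is returned unchanged rather than dropped,
    so the caller can still see it (it will not match a hosts.deny IP entry)."""
    if is_ipv4(source):
        return source
    try:
        return resolve(source)
    except (socket.gaierror, OSError):
        return source

def count_failures(log_lines, resolve=socket.gethostbyname):
    """Count failed logins per normalized source address."""
    counts = Counter()
    for line in log_lines:
        match = FAILED_RE.search(line)
        if match:
            counts[normalize(match.group(1), resolve)] += 1
    return counts

def hosts_deny_entries(log_lines, threshold=3, resolve=socket.gethostbyname):
    """Return 'sshd: <ip>' lines for every source with more than `threshold` failures."""
    counts = count_failures(log_lines, resolve)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n > threshold]

# Constructed resolver standing in for DNS, so the example runs offline.
FAKE_DNS = {"scanner.example.net": "192.0.2.10"}
def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror("constructed: no such host")
    return FAKE_DNS[name]

# Constructed sample log: one source appears both by IP and by hostname.
SAMPLE_LOG = [
    "Failed password for root from 192.0.2.10 port 4431 ssh2",
    "Failed password for invalid user admin from scanner.example.net port 4433 ssh2",
    "Failed password for invalid user test from scanner.example.net port 4435 ssh2",
    "Failed password for root from 192.0.2.10 port 4437 ssh2",
    "Failed password for root from 198.51.100.7 port 5001 ssh2",
    "Failed password for root from 198.51.100.7 port 5002 ssh2",
    "Failed password for root from ghost.invalid port 6001 ssh2",
    "Accepted publickey for alice from 203.0.113.5 port 7001 ssh2",
]
```

Run the functions with the default resolver against your real auth log to get the same merged counts; the threshold matches the "more than 3 times" rule from the question.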