Every few days I cat my logs on all my systems to see if anything should be fixed, repaired, patched, removed and whatnot. It only takes an hour or so, and I've come across a enough problems that I otherwise would not have noticed that only took a minute to fix, and helped the overall status of my system.
Well, I had a simple firewall put up with PF on my FreeBSD box, but it didn't do anything besides filter a couple ports and then block everything else. One port open, 22. This allowed this shit to basically spam my logs:
Jul 10 10:55:56 dukkha sshd: Invalid user simona from 184.108.40.206 Jul 10 10:56:01 dukkha sshd: Invalid user annalisa from 220.127.116.11 Jul 10 10:56:04 dukkha sshd: Invalid user diego from 18.104.22.168 Jul 10 10:56:11 dukkha sshd: Invalid user elena from 22.214.171.124 Jul 10 10:56:15 dukkha sshd: Invalid user luciano from 126.96.36.199 Jul 10 10:56:18 dukkha sshd: Invalid user marilena from 188.8.131.52 Jul 10 10:56:22 dukkha sshd: Invalid user htdocs from 184.108.40.206 Jul 10 10:56:26 dukkha sshd: Invalid user toiawase from 220.127.116.11 Jul 10 10:56:31 dukkha sshd: Invalid user storm from 18.104.22.168 Jul 10 10:56:35 dukkha sshd: Invalid user sysadmin from 22.214.171.124 Jul 10 10:56:38 dukkha sshd: Invalid user blitzcat from 126.96.36.199 Jul 10 10:56:42 dukkha sshd: Invalid user circ from 188.8.131.52 Jul 10 10:56:46 dukkha sshd: Invalid user ginny from 184.108.40.206 Jul 10 10:56:49 dukkha sshd: Invalid user ftp from 220.127.116.11
which, really isn't anything. But, knowing me, I decided to fix it. I wanted to blacklist the IPs automatically, but I'm really not a good programmer. Even for a simple cat/grep log script. But Google helps me out once again. I came across this article by "valiantsoul" (if that is his/her handle, who knows) which seems to be a rather old article. SSH Brute Force Blocker with PF on FreeBSD
Basically, this changes one thing. Whenever the "/var/log/auth.log" file gets written to, a simple Perl script is run. All the script does is take the log, and with a bit of regex (god I love Perl Regular Expressions) looks to see if there are any "Invalid user $USER from $IPADDRESS" lines, or "Did not receive identification string from $IPADDRESS" lines, and then takes those IP addresses and adds them into a blacklist file, which is then addded to a
welp, thats about it. I might end up re-hosting the code. I get worried when sites are hosted by earthlink. Speaking of, the local alt-weekly paper was advertising an upcoming event where the website linked was to a geocities page or some shit. Hosting is cheap as fuck, I really don't understand why people cant spring for 10 bux and change for a domainname and hosting for a couple months to a year.