-- David Richerby on blacklisting blacklists
I don't like worms and other crap that hammers my ssh servers with nonexistent users and/or lousy passwords. Not that they would get in anyway, but it still pisses me off sufficiently to do something about it. This script blams all such suckers for a while. Share and enjoy.
The script tails a logfile (preferably something low-volume like your auth.log) and looks for failed ssh entries. If the other side is not whitelisted and tries too often within a time window, an iptables command is issued. After a fair while the block is removed. Obviously all this is adjustable and I'll certainly extend the setup for other annoyances, too.
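The core of that logic (per-source failure counting in a sliding window, a whitelist, an iptables block and a timed unblock), as an added Python example rather than the script this post ships; the regex, the constructed sample lines, the default thresholds and the `run` hook that receives the iptables command are all assumptions, and log tailing itself is left out:

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
# OpenSSH failure lines as syslog records them (assumed format); group 1 is the source address.
FAILED_RE = re.compile(r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (\S+)")
# Constructed sample lines (not real data); the syslog date/host prefix is omitted for brevity.
SAMPLE_LINES = [
    "sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "sshd[1234]: Invalid user oracle from 203.0.113.5",
    "sshd[1235]: Failed password for root from 127.0.0.1 port 5000 ssh2",
]

class SshBlocker:
    def __init__(self, limit=5, window=300, block_for=3600, whitelist=("127.0.0.0/8",), run=None):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.whitelist = [ip_network(n) for n in whitelist]
        # run() gets the iptables argv; the default only prints it (use subprocess.run for real)
        self.run = run or (lambda argv: print(" ".join(argv)))
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> unix time at which the block expires

    def feed(self, line, now):
        """Process one log line seen at time `now`; returns True if a new block was issued."""
        m = FAILED_RE.search(line)
        if not m:
            return False
        ip = m.group(1)
        try:
            addr = ip_address(ip)
        except ValueError:            # syslog logged a hostname rather than an address: ignore
            return False
        if any(addr in net for net in self.whitelist) or ip in self.blocked:
            return False
        q = self.attempts[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures that fell out of the window
            q.popleft()
        if len(q) < self.limit:
            return False
        self.run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.blocked[ip] = now + self.block_for
        return True

    def expire(self, now):
        """Lift blocks whose time is up; returns the list of addresses unblocked."""
        done = [ip for ip, until in self.blocked.items() if now >= until]
        for ip in done:
            self.run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
            del self.blocked[ip]
        return done
```

Call `feed()` for each new line the tailer hands you and `expire()` on a timer; the `-I`/`-D` pair keeps the rule set symmetric so a lifted block leaves nothing behind.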
The idea came from here, but I didn't like that implementation very much. The clean tailing of a log (safely across rotations etc.) was snarfed from logtail (part of logcheck) and the parsing of syslog messages came from Parse::Syslog (which doesn't work on your local data, only on full files. Silly thing.)