Note to LEAF users on ssh logins

Wed Mar 2 23:59:25 PST 2005

:However, since it's still a popular question on lists (I've heard
:several questions about it recently, actually): would you post this
:script somewhere so I can refer people to it when they ask? This is
:usually the first thing asked for :)
:
:--Devon

/*
 * SSHLOCKOUT.C
 *
 * Use: pipe syslog auth output to this program.  e.g. in /etc/syslog.conf:
 *
 *  auth.info;authpriv.info                         /var/log/auth.log
 *  auth.info;authpriv.info                         |exec /root/adm/sshlockout
 *
 * Detects failed ssh login attempts and maps out the originating IP
 * using IPFW.
 *
 * *VERY* simplistic.  ipfw entries do not timeout, duplicate entries may
 * occur (though normally not since ssh won't see new connections from
 * the IP otherwise), there are no checks made for local IPs or nets, 
 * or for prior successful logins, etc.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdarg.h>
#include <syslog.h>

static void lockout(char *str);

int
main(int ac, char **av)
{
    char buf[1024];
    char *str;

    openlog("sshlockout", LOG_PID|LOG_CONS, LOG_AUTH);
    syslog(LOG_ERR, "sshlockout starting up");
    freopen("/dev/null", "w", stdout);
    freopen("/dev/null", "w", stderr);

    while (fgets(buf, sizeof(buf), stdin) != NULL) {
	if (strstr(buf, "sshd") == NULL)
	    continue;
	if ((str = strstr(buf, "Failed password for root from")) != NULL ||
	    (str = strstr(buf, "Failed password for admin from")) != NULL
	) {
	    while (*str && (*str < '0' || *str > '9'))
		++str;
	    lockout(str);
	    continue;
	}
	if ((str = strstr(buf, "Failed password for invalid user")) != NULL) {
	    str += 32;
	    while (*str == ' ')
		++str;
	    while (*str && *str != ' ')
		++str;
	    if (strncmp(str, " from", 5) == 0)
		lockout(str + 5);
	    continue;
	}
	if ((str = strstr(buf, "Illegal user")) != NULL) {
	    str += 12;
	    while (*str == ' ')
		++str;
	    while (*str && *str != ' ')
		++str;
	    if (strncmp(str, " from", 5) == 0)
		lockout(str + 5);
	}
    }
    syslog(LOG_ERR, "sshlockout exiting");
    return(0);
}

static void
lockout(char *str)
{
    int n1, n2, n3, n4;
    char buf[256];

    if (sscanf(str, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4) {
	syslog(LOG_ERR, "Detected Illegal ssh login attempt, locking out %d.%d.%d.%d\n", n1, n2, n3, n4);
	snprintf(buf, sizeof(buf), "ipfw add 2100 deny tcp from %d.%d.%d.%d to me 22", n1, n2, n3, n4);
	system(buf);
    }
}