Automatic blacklist of IP-addresses.

Peter Stuge stuge-openssh-unix-dev at cdy.org
Sat Jan 7 04:14:16 EST 2006


On Fri, Jan 06, 2006 at 05:53:06PM +0100, Enrico Weigelt wrote:
> * Peter Stuge <stuge-openssh-unix-dev at cdy.org> wrote:
> > The recommended way to implement this is to monitor log output
> > from OpenSSH and make appropriate changes to the firewall
> > settings.
> 
> hmm. how could this be implemented ?

I wasn't clear enough. The process that watches the log output from
OpenSSH does the equivalent of your external event handler.

What's important from OpenSSH's point of view is that one piece of
information (failed and succeeded logins) should only be sent out
through one data path (logging) rather than having redundancy within
OpenSSH to send out same data multiple ways.


> We need a way to get the failed attempts to some other process.
> Some external event handler, which gets called on all noticeable
> events with appropriate parameters, could help.
> 
> i.e. for login fail:
>     
>     $HANDLER login-failed <username> <ip> <auth-method> ...
>     
> succeeded login
> 
>     $HANDLER login-granted <username> <ip> <auth-method> <tty>

Hook $HANDLER into the syslog system somehow and change (or wrap) it
so that data can arrive on stdin instead of the command line. If
you're running a syslogd that doesn't allow this perhaps syslog-ng
could prove useful since it is quite configurable.


//Peter
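As an added illustration of the stdin-driven $HANDLER Peter describes (example code, not from the thread or from OpenSSH): the handler reads sshd syslog lines on stdin, maps them to the login-failed / login-granted events Enrico asked for, counts failures per source address inside a sliding window, and emits a firewall command once a threshold is reached. The syslog line layout, the sshd message patterns, the threshold, the allowlist and the iptables command are all assumptions to be checked against your own sshd version and firewall; the sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Log-watching $HANDLER: sshd syslog lines in on stdin, firewall decisions out.
Added example, not code from the openssh-unix-dev thread or from OpenSSH."""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Traditional syslog prefix (no year) followed by the sshd message (assumed layout).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Auth results as sshd commonly logs them (assumed; verify against your sshd).
FAIL_RE = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
OK_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line, year=2006):
    """Return (event, timestamp, user, ip, method) or None for unrelated lines.
    `year` is an assumption: the traditional syslog timestamp carries none."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    msg = m.group("msg")
    f = FAIL_RE.match(msg)
    if f:
        return ("login-failed", ts, f.group("user"), f.group("ip"), f.group("method"))
    a = OK_RE.match(msg)
    if a:
        return ("login-granted", ts, a.group("user"), a.group("ip"), a.group("method"))
    return None


class FailureTracker:
    """Sliding-window counter: block an IP after `threshold` failures within
    `window_seconds`; addresses in `allow` (management hosts) are never blocked."""

    def __init__(self, threshold=5, window_seconds=600, allow=()):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.allow = set(allow)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = set()

    def observe(self, event):
        """Feed one parsed event; return the IP to block now, or None."""
        kind, ts, _user, ip, _method = event
        if kind != "login-failed" or ip in self.blocked or ip in self.allow:
            return None
        q = self.failures[ip]
        q.append(ts)
        # Expire failures that fell out of the window before counting.
        while q and (ts - q[0]).total_seconds() > self.window_seconds:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(ip)
            del self.failures[ip]
            return ip
        return None


def block_command(ip):
    """Firewall action as an argv list (assumed iptables; adapt to your firewall)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def process(lines, tracker=None):
    """Run the handler over an iterable of syslog lines; return IPs blocked, in order."""
    tracker = tracker or FailureTracker()
    blocked = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = tracker.observe(ev)
        if ip:
            blocked.append(ip)
    return blocked


# Constructed sample: one address guessing passwords, one legitimate key login.
SAMPLE_LOG = """\
Jan  7 04:10:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Jan  7 04:10:03 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 41123 ssh2
Jan  7 04:10:04 bastion sshd[2105]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Jan  7 04:10:05 bastion sshd[2107]: Failed password for root from 203.0.113.5 port 41124 ssh2
Jan  7 04:10:06 bastion sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 41125 ssh2
Jan  7 04:10:08 bastion sshd[2111]: Failed password for root from 203.0.113.5 port 41126 ssh2
Jan  7 04:10:09 bastion sshd[2113]: Failed password for root from 203.0.113.5 port 41127 ssh2
"""

if __name__ == "__main__":
    # Hooked into syslog the lines arrive on stdin; --demo uses the constructed sample.
    src = SAMPLE_LOG.splitlines() if "--demo" in sys.argv else sys.stdin
    for ip in process(src):
        print(" ".join(block_command(ip)))  # printed, not executed, in this example
```

Feeding the script from syslog-ng is one way to get the stdin data path Peter mentions: a `program()` destination pointing at the handler, with a filter selecting the sshd facility/program, keeps OpenSSH itself unaware of the firewall. The allowlist is there for the usual failure mode of this design, where a mistyped password from the administrator's own host locks the administrator out.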