[PATCH 0/1] *** SUBJECT HERE ***

Thorsten Glaser t.glaser at tarent.de
Fri Mar 13 05:20:09 AEDT 2020


On Thu, 12 Mar 2020, Christoph Anton Mitterer wrote:

> IMO, the idea itself sounds not the best... one must assume that such
> invoked programs are not written "safe"... and thus an attacker could
> potentially cause the system to run such programs a huge number of
> times.

As for the original problem… I have this running under daemontools:

#!/bin/mksh
# Discard the script's own stdout/stderr; results are reported via logger below.
exec >/dev/null
exec 2>/dev/null
tail -f /var/log/messages | while IFS= read -r line; do
	# Only sshd "Failed password" lines for one of the known-bad account names.
	[[ $line = *sshd*@(Failed password for ?(invalid user )@(root|sync|admin|oracle|pi|setup|test|testuser|ubnt) from)* ]] || continue
	# Strip everything up to and including "<account> from ", keep the first word (the address).
	line=${line#*for ?(invalid user )@(root|sync|admin|oracle|pi|setup|test|testuser|ubnt) from }
	line=${line%% *}
	# Accept only a dotted-quad address before handing it to pfctl.
	[[ $line = +([0-9]).+([0-9]).+([0-9]).+([0-9]) ]] || continue
	x=$(pfctl -t theo -T add "$line" 2>&1)
	logger -t sshnuke "Blocking '$line': $x"
done

The pf table named “theo” is a “block everything” table.
The list of account names which trigger blocking gets
updated every once in a while. This currently only works
on Legacy IP but updating it to also support IP should be
trivial. It blocks after the first attempt, which is why
I only catch known-bad account names, not typos. Getting
back in if you accidentally blocked yourself is outside
of the scope of this. You’ll need tail -F for GNU systems.

bye,
//mirabilos
-- 
“Cool, /usr/share/doc/mksh/examples/uhr.gz is a reason
to install mksh on every system.”
	-- XTaran at OpenRheinRuhr, quite enthusiastic
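The same log filter as a portable POSIX sh script, added here as an example and not the poster's own code. It keeps the account list and the pf table name "theo" from the message above, but goes a little beyond it: the address check validates each octet (0..255) and, as the author says should be trivial, also accepts a colon-separated IPv6 address. The log lines are constructed for the demo, and PFCTL defaults to a dry-run `echo` so it can be run anywhere; set PFCTL=pfctl on a real pf host.

```shell
#!/bin/sh
# Added example (not the original poster's script): sshd brute-force
# blocker as POSIX sh functions, run over constructed sample log lines.

# Account names that trigger an immediate block (list from the post).
BAD_USERS='root sync admin oracle pi setup test testuser ubnt'

# pfctl command; defaults to a dry run that only echoes what would run.
PFCTL=${PFCTL:-"echo pfctl"}

# is_bad_user NAME -> 0 if NAME is one of BAD_USERS
is_bad_user() {
    for u in $BAD_USERS; do
        [ "$1" = "$u" ] && return 0
    done
    return 1
}

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR -> 0 if ADDR is made of hex digits and colons (syntax
# check only; pfctl itself rejects anything that does not parse).
is_ipv6() {
    case $1 in
        *[!0-9a-fA-F:]*|*:::*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

is_ip() { is_ipv4 "$1" || is_ipv6 "$1"; }

# extract_ip LINE -> prints the source address of a failed-password
# attempt against a known-bad account; returns 1 if LINE does not match.
extract_ip() {
    line=$1
    case $line in
        *sshd*"Failed password for "*" from "*) ;;
        *) return 1 ;;
    esac
    rest=${line#*"Failed password for "}
    rest=${rest#"invalid user "}          # optional prefix
    user=${rest%% *}
    is_bad_user "$user" || return 1
    # The word right after "<user> from " is the address; if the line
    # is shaped differently the address check below rejects it.
    rest=${rest#"$user from "}
    addr=${rest%% *}
    is_ip "$addr" || return 1
    printf '%s\n' "$addr"
}

# block_from_log: read log lines on stdin, add each matching address to
# the pf table "theo" (first attempt blocks, as in the original setup).
block_from_log() {
    while IFS= read -r l; do
        a=$(extract_ip "$l") || continue
        $PFCTL -t theo -T add "$a"
    done
}

# Constructed sample log (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG='Mar 12 04:11:02 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 12 04:11:05 gw sshd[1235]: Failed password for root from 198.51.100.9 port 2222 ssh2
Mar 12 04:11:09 gw sshd[1236]: Failed password for invalid user alice from 192.0.2.5 port 40000 ssh2
Mar 12 04:11:12 gw sshd[1237]: Accepted publickey for root from 192.0.2.6 port 40001 ssh2
Mar 12 04:11:15 gw sshd[1238]: Failed password for pi from 2001:db8::1 port 40002 ssh2'

# Dry run over the sample: blocks 203.0.113.7, 198.51.100.9, 2001:db8::1;
# the typo'd "alice" attempt and the successful login are left alone.
printf '%s\n' "$SAMPLE_LOG" | block_from_log
```

On a live system replace the sample pipe with `tail -F /var/log/auth.log | block_from_log` (or `tail -f /var/log/messages` on BSD) and run it under your supervisor of choice; the address check is what keeps a crafted log line from smuggling extra pfctl arguments.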


More information about the openssh-unix-dev mailing list