sshdfilter automatically blocks ssh brute force attacks by reading sshd log output in real time and adding iptables rules based on authentication failures. A block rule is created when a client attempts to log on with an invalid user name, or wrongly guesses the password for an existing account. Block rules are removed after a week to keep the list of blocks small. It also comes with a LogWatch filter.
Operating Systems: POSIX Linux
Release Notes: Support was added for sshd patterns that span multiple lines. The behavior defaults to using all known sshd patterns. The installer now supports Ubuntu.
Release Notes: The configuration parser and the pattern matching engine were rewritten to provide all the flexibility you could ever want. sshdfilter can now read sshd messages from either sshd -eD (as with previous versions of sshdfilter) or via a named pipe maintained by syslog. Hostname lookup for messages was added for PAM-based systems that show hostnames and never a source IP. ipfw support was added.
Release Notes: Support for CentOS 4.3, Slackware, and Debian Sid was added. A config loading bug where SSHDFILTERRC was ignored was fixed. Man page installation was fixed in install.pl. Typos in the documentation were corrected.
Release Notes: Custom ports and options such as -j REJECT are now configuration options. A hanging email command no longer delays sshdfilter. The result code from system() calls is checked when adding block rules. The SSHD chain name is now a config option, so multiple instances of sshdfilter can each have their own chain. Support for multiple configuration files was added. Support for Gentoo and Debian sid was added. The LogWatch installer for Fedora Core 4 was improved. The LogWatch script's compatibility with other versions of LogWatch was improved. Man pages were added for sshdfilter and sshdfilterrc.
Release Notes: Support was added for Suse 10.0 RC 1, CentOS, and Red Hat Enterprise Linux ES release 4. The program now daemonizes like sshd, so it makes a better replacement for sshd in the startup scripts. select() is now used to read sshd output, making repurgetime much more responsive when a small value is given. Email can optionally be sent on block events. More support was added for IPv6 and conversion to IPv4. A typographical bug in the IPv6 to IPv4 conversion of 1.4.0 was fixed.