aoakley.com

BlockHosts: Automatic SSH/FTP blacklisting

Next in our series of "useful sysadmin geekery that you might not know about but once you do, you wonder how you ever lived without it" is BlockHosts, a rather natty script for *nix boxen which denies access to IP addresses which have got the SSH or FTP password repeatedly wrong recently.

If you're running a server on an external static IP address, no doubt you are familiar with /var/log/messages filling up with dictionary password attacks, particularly against common users such as root. BlockHosts, by default, allows only 7 failed attempts per 12-hour period for SSH and ProFTP; it can also be adapted for use with other daemons (although the latest release seems to hang with VSFTP). And best of all, it is proper, proper freeware - Public Domain - none of this impenetrable licence malarkey.

BlockHosts runs automatically when SSHd or ProFTPd are called, so there is no need for a cron job. If you prefer a cron-based solution, however, there is the venerable DenyHosts script instead. Since my attackers have easily got through 300+ attempts in half an hour, I didn't feel a cron-based solution was suitable; I don't want a log parser running every couple of minutes unless the machine is actually being attacked.
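To make the policy above concrete, here is a small added illustration of the counting rule (7 failures allowed per 12-hour window, the next one gets the source blocked). It is not BlockHosts' own code; it parses sshd "Failed password" lines of the kind that land in /var/log/messages, counts them per source IP within a sliding window, and renders the offenders as tcp_wrappers-style hosts.deny entries. The log lines, the year used to complete the syslog timestamps, and the hostname are all constructed for the example.

```python
"""Count recent failed SSH logins per source IP and report those over a threshold.

Added illustration of the blocking policy described in the article (7 failures
per 12-hour window); this is NOT BlockHosts' own code. The log lines below are
constructed to look like sshd entries in /var/log/messages.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamps carry no year, so one is assumed when parsing (constructed data).
LOG_YEAR = 2006

# sshd writes "Failed password for [invalid user] NAME from IP port N ssh2".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=LOG_YEAR):
    """Yield (timestamp, source_ip) for each failed-password line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def offenders(lines, now, threshold=7, window=timedelta(hours=12)):
    """Return {ip: failures} for sources with MORE than `threshold` failures in [now - window, now].

    `threshold` failures are tolerated; the next one tips the source into the block list,
    matching "allows only 7 failed attempts per 12 hour period".
    """
    counts = defaultdict(int)
    for ts, ip in parse_failures(lines):
        if now - window <= ts <= now:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


def deny_lines(blocked):
    """Render blocked IPs as tcp_wrappers /etc/hosts.deny entries (sorted for stable output)."""
    return [f"ALL: {ip}" for ip in sorted(blocked)]


def _fail_line(month_day, hms, user, ip, pid=4242):
    """Build one constructed sshd failure line in syslog layout (hostname 'host' is made up)."""
    return f"{month_day} {hms} host sshd[{pid}]: Failed password for {user} from {ip} port 51515 ssh2"


# Constructed sample log: unrelated lines, one heavy attacker, one light one, one stale one.
SAMPLE_LOG = (
    [
        "Feb 14 09:58:01 host CRON[1200]: (root) CMD (run-parts /etc/cron.hourly)",
        "Feb 14 10:00:12 host sshd[4100]: Accepted publickey for andrew from 198.51.100.20 port 40000 ssh2",
    ]
    # 9 rapid guesses against root from one address: exceeds the 7 allowed
    + [_fail_line("Feb 14", f"10:{m:02d}:30", "root", "203.0.113.5") for m in range(1, 10)]
    # 3 guesses at a non-existent account: under the threshold, stays unblocked
    + [_fail_line("Feb 14", f"10:{m:02d}:05", "invalid user admin", "198.51.100.7") for m in range(20, 23)]
    # 8 guesses, but yesterday evening: outside a 12-hour window ending at noon
    + [_fail_line("Feb 13", f"20:{m:02d}:00", "root", "192.0.2.9") for m in range(0, 8)]
)

# "Now" for the sample run: noon on the day the fresh attempts were logged.
NOW = datetime(LOG_YEAR, 2, 14, 12, 0, 0)

if __name__ == "__main__":
    blocked = offenders(SAMPLE_LOG, NOW)
    for ip, n in sorted(blocked.items()):
        print(f"{ip}: {n} failures in the last 12h")
    print("\n".join(deny_lines(blocked)))
```

Run on the sample, only 203.0.113.5 is reported; 198.51.100.7 stays under the limit, and 192.0.2.9 would only appear if the window were widened to cover the previous evening. The same structure is what any log-driven blocker has to get right: attribute each failure to a source, expire old failures, and act only once the count crosses the line.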

Public Domain - Andrew Oakley - 2006-02-14
