1.\" Copyright (c) 2015 The DragonFly Project. All rights reserved. 2.\" 3.\" This code is derived from software contributed to The DragonFly Project 4.\" by Matthew Dillon <dillon@backplane.com> 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in 14.\" the documentation and/or other materials provided with the 15.\" distribution. 16.\" 3. Neither the name of The DragonFly Project nor the names of its 17.\" contributors may be used to endorse or promote products derived 18.\" from this software without specific, prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 24.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25.\" INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 26.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 30.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.Dd January 1, 2015 34.Dt SSHLOCKOUT 8 35.Os 36.Sh NAME 37.Nm sshlockout 38.Nd utility to block port 22 on preauth failures 39.Sh SYNOPSIS 40.Cd auth.info;authpriv.info |exec /usr/sbin/sshlockout 41.Cd 3 3 * * * ipfw delete 2100 42.Sh DESCRIPTION 43This program is generally installed in 44.Pa /etc/syslog.conf 45as a pipe to parse the 46.Xr sshd 8 47demons error log in realtime. 48In addition, a root crontab entry should generally be created to clean 49out 50.Xr ipfw 8 51rule 2100 at least once a day. 52The 53.Xr ipfw 8 54module must be loaded and operational as well. 55.Pp 56This program will monitor the ssh syslog output and keep track of attempts 57to login to unknown users as well as preauth failures. 58If 5 attempts fail in any one hour period, a permanent entry is added to 59rule 2100 in ipfw to block port 22 from the associated IP address. 60The cron entry you create cleans the block list out typically once a day. 61.Pp 62This program generally limits brute-force attempts to break into a machine 63via ssh. 64.Sh NOTICE 65This program is still a work in progress. 66Currently this program only operates on IPV4 addresses. 67.Sh SEE ALSO 68.Xr ssh 1 , 69.Xr sshd 8 , 70.Xr ipfw 8 , 71.Xr syslog.conf 5 72.Sh HISTORY 73The 74.Nm 75utility first appeared in 76.Dx 4.1 . 77.Sh AUTHORS 78.An Matthew Dillon Aq Mt dillon@backplane.com 79