Are you running into problems with IPTABLES SSH brute force protections dropping your shell scripted jobs and locking you out rather than blocking ssh? Here's a suite solution using swatch (also includes a fine IP exclusion and bad guy list to have swatch still work with IPTABLES at the bottom). Full article: http://greyduck.net/greywiki/Swatch_and_SSH Of course you need to get swatch: # yum install swatch # apt-get install swatch This new method doesn't use 'iptables' but rather a script that creates a timed null-route. It's... interesting. We'll see how it pans out. - Credit where it's due: The bulk of this setup originated here: http://home.gagme.com/greg/linux/protect-ssh.php /etc/swatch.conf: watchfor /Failed password for/ exec "/usr/local/sbin/bad_user $1 $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15" /etc/init.d/swatchrc: #!/bin/sh # # swatchrc This shell script takes care of starting and stopping # swatch. # # chkconfig: 2345 81 31 # description: Swatch is a System WATCHdog program that we are # using here to block repeated failed ssh logins. # processname: swatch RETVAL=0 test -x /usr/bin/swatch || exit 0 start(){ echo "Starting swatch" # Spawn a new swatch program /usr/bin/swatch --config-file=/etc/swatch.conf --tail-file=/var/log/secure --pid-file=/var/run/swatch.pid --awk-field-syntax --tail-args '--follow=name -n 0' & echo $PID return $RETVAL } stop () { # stop daemon echo "Stopping swatch:" $PROG kill -9 `cat /var/run/swatch.pid` rm -f /var/run/swatch.pid killall tail return $RETVAL } restart () { stop start RETVAL=$? return $RETVAL } case "$1" in start) start ;; stop) stop ;; restart) restart ;; *) echo "Usage: $0 {start|stop|restart}" RETVAL=1 esac exit $RETVAL /usr/local/sbin/bad_user: #! /bin/bash # IP=`echo $* | sed 's/^.* from //' | awk '{print $1}' | sed 's/::ffff://'` ATTEMPTS=`grep $IP /var/log/secure | grep "Failed password for" | wc -l` if [ $ATTEMPTS -gt 2 ] then route add $IP lo MINUTES=`expr $ATTEMPTS - 2` echo "route del $IP lo 2> /dev/null" | at now +$MINUTES minutes 2>&1 > /tmp/.bad_user.$$ (hostname ; echo $* ; echo "IP=$IP" ; echo "ATTEMPTS=$ATTEMPTS" ; \ echo "Blocking for $MINUTES minutes" ; \ cat /tmp/.bad_user.$$ ) | Mail -s "bad user" root fi rm -f /tmp/.bad_user.$$ That's the gist of it, oddly enough. A "chkconfig --add swatchrc" doesn't hurt either. Some notes: - We 'killall tail' in the 'swatchrc' file because swatch is too stupid to take care of that itself. - Some IP address protection in '/etc/swatch.conf' isn't a bad idea. (Consider this a TODO note.) - If 'tail' obeys its '--follow=name' parameter correctly then issuing 'swatchrc restart' shouldn't be necessary on log rotation. Time will tell. - This configuration is a new implementation as of mid-June 2006. YMMV and so forth. Older Setup Info This older implementation was used on Debian-based rigs at the old office, and relied on using 'iptables' calls to permanently block offending addresses. Configuration details below are being kept partly for historic value and partly to provide hints on ways to improve the current running configuration. Before setting up Swatch-based SSH login protection, we want to do a couple of things to iptables. iptables -N swatch_rejects iptables -I INPUT 5 -j swatch_rejects /etc/init.d/iptables save active We also need to turn off IPv6 on Fedora Core rigs, otherwise Swatch may have a bitch of a time parsing those log entries with all the "::ffff:" crap. (Do I need IPv6 on my server? No? Righto then.) echo "alias net-pf-10 off" >> /etc/modprobe.conf A reboot is required. Dammit. Here are the configs for using Swatch on a Debian-based rig. One, the /etc/swatch.conf file: # Global swatch filter file # To ignore a IP-range - this is your lifeline :) ignore /10\.21\./ #Invalid SSH Login Attempts watchfor /: [iI]nvalid [uU]ser/ # uncomment this to let them fail 3 times #threshold 3:3600 mail addresses=user\@domain.com,subject="SSH:\ Invalid\ User\ Access-IPTables\ Rule\ Added" exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP" exec "echo $10 >> /opt/badlist.txt" And then, the /etc/init.d/swatchrc file: #!/bin/sh #kill any previously running swatch pid - there should be a check in here kill -9 `cat /var/run/swatch.pid` #delete existing pid file rm -f /var/run/swatch.pid #run swatch - watch the wrap /usr/bin/swatch --tail-file=/var/log/auth.log --config-file=/etc/swatch.conf --awk-field-syntax --pid-file=/var/run/swatch.pid --tail-args='--follow=name -n 0' --daemon To check on how well we're doing: iptables -L swatch_rejects -- www.obnosis.com (503)754-4452 "Contradictions do not exist." A. Rand