Tony's ramblings on Open Source Software, Life and Photography


Using BlockHosts To Stop Brute Force Attacks

Yesterday I posted about implementing rate limiting on new connections. Today I'm going to cover how to take it a step further and watch failed login attempts and automatically block an IP address for a day.

First, you'll want to download BlockHosts from A C Zoom. It's a Python script that can be run every time someone attempts to connect; it watches your log files and dynamically rewrites your /etc/hosts.allow file to keep out the nasties.

So, in a traditional step by step method, here's what to do:

sudo su -
wget http://www.aczoom.com/tools/blockhosts/BlockHosts-2.4.0.tar.gz
tar -zxvf BlockHosts-2.4.0.tar.gz
cd BlockHosts*/
python setup.py install

Now you'll want to configure the /etc/blockhosts.cfg file, so open it with your favorite editor and make the following changes:

Look for "WHITELIST = ". You might want to add your own local network to this just in case.

Look for "LOGFILES" and uncomment the one that says:

LOGFILES = [ "/var/log/auth.log", ]

Look for "[mail]" and plug in your setup if you want it to send you an email periodically telling you what action has been taken.

Save and close that.
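Added example (not from the original post and not BlockHosts' own code): a minimal Python sketch of the idea described above, counting failed sshd logins per address in auth.log-style lines, skipping whitelisted networks, ignoring failures older than a day, and emitting hosts.allow deny lines. The log lines are constructed, and the threshold of 3, the whitelist networks, the assumed year and the function name `deny_lines` are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the sshd format written to /var/log/auth.log.
SAMPLE_LOG = """\
Jan  9 02:00:00 host sshd[3990]: Failed password for root from 198.51.100.23 port 51000 ssh2
Jan  9 02:00:04 host sshd[3990]: Failed password for root from 198.51.100.23 port 51002 ssh2
Jan  9 02:00:09 host sshd[3990]: Failed password for root from 198.51.100.23 port 51004 ssh2
Jan 10 03:12:01 host sshd[4101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:12:05 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 10 03:12:09 host sshd[4101]: Failed password for invalid user test from 203.0.113.7 port 40138 ssh2
Jan 10 08:30:11 host sshd[4200]: Failed password for tony from 192.168.1.50 port 50211 ssh2
Jan 10 08:30:15 host sshd[4200]: Failed password for tony from 192.168.1.50 port 50213 ssh2
Jan 10 08:30:19 host sshd[4200]: Failed password for tony from 192.168.1.50 port 50215 ssh2
Jan 10 09:00:00 host sshd[4300]: Failed password for bob from 203.0.113.99 port 41000 ssh2
Jan 10 09:05:00 host sshd[4301]: Accepted password for tony from 192.168.1.50 port 50300 ssh2
"""

# Anchored at the end of the line so only the address sshd appends last is
# captured, never text inside the client-supplied username.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$")

def deny_lines(log_text, now, whitelist=("127.0.0.0/8", "192.168.1.0/24"),
               threshold=3, block_for=timedelta(days=1)):
    """Return hosts.allow deny lines for addresses with enough recent failures."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; assume the current one.
        seen = datetime.strptime(f"{now.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if now - seen > block_for:
            continue  # old failures age out, so the block lapses after a day
        ip = ipaddress.ip_address(m.group(2))
        if any(ip in net for net in nets):
            continue  # never block whitelisted networks
        counts[ip] += 1
    return [f"ALL: {ip} : deny" for ip in sorted(counts) if counts[ip] >= threshold]

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_LOG, datetime(2024, 1, 10, 12, 0, 0))))
```

The whitelist check is why adding your own local network matters: without it, three mistyped passwords from 192.168.1.50 would lock that machine out too.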