Hi Nick,

I managed to get it working like this. I am also writing this mainly in case other users might benefit from it :-)

In /etc/pf.conf I added only the following line:

    block quick on $ext_if inet proto { tcp udp } from <sshdhackers> to $ext_if

I then placed the following in /root/swatchrc:

    watchfor /Invalid user/
        [EMAIL PROTECTED], --subject=Hacking alert! We have an illegal login attempt!
        exec pfctl -t sshdhackers -T add $10

This means that I will get an email notification, plus pfctl will add the illegal IP to the sshdhackers table.

In my case I only want to block illegal users, since I am using AllowUsers with SSHD and because I don't want to risk blocking someone who might have forgotten his/her password.

This could be extended to block the user if he or she fails at X attempts. Swatch then needs to be looking for "Failed password for USER", where USER is the right username. This actually is a good idea to block in case some script kid gets his hands on the right username.

In /etc/rc.local I have placed the following line:

    /usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog

If one wants to see the IPs in sshdhackers, it can be done with:

    pfctl -t sshdhackers -T show

And if one needs to delete an IP:

    pfctl -t sshdhackers -T delete xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP.

To get swatch to add the illegal entry to its own logging file, say /root/swatchlog (as Nick used), I add this entry in /root/swatchrc after the "exec pfctl" line:

    exec echo $0 >> /root/swatchlog

And if you only want the IP to be logged:

    exec echo $10 >> /root/swatchlog

In case someone doesn't know: $10 means the tenth word in the line (which in authlog is the IP).

Hope others might benefit.

Cheers.
Rico.
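
Added example, not part of Rico's message and not swatch's own code: the extension described above (block a valid user's source after X failed passwords, block an invalid user at once), with the address located by pattern rather than by word position and validated before it is handed to pfctl. The log line format, the threshold of 3, the function names and the sample lines are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Assumed stock OpenSSH authlog messages. Greedy ".*" plus "$" picks the LAST
# " from <addr>": the user name is client-chosen and may contain spaces.
INVALID = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?\s*$")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?!invalid user )\S+ from (\S+) port \d+")

def valid_ip(text):
    """Return the normalised address, or None if text is not a literal IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def addresses_to_block(lines, max_failures=3):
    """Unknown user: block at once. Known user: block after max_failures."""
    failures, blocked = Counter(), []
    for line in lines:
        hit, limit = INVALID.search(line), 1
        if not hit:
            hit, limit = FAILED.search(line), max_failures
        ip = valid_ip(hit.group(1)) if hit else None
        if ip is None or ip in blocked:
            continue
        failures[ip] += 1
        if failures[ip] >= limit:
            blocked.append(ip)
    return blocked

def pfctl_argv(ip):
    """Argument vector for subprocess.run(); no shell ever parses log text."""
    return ["pfctl", "-t", "sshdhackers", "-T", "add", ip]

# Constructed sample lines (documentation addresses, hypothetical host "gw").
SAMPLE = [
    "Mar  3 10:15:01 gw sshd[811]: Invalid user admin from 203.0.113.5",
    "Mar  3 10:15:09 gw sshd[814]: Invalid user test user from 203.0.113.7",
    "Mar  3 10:16:00 gw sshd[820]: Failed password for rico from 198.51.100.9 port 4022 ssh2",
    "Mar  3 10:16:04 gw sshd[820]: Failed password for rico from 198.51.100.9 port 4022 ssh2",
    "Mar  3 10:16:08 gw sshd[820]: Failed password for rico from 198.51.100.9 port 4022 ssh2",
    "Mar  3 10:17:30 gw sshd[831]: Failed password for rico from 192.0.2.44 port 5100 ssh2",
    "Mar  3 10:18:00 gw sshd[840]: Invalid user x from not-an-ip",
]

if __name__ == "__main__":
    for addr in addresses_to_block(SAMPLE):
        print(" ".join(pfctl_argv(addr)))
```

In the second sample line the tenth word is "from", not the address, which is why the example matches on the trailing " from <addr>" instead of counting words.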