1.\" Copyright (c) 2015 The DragonFly Project. All rights reserved. 2.\" 3.\" This code is derived from software contributed to The DragonFly Project 4.\" by Matthew Dillon <dillon@backplane.com> 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in 14.\" the documentation and/or other materials provided with the 15.\" distribution. 16.\" 3. Neither the name of The DragonFly Project nor the names of its 17.\" contributors may be used to endorse or promote products derived 18.\" from this software without specific, prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 24.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25.\" INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 26.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 30.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.Dd January 1, 2015 34.Dt SSHLOCKOUT 8 35.Os 36.Sh NAME 37.Nm sshlockout 38.Nd utility to block port 22 on preauth failures 39.Sh SYNOPSIS 40.Nm 41.Ar table 42.Cd auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf "lockout" 43.Cd 3 3 * * * pfctl -tlockout -Tflush 44.Sh DESCRIPTION 45This program is generally installed in 46.Pa /etc/syslog.conf 47as a pipe to parse the 48.Xr sshd 8 49demons error log in realtime. 50In addition, a root crontab entry should generally be created to clean 51out the 52.Xr pf 4 53.Ar table 54at least once a day. The 55.Xr pf 4 56module must be loaded and operational as well. 57.Pp 58This program will monitor the ssh syslog output and keep track of attempts 59to login to unknown users as well as preauth failures. 60If 5 attempts fail in any one hour period, a permanent entry is added to the 61.Xr pf 4 62.Ar table 63for the associated IP address. 64You still have to add a rule to 65.Xr pf.conf 5 66to block IP addresses listed in this table. 67The cron entry you create cleans the block list out typically once a day. 68.Pp 69This program generally limits brute-force attempts to break into a machine 70via ssh. 71.Sh NOTICE 72This program is still a work in progress. 73.Sh SEE ALSO 74.Xr ssh 1 , 75.Xr pf 4 , 76.Xr syslog.conf 5 , 77.Xr sshd 8 78.Sh HISTORY 79The 80.Nm 81utility first appeared in 82.Dx 4.1 . 83.Sh AUTHORS 84.An Matthew Dillon Aq Mt dillon@backplane.com 85