No, this is not an article about German motorways :)
I, like many before me, have been trying to find a solution to the age-old problem of automagically banning IP addresses trying dictionary attacks against my boxes. I wanted something small and responsive that could interface systemd directly. Existing solutions, like Fail2ban and DenyHosts, despite being widely used and recognized, always seemed to fall short for me for one reason or another, so I decided to write a small piece of software that would integrate nicely into my environment (i.e. shorewall).
Meet sshwsd, a tiny-memory-footprint C program that does just that: scans systemd's journal in search of break-in attempts and builds an ipset that is later fed to shorewall to do its thing. This way, I can take full advantage of best-of-breed software to accomplish the task without unnecessary duplications.
The program is still in beta (GPLv3). After compiling and installing it, a new ipset can be created with
# ipset -N sshwsd iphash
Activation with shorewall is as simple as adding the following rule in /etc/shorewall/blrules:
#ACTION SOURCE DEST
DROP net:+sshwsd all
Conversely, if plain iptables are to be used,
# iptables -A INPUT -m set --match-set sshwsd src -j DROP
will take care of activation. More information is available in the INSTALL file included. One of the advantages of using ipset is that it supports lifting bans after a defined period of time out of the box (see ipset timeout option).
Sshwsd lacks many features (e.g. does not support IPv6, it only works for ssh). Additionally, since it must manage the set, must be insecurely run as root. Nevertheless, as attacks have been drastically cut down from thousands to about a dozen a day, it is proving to be quite an efficient tool in keeping my boxes clean and responsive.
Scripts to start the service with systemd and automate the creation of the set are provided in the contrib directory.