Hi,
I could use a little help with some scripting. My perl/python is rudimentary, and bash not a lot better, but I'm sure this isn't too hard to do...
We get a lot (read thousands a day) of these lines in logs on all the machines we support, including our own:
Jul 6 16:53:24 xxx sshd[1628]: Invalid user chris from 202.202.43.110
It's a script kiddie trying to take advantage of an exploit in SSH. We use key-based authentication only, on SSH V2, so no real risk there, but it's annoying.
What I'd like to do is monitor the logs for such a line (or maybe three on the trot), and immediately do this:
/sbin/route add -host 202.202.43.110 reject
which will lock them out until a restart.
Any help appreciated!
Cheers, Laurie.
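One way to do the counting and blocking described above, added here as an example and not part of the original post: it scans syslog-style lines for the `Invalid user ... from ...` pattern, counts hits per source address, and returns the addresses that reached a threshold (three here). The route command is built as an argv list and only executed when `dry_run` is off; the log lines are constructed sample input, and the allowlist is an assumption to keep your own hosts from being locked out by a typo.

```python
import re
import subprocess
from collections import Counter

# Matches the sshd line quoted in the post; group 2 is the source address.
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

def failed_logins_by_ip(lines):
    """Count 'Invalid user' attempts per source IP over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def ips_to_block(lines, threshold=3, allowlist=()):
    """Addresses with at least `threshold` attempts, skipping allowlisted ones."""
    counts = failed_logins_by_ip(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)

def reject_route_cmd(ip):
    """The command from the post, as an argv list (no shell involved)."""
    return ["/sbin/route", "add", "-host", ip, "reject"]

def block(ip, dry_run=True):
    """Add the reject route (needs root); with dry_run just return the command."""
    cmd = reject_route_cmd(ip)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return " ".join(cmd)

# Constructed sample log lines for demonstration (not real data).
SAMPLE_LOG = """\
Jul 6 16:53:24 xxx sshd[1628]: Invalid user chris from 202.202.43.110
Jul 6 16:53:25 xxx sshd[1630]: Invalid user admin from 202.202.43.110
Jul 6 16:53:27 xxx sshd[1633]: Invalid user test from 202.202.43.110
Jul 6 16:54:02 xxx sshd[1641]: Invalid user bob from 192.0.2.7
Jul 6 16:55:10 xxx sshd[1650]: Accepted publickey for laurie from 198.51.100.5 port 2201 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG, threshold=3, allowlist=("198.51.100.5",)):
        print(block(ip))  # prints: /sbin/route add -host 202.202.43.110 reject
```

For live use, read lines from `tail -F` of the auth log instead of SAMPLE_LOG and keep a set of addresses already blocked so the route is added only once per attacker.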