I Smell Packets


A Script for sshbl.org
January 21, 2010, 8:46 pm
Filed under: DenyHosts, hosts.deny, sshbl.org, sshbl.sh

Here is a simple little shell script to download the blacklist from sshbl.org and create a hosts.deny file from it. If you're unfamiliar with sshbl.org, it maintains a constantly updated blacklist of the IP addresses of hosts that have tried to brute-force different hosts located around the world.

sshbl.sh

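#!/bin/bash
# Remove any previously downloaded blacklist, then fetch a fresh copy into /tmp
rm -f /tmp/base.txt
wget -O /tmp/base.txt http://www.sshbl.org/lists/base.txt
# Remove the old temporary file, then rebuild it from the lines that contain an IP address
rm -f /tmp/base.tmp
cat /tmp/base.txt | grep '[0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9][.][0-9]*[0-9]*[0-9]' | sed 's/^/sshd: /' > /tmp/base.tmp
# Replace hosts.deny with the newly built list
rm /etc/hosts.deny
cp /tmp/base.tmp /etc/hosts.deny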

The above script first deletes any previously downloaded blacklist and then fetches a new one. Next, it removes any previously created temporary file. This temporary file is created by the next command, which performs all of the following functions: displays the blacklist, searches it for IP addresses, inserts 'sshd: ' at the beginning of each line, and directs the output to a temporary file. The 'sshd: ' prefix is inserted because that is what the hosts.deny file expects. Finally, any previous hosts.deny file is deleted and the new hosts.deny file is copied to the /etc directory.

All that’s left is to schedule this script to run using cron and the entire process will be automated.

This simple script takes just a few minutes to set up. If you’re interested in doing even more to automatically block brute-force attacks against your ssh server, take a look at DenyHosts located here. It’s a Python script that takes this to the next level.
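
A variant of the script that leaves the existing hosts.deny in place when the download is empty or malformed, and that writes only lines consisting of a single valid IPv4 address. This is an added example, not part of the original post or sshbl.org's code; the function names, the --update flag and the minimum-entry threshold are assumptions, and it assumes the list holds one IPv4 address per line plus '#' comment lines.

```shell
#!/bin/sh
# Added example (not the original sshbl.sh): validate the list before it
# replaces hosts.deny. Function names and the --update flag are hypothetical.

# Read a blacklist on stdin; print "sshd: <ip>" only for lines that are
# exactly one dotted-quad IPv4 address. Comments, blank lines and lines
# carrying any extra text are dropped.
build_hosts_deny() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($0, o, "."); ok = 1
        for (i = 1; i <= 4; i++)
            if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
        if (ok) print "sshd: " $0
    }'
}

# install_list SRC DEST [MIN]: build DEST from SRC, but leave the existing
# DEST untouched unless at least MIN valid entries were found.
install_list() {
    src=$1; dest=$2; min=${3:-1}
    # Temp file in the same directory, so the final mv is an atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    build_hosts_deny < "$src" > "$tmp"
    count=$(awk 'END { print NR }' "$tmp")
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        echo "only $count valid entries in $src; $dest left unchanged" >&2
        return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$dest"
}

# Download step, run only with --update (needs network access and root).
if [ "${1:-}" = "--update" ]; then
    raw=$(mktemp) || exit 1
    trap 'rm -f "$raw"' EXIT
    wget -q -O "$raw" http://www.sshbl.org/lists/base.txt || exit 1
    install_list "$raw" /etc/hosts.deny 1
fi
```

A non-zero exit status means hosts.deny was not changed, so a cron job can report the failure instead of silently installing an empty list.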


3 Comments so far

Hi,
why so complicated? 😉

#!/bin/sh

curl http://www.sshbl.org/lists/base.txt 2>/dev/null | sed -n '/^[^#]/s/^/sshd: /p' > /etc/hosts.deny

Comment by sshbl.org

I did it that way just so if the download fails, you don’t end up with a blank hosts.deny file. It fails on the copy.

Comment by ismellpackets

You can now skip the sed’ing:

http://www.sshbl.org/lists/hosts.deny

Comment by sshbl.org



