[tlug] Blocking bad sshd bruteforce attempt

["Hung Vu Nguyen" <vuhung16plus@example.com>]

Hi all,

I have openssh 3.7p1 running  on port 22 in Debian ( quite old
version). The kernel is 2.4.30 with openwall patched. I also have
logwatch and logcheck running and they send me security report
everyday.

> From logcheck:

Security Events
=-=-=-=-=-=-=-=
Jul 11 07:02:05 aoclife sshd[24861]: Illegal user sysadmin from 202.158.162.53
Jul 11 07:02:05 aoclife sshd[24861]: Failed password for illegal user
sysadmin from 202.158.162.53 port 37391 ssh2
Jul 11 07:02:05 aoclife sshd[24902]: Illegal user sysadmin from 202.158.162.53

I don't worry about that because 'he' is just bruteforcing me. My sshd
is secured /etc/hosts.allow .

And from logwatch:

 hidekazu/password from 211.96.27.90: 1 Time(s)
 hirofumi/password from 211.96.27.90: 1 Time(s)
 hirohisa/password from 211.96.27.90: 1 Time(s)
 hirokazu/password from 211.96.27.90: 1 Time(s)
 hiroshi/password from 211.96.27.90: 1 Time(s)
 hisashi/password from 211.96.27.90: 1 Time(s)
 hitoshi/password from 211.96.27.90: 1 Time(s)

japanese usernames :D. Because my server is running an DDNS with .jp
in the end so I think that it is not an automated bruteforce attempt.
And I want to block such kind of attempt *automatically*. If we can
block those IPs with iptables -j REJECT, then the log will be much
cleaner ( 250KB each time is so annoying ).

I remember that someone in TLUG has posted a ruby (?) script to the
list but I couldn't find the post in the archives.

Please share your ideas.

--
Best Regards,
Nguyen Hung Vu
vuhung16plus{remove}@example.com