
sshblack for OSX


I’ve posted up my modified version of sshblack for OS X. I’ve also added in syslog functionality.

For more information and to download see my code page.

Ongoing SSH Attacks


For pretty much as long as I’ve had SSH enabled on my Mac Pro it’s been under occasional attacks from machines trying to connect via SSH. About two months ago I noticed in my logs that the illicit activity had stepped up considerably. Instead of a few attempts with a handful of user names from one IP I was now being hit continuously (at the peak of it near 1000 attempts an hour) from what seemed to be a different IP each time, with the user name incrementing by one character. It was obvious that this was the work of a large botnet.

After doing a bit of digging in my logs I discovered that there were roughly 300 or so unique IPs hitting me. A few Google searches later and I discovered sshblack. It’s a Perl-based log monitor that watches your SSH log (/var/log/secure.log for those of you running OS X) for invalid attempts and after X number of failures in Y amount of time it adds the IP to your firewall deny list for Z number of days. The program was originally written to work with ipchains, but OS X uses IPFW2, so some minor modifications were necessary. Since I was already playing around in the files I decided I’d modify the logging sections to take advantage of the built-in syslog system in OS X instead of just printing out directly to a log file.

I’ll be posting up my modifications as well as some instructions on how to get it all working on my code page in the next couple days once I’ve cleaned it up.
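
The threshold logic described in the post above (X failures within Y time, then a firewall block for Z days), as an added Python example that is not sshblack's code or the author's modifications. The thresholds, the sshd message formats matched, the host name, the rule number and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (the post's X, Y and Z); not sshblack's defaults.
MAX_FAILURES = 3                  # X failures
WINDOW = timedelta(minutes=10)    # within Y
BAN_FOR = timedelta(days=3)       # blocked for Z

# sshd messages counted as failed attempts (formats assumed from stock OpenSSH).
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})\b"
)

def find_bans(lines, year=2008):
    """Return {ip: (banned_at, expires_at)} for IPs that cross the threshold."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue              # already on the deny list
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW: # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            bans[ip] = (ts, ts + BAN_FOR)
            q.clear()
    return bans

def ipfw_rule(ip, rule_number=2000):
    """Build (not run) an IPFW deny rule; the rule number is an assumption."""
    return f"ipfw add {rule_number} deny ip from {ip} to any"

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "Mar 13 14:00:01 macpro sshd[411]: Invalid user aaa from 203.0.113.5",
    "Mar 13 14:00:09 macpro sshd[415]: Invalid user aab from 203.0.113.5",
    "Mar 13 14:00:12 macpro sshd[417]: Accepted publickey for me from 192.0.2.10 port 50022 ssh2",
    "Mar 13 14:00:20 macpro sshd[419]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Mar 13 14:01:00 macpro sshd[430]: Invalid user a from 198.51.100.7",
    "Mar 13 14:30:00 macpro sshd[431]: Invalid user b from 198.51.100.7",
    "Mar 13 15:00:00 macpro sshd[432]: Invalid user c from 198.51.100.7",
]
```

In the sample, 203.0.113.5 is blocked on its third failure, while 198.51.100.7 spaces its attempts wider than the window and never reaches the per-IP threshold.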

genesis.


Grab a seat. Stay a while. There’s not much here yet, but there will be.

c0dedbad.com will primarily be a home for any coding I do, such as my Categorical Links Page plugin for WordPress and my still-in-the-planning-stages firewall log graphing tool, to be written in Perl.

I will also be posting here about IT security and information assurance, as it is one of my primary interests and my current career path.

There’s a pretty good chance that some random rambling will happen from time to time as well.

Want to know more about me and this site? Check out the about page. Don’t want to know anything about me and the site? Read it anyway. You know you don’t have anything better to do.

Content Copyright © 2008 . All rights reserved.