
Ongoing SSH Attacks


For pretty much as long as I’ve had SSH enabled on my Mac Pro, it’s been under occasional attack from machines trying to log in via SSH. About two months ago I noticed in my logs that the illicit activity had stepped up considerably. Instead of a few attempts with a handful of user names from one IP, I was now being hit continuously (near 1000 attempts an hour at the peak) from what seemed to be a different IP each time, with the user name incrementing by one character on every attempt. It was obvious that this was the work of a large botnet.

After doing a bit of digging in my logs I discovered that roughly 300 unique IPs were hitting me. A few Google searches later I discovered sshblack. It’s a Perl-based log monitor that watches your SSH log (/var/log/secure.log for those of you running OS X) for invalid login attempts, and after X failures from one IP within Y amount of time it adds that IP to your firewall deny list for Z days. The program was originally written to work with ipchains, but OS X uses IPFW2, so some minor modifications were necessary. Since I was already playing around in the files, I decided I’d modify the logging sections to take advantage of the built-in syslog system in OS X instead of just printing directly to a log file.
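The X-failures-in-Y-time, block-for-Z-days logic that sshblack implements is easy to get subtly wrong (the window has to slide, and an IP that is already blocked should not be counted again until the block expires), so here is a small stand-alone version of that logic as an added example. This is my own Python, not sshblack’s Perl and not the modifications described in this post. The log lines are constructed in the style of OpenSSH’s syslog messages (using TEST-NET addresses), the threshold, window and expiry values are assumed, and the IPFW rule is only returned as a string rather than executed.

```python
"""Threshold-based SSH brute-force blocker in the style of sshblack.

Added example: parses failed-login lines, keeps a sliding window of
failures per source IP, and decides when an IP would be added to the
firewall deny list and for how long.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log, modelled on OpenSSH syslog output; not a real capture.
SAMPLE_LOG = """\
Mar 12 10:15:01 macpro sshd[4311]: Invalid user aa from 203.0.113.5
Mar 12 10:15:03 macpro sshd[4313]: Invalid user ab from 203.0.113.5
Mar 12 10:15:05 macpro sshd[4315]: Failed password for root from 203.0.113.5 port 40011 ssh2
Mar 12 10:15:06 macpro sshd[4317]: Accepted publickey for jim from 198.51.100.7 port 51022 ssh2
Mar 12 10:15:09 macpro sshd[4319]: Invalid user ac from 203.0.113.5
Mar 12 10:20:00 macpro sshd[4321]: Invalid user ae from 198.51.100.9
Mar 12 10:30:00 macpro sshd[4323]: Invalid user ba from 203.0.113.5
Mar 12 10:59:00 macpro sshd[4325]: Invalid user af from 198.51.100.9
Mar 12 11:40:00 macpro sshd[4327]: Failed password for invalid user ag from 198.51.100.9 port 40012 ssh2
Mar 12 11:41:00 macpro sshd[4329]: Invalid user ah from 198.51.100.9
"""

# Matches the two common OpenSSH failure messages; successful logins do not match.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Failed password for (?:invalid user )?\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(text, year=2008):
    """Yield (timestamp, source_ip) for every failed-login line.

    syslog timestamps carry no year, so one is supplied (assumed here).
    Lines that are not login failures are ignored.
    """
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("ip")


def find_blocks(text, threshold=4, window_minutes=10, expiry_days=1):
    """Return [(ip, blocked_at, expires_at), ...] in the order blocks are triggered.

    threshold       = X failures
    window_minutes  = Y amount of time (sliding window)
    expiry_days     = Z days the deny rule stays in place
    All three defaults are assumed values for this example.
    """
    window = timedelta(minutes=window_minutes)
    expiry = timedelta(days=expiry_days)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    blocked = {}                  # ip -> when its deny rule expires
    decisions = []

    for ts, ip in parse_failures(text):
        if ip in blocked:
            if ts < blocked[ip]:
                continue          # still denied; a real firewall rule would drop this traffic
            del blocked[ip]       # block expired: start counting afresh
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # slide the window forward
        if len(q) >= threshold:
            blocked[ip] = ts + expiry
            decisions.append((ip, ts, ts + expiry))
            q.clear()
    return decisions


def ipfw_deny_rule(ip):
    """IPFW2 command that would add the deny rule (returned, not executed)."""
    return f"ipfw add deny ip from {ip} to any"


if __name__ == "__main__":
    for ip, start, end in find_blocks(SAMPLE_LOG):
        print(f"{start:%b %d %H:%M:%S} block {ip} until {end:%b %d %H:%M:%S}: {ipfw_deny_rule(ip)}")
```

With the defaults, 203.0.113.5 is blocked on its fourth failure within ten minutes and its later attempt is ignored while the block is live, whereas 198.51.100.9 also racks up four failures but spread over more than an hour, so it never trips the window. Widening the window to two hours catches it too, which is exactly the trade-off the X/Y/Z knobs let you tune.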

I’ll be posting my modifications, along with some instructions on how to get it all working, on my code page in the next couple of days once I’ve cleaned it up.

Content Copyright © 2008 . All rights reserved.