#!/usr/bin/perl -w
#
# Watch syslog for ssh, ftp or dovecot attacks. Call like this:
# sshwatch.pl </var/log/messages
# or:
# tail -f /var/log/messages /var/log/mail | sshwatch.pl

# command to block an ip address. %s is replaced by the ip adress.
$block_cmd = "/sbin/iptables -I INPUT -s %s -j DROP";

# command to unblock an ip address. %s is replaced by the ip adress.
$unblock_cmd = "/sbin/iptables -D INPUT -s %s -j DROP";

# time to block an address (seconds).
$block_time = 3600;

# time to pause if end of messages is reached (seconds).
$pause_time = 5;

# open syslog.
use Unix::Syslog;
Unix::Syslog::openlog("sshwatch", 0, Unix::Syslog::LOG_LOCAL5);

# make stdin non-blocking.
use Fcntl;
$flags = 0;
fcntl(STDIN, F_GETFL, $flags);
$flags |= O_NONBLOCK;
fcntl(STDIN, F_SETFL, $flags);

Unix::Syslog::syslog(Unix::Syslog::LOG_INFO,
    "skipping to end of file...");
while ($line = <STDIN>) {
}

while (1) {
    sleep $pause_time;
    $t = time();
    foreach $ip (keys(%times)) {
	$age = $t - $times{$ip};
	if ($age > $block_time) {
	    if (defined($blocked{$ip})) {
		Unix::Syslog::syslog(Unix::Syslog::LOG_INFO,
		    "$ip blocked for more than $block_time seconds, unblocking");
		$cmd = sprintf $unblock_cmd, $ip;
		Unix::Syslog::syslog(Unix::Syslog::LOG_INFO, $cmd);
		system $cmd;
		delete $blocked{$ip};
	    } else {
		Unix::Syslog::syslog(Unix::Syslog::LOG_INFO,
		    "forgetting $tries{$ip} failed logins from $ip after $block_time seconds")
	    }
	    delete $times{$ip};
	    delete $tries{$ip};
	}
    }
    while ($line = <STDIN>) {
	chomp($line);
	$ip = "";
	if ($line =~ /sshd.*Failed password for.*from/) {
	    ($ip = $line) =~ s/.*from ([^ ]*) .*/$1/;
	} elsif ($line =~ /dovecot.*auth failed/) {
	    ($ip = $line) =~ s/.*rip=([^,]*),.*/$1/;
	} elsif ($line =~ /ftpd.*Authentication failed/) {
	    ($ip = $line) =~ s/.*\@([^\)]*)\).*/$1/;
	}
	if ($ip ne "") {
	    $times{$ip} = $t;
	    if (defined($tries{$ip})) {
		$tries{$ip}++;
	    } else {
		$tries{$ip} = 1;
	    }
	    Unix::Syslog::syslog(Unix::Syslog::LOG_INFO,
		"possible attack from $ip: $tries{$ip} failed logins");
	    if ($tries{$ip} == 6) {
		Unix::Syslog::syslog(Unix::Syslog::LOG_INFO,
		    "more than 5 failed logins from $ip, blocking");
		$cmd = sprintf $block_cmd, $ip;
		Unix::Syslog::syslog(Unix::Syslog::LOG_INFO, $cmd);
		system $cmd;
		$blocked{$ip} = $t;
	    }
	}
    }
}