[KLUG Members] auto-nullrouting

Jamie McCarthy jamie at mccarthy.vg
Wed Nov 23 09:49:44 EST 2005


Hi,

It's a fact of life that any machine exposed to the internet gets
brute-force password attacks happening pretty much constantly.  The
attacks try different passwords against common usernames over and
over.  What shows up in the syslog for my Debian machine is this:

Nov 22 18:14:28 localhost sshd[17004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
Nov 22 18:14:31 localhost sshd[17007]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:33 localhost sshd[17007]: Failed password for invalid user anita from 200.93.221.165 port 41264 ssh2
Nov 22 18:14:35 localhost sshd[17010]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:37 localhost sshd[17010]: Failed password for invalid user test from 200.93.221.165 port 41637 ssh2
Nov 22 18:14:40 localhost sshd[17013]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:42 localhost sshd[17013]: Failed password for invalid user bind from 200.93.221.165 port 42095 ssh2

I always use very strong passwords, but I have a few users on this
machine who might not, so I'd like to automatically detect this
kind of attack and reject all traffic from and to that IP number
for a few hours.  It doesn't have to respond instantaneously or
anything:  within a few minutes is fine.

(a) Anyone know of a Debian package that does this?

(b) If not, does anyone have a favorite way to build this behavior
using standard tools?  I could pretty easily write a script to tail
the log and permanently ban such IPs, but for the sake of a clean
routing table I'd rather the IPs get unbanned after a few hours,
which is a somewhat more difficult project.
-- 
  Jamie McCarthy
 http://mccarthy.vg/
  jamie at mccarthy.vg
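
The log-scanning and temporary-ban logic asked for in (b), as an added example (not the poster's code, and not a real Debian package): it parses sshd "Failed password" lines of the format shown above, counts failures per source address in a sliding window, adds a blackhole route with `ip route add blackhole A.B.C.D/32` once a threshold is reached, and removes the route again after the ban period. The threshold (5 failures in 10 minutes), the ban length (3 hours), the year supplied to the parser (syslog timestamps carry none), the `dry_run` flag and the second host 192.0.2.10 in the sample are all assumptions made for the example; the sample log reuses five lines from the post plus three constructed ones.

```python
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" lines as syslog writes them (format from the post), e.g.
# Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failure(line, year):
    """Return (timestamp, ip, user) for a failed-password line, else None.
    syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


class NullRouter:
    """Count failures per source IP inside a sliding window; when the threshold
    is hit, add a blackhole route and remember when to remove it again."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=3), allow=frozenset(), dry_run=True):
        self.threshold = threshold
        self.window = window
        self.ban_for = ban_for
        self.allow = set(allow)              # addresses never banned (your own, for instance)
        self.dry_run = dry_run               # True: record the command instead of running it
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> datetime at which the ban expires
        self.actions = []                    # ("add"|"del", ip), in the order issued

    def _route(self, verb, ip):
        # `ip route add blackhole A.B.C.D/32` drops every packet routed to that
        # address, so the attacker's TCP handshake never completes; `del` undoes it.
        cmd = ["ip", "route", verb, "blackhole", f"{ip}/32"]
        self.actions.append((verb, ip))
        if not self.dry_run:
            subprocess.run(cmd, check=False)

    def observe(self, ts, ip):
        """Record one failure; return True if this failure triggered a ban."""
        if ip in self.allow or ip in self.banned:
            return False
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) < self.threshold:
            return False
        self.banned[ip] = ts + self.ban_for
        recent.clear()
        self._route("add", ip)
        return True

    def expire(self, now):
        """Remove routes whose ban period has passed; return the released IPs."""
        released = [ip for ip, until in self.banned.items() if until <= now]
        for ip in released:
            del self.banned[ip]
            self._route("del", ip)
        return released

    def feed(self, lines, year):
        """Parse a batch of log lines; return the IPs banned because of this batch."""
        newly = []
        for line in lines:
            parsed = parse_failure(line.rstrip("\n"), year)
            if parsed and self.observe(parsed[0], parsed[1]):
                newly.append(parsed[1])
        return newly


# Constructed sample: five lines from the post, a constructed fifth failure from
# the same host (against a valid user this time), and two constructed failures
# from 192.0.2.10, which stays below the threshold.
SAMPLE_LOG = """\
Nov 22 18:14:28 localhost sshd[17004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.93.221.165
Nov 22 18:14:30 localhost sshd[17004]: Failed password for invalid user db from 200.93.221.165 port 40865 ssh2
Nov 22 18:14:33 localhost sshd[17007]: Failed password for invalid user anita from 200.93.221.165 port 41264 ssh2
Nov 22 18:14:37 localhost sshd[17010]: Failed password for invalid user test from 200.93.221.165 port 41637 ssh2
Nov 22 18:14:42 localhost sshd[17013]: Failed password for invalid user bind from 200.93.221.165 port 42095 ssh2
Nov 22 18:14:44 localhost sshd[17016]: Failed password for root from 200.93.221.165 port 42511 ssh2
Nov 22 18:15:01 localhost sshd[17020]: Failed password for jamie from 192.0.2.10 port 50001 ssh2
Nov 22 18:15:09 localhost sshd[17021]: Failed password for jamie from 192.0.2.10 port 50002 ssh2
""".splitlines()


def run_sample(year=2005):
    """Run the sample through a dry-run router; return (router, newly banned IPs)."""
    router = NullRouter(threshold=5, dry_run=True)
    banned = router.feed(SAMPLE_LOG, year)
    return router, banned


if __name__ == "__main__":
    router, banned = run_sample()
    print("banned:", banned)
    print("released at 21:15:", router.expire(datetime(2005, 11, 22, 21, 15)))
    print("actions:", router.actions)
```

In a real deployment the loop would read lines from `tail -F /var/log/auth.log` into `feed()` and call `expire()` every minute or so with `datetime.now()`, run as root with `dry_run=False`. Two caveats: a blackhole route only drops packets *to* the address (the attacker's SYNs still reach the host, but no SYN-ACK goes back, which is enough to stop the guessing), so an `iptables -I INPUT -s A.B.C.D -j DROP` rule is the option if traffic in both directions must be blocked; and the `allow` set exists so that a mistyped password of your own cannot lock you out of the machine. For the general case, the Debian package fail2ban does this kind of log-driven, time-limited banning.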
