I became distracted by the constant stream of SSH authentication failures going past while tailing system logs in ElasticSearch, so I made this tool to firewall off repeat offenders.

I have multiple systems sending syslog to ElasticSearch for centralised logging. I believe that every SSH-capable public IP gets a continuous stream of SSH authentication attempts for common username and password combinations. These didn't bother me until I had centralised logging, and now they do.

My Linux systems all use signed SSH keys for authentication, so I'm not at all worried about password attempts; they are just distracting. I have a Ubiquiti EdgeRouter X as my gateway, so I thought this would be the best place to add dynamic firewall rules for IPs that repeatedly attempt authentication for unknown / bad users (especially root).

This tool (rootblocker) runs on my Kubernetes cluster but that's not required at all.

It starts off by reading a configuration file (config.yaml) that specifies the ElasticSearch connection details, including the search query, as well as the EdgeRouter details. The code should be flexible enough to perform the same operations on a different device. If anyone wants to modify it, I'd be happy to take changes.

The code maintains a per-IP count of authentication failures. Once an address reaches the failure threshold, it is added to a rootblocker address group on the router, which has a corresponding firewall rule dropping packets from any address in the group. After 1 hour, the address is dropped from the address group, keeping it lean.
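The threshold-and-expiry logic above, written out as an added example in Go. This is not rootblocker's own code: the `Blocker` interface and the in-memory `FakeRouter` stand in for the EdgeRouter address-group calls (which the page does not show), the sshd log lines are constructed, and the allowlist of networks that must never be blocked is an addition the page does not mention.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"time"
)

// Blocker is the router side. In rootblocker this would drive the EdgeRouter
// address group; the interface and its fake implementation are assumptions.
type Blocker interface {
	Add(ip string) error
	Remove(ip string) error
}

// FakeRouter records address-group membership in memory (constructed stand-in).
type FakeRouter struct{ Group map[string]bool }

func NewFakeRouter() *FakeRouter               { return &FakeRouter{Group: map[string]bool{}} }
func (r *FakeRouter) Add(ip string) error    { r.Group[ip] = true; return nil }
func (r *FakeRouter) Remove(ip string) error { delete(r.Group, ip); return nil }

// Tracker keeps per-IP failure counts and the time each IP was blocked.
type Tracker struct {
	Threshold int
	BlockFor  time.Duration
	Allow     []*net.IPNet // never block these (your own management networks)
	failures  map[string]int
	blockedAt map[string]time.Time
	router    Blocker
}

func NewTracker(router Blocker, threshold int, blockFor time.Duration, allow []string) (*Tracker, error) {
	t := &Tracker{Threshold: threshold, BlockFor: blockFor, router: router,
		failures: map[string]int{}, blockedAt: map[string]time.Time{}}
	for _, cidr := range allow {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, err
		}
		t.Allow = append(t.Allow, n)
	}
	return t, nil
}

// sshdFail matches the two sshd messages for a bad user or a bad password:
//   "Invalid user admin from 203.0.113.5 port 4444"
//   "Failed password for [invalid user ]root from 203.0.113.5 port 4445 ssh2"
var sshdFail = regexp.MustCompile(`(?:Invalid user (\S+) from|Failed password for (?:invalid user )?(\S+) from) (\S+)`)

// ParseFailure returns (user, ip, true) when line is an sshd auth failure.
func ParseFailure(line string) (user, ip string, ok bool) {
	m := sshdFail.FindStringSubmatch(line)
	if m == nil || net.ParseIP(m[3]) == nil {
		return "", "", false
	}
	user = m[1]
	if user == "" {
		user = m[2]
	}
	return user, m[3], true
}

func (t *Tracker) allowed(ip string) bool {
	p := net.ParseIP(ip)
	for _, n := range t.Allow {
		if n.Contains(p) {
			return true
		}
	}
	return false
}

// Observe feeds one log line; it returns true when the line caused a new block.
func (t *Tracker) Observe(line string, now time.Time) (bool, error) {
	_, ip, ok := ParseFailure(line)
	if !ok || t.allowed(ip) || t.Blocked(ip) {
		return false, nil
	}
	t.failures[ip]++
	if t.failures[ip] < t.Threshold {
		return false, nil
	}
	if err := t.router.Add(ip); err != nil {
		return false, err
	}
	t.blockedAt[ip] = now
	delete(t.failures, ip) // counting starts fresh once the block expires
	return true, nil
}

// Expire removes addresses that have been blocked for at least BlockFor.
func (t *Tracker) Expire(now time.Time) ([]string, error) {
	var removed []string
	for ip, at := range t.blockedAt {
		if now.Sub(at) >= t.BlockFor {
			if err := t.router.Remove(ip); err != nil {
				return removed, err
			}
			delete(t.blockedAt, ip)
			removed = append(removed, ip)
		}
	}
	return removed, nil
}

// Blocked reports whether ip is currently in the block group.
func (t *Tracker) Blocked(ip string) bool { _, ok := t.blockedAt[ip]; return ok }

func main() {
	r := NewFakeRouter()
	tr, _ := NewTracker(r, 3, time.Hour, []string{"192.0.2.0/24"})
	now := time.Now()
	for _, l := range []string{ // constructed sshd lines
		"sshd[1]: Invalid user admin from 203.0.113.5 port 4444",
		"sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2",
		"sshd[4]: Failed password for root from 203.0.113.5 port 4445 ssh2",
	} {
		if b, _ := tr.Observe(l, now); b {
			fmt.Println("blocked", r.Group)
		}
	}
	removed, _ := tr.Expire(now.Add(time.Hour))
	fmt.Println("expired", removed)
}
```

The allowlist is the check worth keeping even if nothing else is reused: a tool that writes firewall rules from log content will eventually see a typo'd login from your own laptop or jump host, and without an exemption it will lock you out of the gateway for the full block period.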

How to run it

$ git clone
$ cd rootblocker
$ go build .
$ $EDITOR config.yaml  # Add your ElasticSearch and router details
$ ./rootblocker --config config.yaml --test

Remove the --test flag when you've decided it does the right thing.

[ Source ]