I became distracted by the constant stream of SSH authentication failures going past while tailing system logs in ElasticSearch, so I made this tool to firewall off repeat offenders.
I have multiple systems sending syslog to ElasticSearch for centralised logging. I believe that every ssh-capable public IP will get a continuous stream of SSH authentication attempts for common username and password combinations. These didn't bother me until I had centralised logging, and now they do.
My Linux systems all use signed SSH keys for authentication so I'm not at all worried about password attempts, they are just distracting. I have a Ubiquiti EdgeRouter X as my gateway, so I thought this would be the best place to add dynamic firewall rules for IPs that repeatedly attempt authentication for unknown / bad users (especially root).
This tool (rootblocker) runs on my Kubernetes cluster but that's not required at all.
It starts off reading a configuration file (config.yaml) that specifies the ElasticSearch connection details including the search query, as well as the EdgeRouter details. The code should be flexible enough to perform the same operations on a different device. If anyone wants to modify it, I'd be happy to take changes.
The code maintains a list of offending IP addresses. Once a threshold of failures is reached, that IP address is added to a rootblocker address group on the router, which has a corresponding firewall rule dropping any matching packets. After 1 hour, the address is dropped from the address group, keeping it lean.
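The threshold-and-expiry bookkeeping described above, as an added Go example rather than rootblocker's own code: the Tracker type, its method names, the in-memory maps and the fixed one-hour block are assumptions, and the ElasticSearch polling and the router call that actually edits the address group are left out.

```go
package main

import (
	"fmt"
	"time"
)

// Tracker keeps per-IP failure counts and the blocked set (added example; not rootblocker's own code).
type Tracker struct {
	Threshold int                  // failures before an IP is blocked
	BlockFor  time.Duration        // how long an IP stays in the address group
	failures  map[string]int       // source IP -> failed logins so far
	blocked   map[string]time.Time // source IP -> time it was blocked
}

// RecordFailure counts a failed login from ip at time now; true means "add ip to the address group now".
func (t *Tracker) RecordFailure(ip string, now time.Time) bool {
	if t.failures == nil { // lazy init so a zero-value Tracker{...} works
		t.failures, t.blocked = map[string]int{}, map[string]time.Time{}
	}
	if _, done := t.blocked[ip]; done {
		return false // already in the address group
	}
	if t.failures[ip]++; t.failures[ip] < t.Threshold {
		return false
	}
	t.blocked[ip] = now
	delete(t.failures, ip) // start the count afresh once the block expires
	return true
}

// Expired returns and forgets the IPs blocked for at least BlockFor, so the caller can remove them from the group.
func (t *Tracker) Expired(now time.Time) []string {
	var out []string
	for ip, since := range t.blocked {
		if now.Sub(since) >= t.BlockFor {
			out = append(out, ip)
			delete(t.blocked, ip)
		}
	}
	return out
}

func main() { // constructed run: three failures from one source, then the one-hour expiry
	tr, now := &Tracker{Threshold: 3, BlockFor: time.Hour}, time.Now()
	for i := 0; i < 3; i++ {
		fmt.Println("add to address group?", tr.RecordFailure("203.0.113.5", now))
	}
	fmt.Println("remove from address group:", tr.Expired(now.Add(time.Hour)))
}
```

Because Expired also forgets the IP, a source that keeps hammering after its hour is up has to cross the threshold again before it is re-added, which is the "keeping it lean" behaviour the post describes.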
How to run it
$ git clone https://github.com/dparrish/rootblocker
$ cd rootblocker
$ go build .
$ $EDITOR config.yaml # Add your ElasticSearch and router details
$ ./rootblocker --config config.yaml --test
Remove the --test flag when you've decided it does the right thing.