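#!/usr/bin/perl
# attack.pl by Stef Caunter October 2005
# run in root's crontab once a minute
# solution for NetBSD with ipf
#
# Scans the sshd log for login failures, writes an ipf ruleset that blocks
# every offending source address, and reloads ipfilter.  The whole log is
# re-read on every run, so an address stays blocked only as long as its
# failure lines remain in the log (a rotation drops the blocks again).
use strict;
use warnings;

my $my_ip    = '1.2.3.4';            # put your external IP in here
my $authlog  = '/var/log/authlog';   # the sshd log that is scanned
my $ipf_conf = '/etc/ipf.conf';      # the ruleset that gets rewritten

# whitelist your IP addresses below (2 are shown).  The patterns are
# anchored and the dots escaped, so "192.168." cannot also match
# "192x168..." or "1923168...".  Fill this in before enabling the script:
# a single typo in your own password would otherwise block you out.
my @whitelist = (
    qr/\A192\.168\./,
    qr/\A5\.6\.7\.8\z/,
);

# Only a well-formed dotted quad may reach the ruleset: the address comes
# from log text and is written verbatim into the ipf configuration.
my $ipv4_re = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# check the sshd log
open my $log, '<', $authlog or die "open $authlog: $!\n";
my %hits_from;   # source IP -> number of login failures seen
while (my $line = <$log>) {
    # The loop condition was empty in the original, which never reads the
    # handle and never terminates; the log is consumed line by line here.
    # "Illegal user" is the older sshd wording, newer releases log
    # "Invalid user" for the same event; "Failed password" lines may
    # carry an "invalid user" prefix before the user name.
    if (   $line =~ / (?:Illegal|Invalid) user \w+ from (?<ip>$ipv4_re)/
        or $line =~ / Failed password for (?:invalid user )?\w+ from (?<ip>$ipv4_re)/)
    {
        $hits_from{ $+{ip} }++;
    }
}
close $log or die "close $authlog: $!\n";

# if we find a login failure block the tcp connection
if (%hits_from) {
    # Build the ruleset in a temporary file next to the real one and rename
    # it into place, so a crash mid-write never leaves a truncated ruleset
    # for the next reload to pick up.
    my $tmp = "$ipf_conf.new";
    open my $ipf, '>', $tmp or die "open $tmp: $!\n";

    # if you don't have a sophisticated ruleset, this will keep things working
    # you can also pull in your existing ruleset (into an array) first
    # and just append the new rules after printing them back in
    print {$ipf} "pass in all\n";
    print {$ipf} "pass out all\n";

    for my $src (sort keys %hits_from) {
        # whitelisted addresses are never blocked, however many failures
        next if grep { $src =~ $_ } @whitelist;
        # "quick" makes the block rule win over the "pass in all" above
        print {$ipf} "block in quick from $src to $my_ip\n";
    }

    # buffered write errors only surface at close, so it must be checked
    close $ipf or die "close $tmp: $!\n";
    rename $tmp, $ipf_conf or die "rename $tmp to $ipf_conf: $!\n";

    # list form avoids the shell; a failed reload must not pass silently,
    # because the on-disk ruleset and the active one would then differ
    system('/etc/rc.d/ipfilter', 'reload') == 0
        or die 'ipfilter reload failed, exit status ' . ($? >> 8) . "\n";
}
else {
    # can't think of anything else to do here
    exit;
}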