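#! /bin/sh
# Author: Michael Bienia
# Based on an idea from http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks
#
# SSH brute-force blocker, init-script style.
#
# Usage: $0 {start|stop|restart|status}
#
# All rules are appended to INPUT for interface $DEV, tcp/22, NEW
# connections only:
#   1. NEW connections from PING_NETZ are accepted outright. That network
#      is never tracked and never banned, so keep it as small as possible.
#   2. A source already listed in the recent table "ssh_badguys" is
#      rejected and its timestamp refreshed (--update), so the ban lasts
#      120 s after the LAST attempt, not the first.
#   3. Every other NEW connection is recorded in the recent table "ssh".
#   4. A source with 5 or more hits in "ssh" within 60 s jumps to
#      SSH_BADGUYS, which lists it in "ssh_badguys", logs and rejects.
#
# Because the rules are appended (-A), an earlier INPUT rule that already
# accepts tcp/22 would shadow them; check the INPUT chain if bans never
# trigger. Whatever accepts the non-banned SSH connections is not part of
# this script.

IPT=/sbin/iptables
DEV=servernet2
PING_NETZ=83.97.48.0/21   # trusted source network, exempt from the limiter

# Directories where the kernel exposes recent tables. The module moved
# from ipt_recent to xt_recent in newer kernels, so status tries both.
# Space-separated on purpose: POSIX sh has no arrays.
RECENT_DIRS="/proc/net/xt_recent /proc/net/ipt_recent"

test -x "$IPT" || exit 0

#######################################
# Apply the INPUT rules with the given iptables action.
# Single source of truth for the rule specs, so that stop deletes
# exactly what start added and nothing else.
# Arguments: $1 - iptables action, -A to append or -D to delete
#######################################
_input_rules () {
  $IPT "$1" INPUT -i "$DEV" -p tcp --dport 22 -s "$PING_NETZ" -m state --state NEW -j ACCEPT
  $IPT "$1" INPUT -i "$DEV" -p tcp --dport 22 -m state --state NEW -m recent --name ssh_badguys --update --seconds 120 -j REJECT --reject-with icmp-admin-prohibited
  $IPT "$1" INPUT -i "$DEV" -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh
  $IPT "$1" INPUT -i "$DEV" -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 5 --name ssh -j SSH_BADGUYS
}

#######################################
# Create the SSH_BADGUYS chain and install the INPUT rules.
# Refuses to run twice: a second start would append duplicate rules.
# Returns: 0 on success, 1 if the chain already exists
#######################################
_start () {
  if $IPT -n -L SSH_BADGUYS >/dev/null 2>&1; then
    echo "SSH_BADGUYS chain already exists, use restart" >&2
    return 1
  fi
  $IPT -N SSH_BADGUYS
  $IPT -A SSH_BADGUYS -m recent --name ssh_badguys --set
  $IPT -A SSH_BADGUYS -j LOG --log-prefix "SSH scanner detected: "
  $IPT -A SSH_BADGUYS -j REJECT --reject-with icmp-admin-prohibited
  _input_rules -A
}

#######################################
# Remove only the rules this script added. Deleting by rule spec (-D)
# instead of flushing the whole table leaves unrelated rules alone.
# Every step is best-effort: a missing rule or chain is not an error
# on stop, so errors are silenced and the function always returns 0.
#######################################
_stop () {
  _input_rules -D 2>/dev/null
  # INPUT no longer references the chain, so it can be flushed and removed.
  $IPT -F SSH_BADGUYS 2>/dev/null
  $IPT -X SSH_BADGUYS 2>/dev/null
  :
}

#######################################
# Print the currently banned sources from the kernel's recent table.
# Prints nothing when the table is not exposed (module not loaded).
#######################################
_status () {
  for d in $RECENT_DIRS; do
    if [ -r "$d/ssh_badguys" ]; then
      cat "$d/ssh_badguys"
      return 0
    fi
  done
  return 0
}

case "$1" in
  start)
    printf '%s' "Starting SSH brute force blocker: "
    _start
    echo "done."
    ;;
  stop)
    printf '%s' "Stopping SSH brute force blocker: "
    _stop
    echo "done."
    ;;
  restart)
    printf '%s' "Restarting SSH brute force blocker: "
    _stop
    _start
    echo "done."
    ;;
  status)
    _status
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
    ;;
esac

exit 0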