Brutelock is an open source program that actively monitors various system logs and immediately blocks malicious IPs trying to attack your server.
Brutelock not only protects against ssh attacks but also other common systems such as ftp, pop and imap. It has an extendible rules format that allows you to monitor an unlimited number of other services by simply supplying the log file and a simple regex search pattern.
There are just a few steps to install the Brutelock agent:
Download Brutelock agent, and save to /usr/local/.
tar -xjvf brutelock-version_number.tar.bz2
Edit the new configuration file (/usr/local/brutelock/conf/brutelock.conf) with your subscription key *.
Also edit the path to your ssh log in the configuration file if you need to. If you are unsure where that is for your system, please consult the README included with the Brutelock source. Uncomment any of the other services you wish to protect as well such as ftp, pop, and imap.
Add any IP’s to the /usr/local/brutelock/conf/whitelist file (each on separate lines) for any IP’s that Brutelock should never lock out **.
Add a separate chain to iptables:
/sbin/iptables -N Brutelock-Firewall-INPUT
/sbin/iptables -I INPUT -j Brutelock-Firewall-INPUT
Start Brutelock daemon:
Sit back and watch the number of failed login attempts drastically diminish from your logs.
* – If you do not have a subscription key, make sure to sign-up to receive yours. You can choose the free option which allows Brutelock to actively block brute force attacks or one of the paid subscriptions to allow Brutelock to proactively protect your servers by receiving constant updates from the Brutelock service. Visit the Brutelock website for more information.
** – In addition to the localhost address (127.0.0.1) you should also enter the server’s IP at a minimum.