Just a few random comments from another set of eyes:
    #!/usr/bin/perl
    # This script watches the /var/log/secure
So it runs as root, but you're not using taint mode. No bugs at first sight, but you never know.
    my @safe = qw/ 192.168.0.1 /;
    [Some code]
    my @rejects;
Why not define @rejects just under my @safe since it serves a similar purpose?
    next unless $line =~ /Failed password/ig;
If I were you, I'd tighten that regex a little more to avoid false positives, although that has the drawback that maybe in a future version of the sshd daemon the message about failed login attempts changes and suddenly you don't seem to be attacked anymore ;^). Also, why /ig?
    if ( !defined( $db{$ip} ) ) {
        push ( @{ $db{$ip} }, $epoch );
    } else {
        push ( @{ $db{$ip} }, $epoch );
    }
The push could be moved outside the if. Plus, is there more information stored in $db{$ip}? You seem to store only the IP, so there's no need to have a hash and use push and undef below. Just $db{$ip} = $epoch.
    my @safe = @_;
    foreach (@safe) {
        return 1 if $ip eq $_;
    }
    return 0;
If you like compact code, try:
    return !!grep { $ip eq $_ } @_   ## tested
    sub isRejected {
Either rename this to rejected, or safe to isSafe.
    foreach (@rejects) {
Same grep as before.
--
David Serrano
In reply to Re: SSH Failed Attempt Monitor by Hue-Bond, in thread SSH Failed Attempt Monitor by Anonymous Monk
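The review points above (taint mode, a tighter sshd pattern that captures the source address, the grep idiom for the safe and rejected lists) applied to constructed sample lines from /var/log/secure. This is an added example, not the original poster's script; the anchored regex, the per-IP counter and the threshold are assumptions about how such a monitor is usually written.

```perl
#!/usr/bin/perl -T
# Added example (not the OP's code): the reviewed script's ideas under taint mode,
# with the log match tightened to the sshd format and grep-based list checks.
use strict;
use warnings;

my @safe    = qw/ 192.168.0.1 /;   # hosts never to block (from the OP)
my @rejects;                       # hosts already blocked, declared beside @safe

# Tighter sshd pattern: anchored on the "sshd[pid]:" prefix and capturing the
# source address, so unrelated lines that merely contain the words
# "Failed password" are not counted (false-positive caveat from the review).
my $failed_re = qr{ sshd\[\d+\]:\s+Failed\ password\ for
                    (?:\ invalid\ user)?\ \S+\ from\ (\d{1,3}(?:\.\d{1,3}){3}) }x;

# Membership checks in the compact grep form suggested in the review.
sub is_safe     { my $ip = shift; return !!grep { $ip eq $_ } @safe;    }
sub is_rejected { my $ip = shift; return !!grep { $ip eq $_ } @rejects; }

# Count failures per source IP; return the IPs reaching $threshold (assumed
# design: one counter per IP instead of a list of epochs).
sub scan_lines {
    my ($threshold, @lines) = @_;
    my %failures;
    for my $line (@lines) {
        next unless $line =~ $failed_re;
        my $ip = $1;
        next if is_safe($ip) || is_rejected($ip);
        $failures{$ip}++;
    }
    return grep { $failures{$_} >= $threshold } sort keys %failures;
}

# Constructed sample log lines (not real traffic): two failures from 10.0.0.5,
# one from a safe host, one cron line containing the words but not from sshd.
my @sample = (
    'Mar  1 10:00:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 4122 ssh2',
    'Mar  1 10:00:03 host sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 4123 ssh2',
    'Mar  1 10:00:04 host sshd[1203]: Failed password for bob from 192.168.0.1 port 4124 ssh2',
    'Mar  1 10:00:05 host cron[77]: (root) CMD (echo "Failed password" >> /tmp/x)',
    'Mar  1 10:00:06 host sshd[1204]: Accepted password for alice from 10.0.0.9 port 4125 ssh2',
);
print "would block: $_\n" for scan_lines(2, @sample);   # only 10.0.0.5
```

Run it as ./script.pl or perl -T script.pl; perl refuses a -T that appears only on the shebang when invoked without the switch ("Too late for -T").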