>So it runs as root, but you're not using taint mode. No bugs at first sight, but you never know.
True, however it should run as is in taint mode. The only input per se is the entry in the log file. The IP address is pulled out with a regex and $1 is reassigned to $ip. Therefore, when system() is called, it's taint-free and shouldn't ever be an issue. By all means, turn it on if it's a concern.
>If I were you, I'd tighten that regex a little more to avoid false positives, although that has the drawback that maybe in a future version of the sshd daemon, the message about failed login attempts changes and suddenly you don't seem to be attacked anymore ;^). Also, why /ig?
/g -- the g isn't needed, just a habit.
/i -- same reason as you mentioned above: a little bit of a loose regular expression, but hopefully it will work if the log format changes a little bit.
@safe and @reject are two entities, kept apart for readability purposes, you are correct that other ways exist, perhaps even better ways.
$db{$ip} stores more than the IP. It also stores the count and the epoch times of the events: the count is the number of array elements, and the times are the elements themselves, each stored as an epoch time:
if ( $db{$ip}[ $#{ $db{$ip} } ] - $db{$ip}[ $#{ $db{$ip} } - 1 ] > $thresHold ) {
Here I say: if the last array item (which holds the highest epoch time) minus the previous attempt's epoch time is greater than the threshold (i.e. 10 minutes), then clear the current attack and treat it as a new attack. I'm basically just clearing the entire record of the previous attack. The else of that is the handler for an ongoing attack -- increase the count or reject the attacker.
I like your grep suggestion as well, although I opted for foreach because it's slightly more readable. That's the only real reason for that one.
And yes, the subroutine names are inconsistent, good point. That will be fixed.
Matt
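The two points in the reply above (a regex capture is what makes $ip safe to hand to system() under taint mode, and the per-IP array of epoch times with a threshold that resets the record) can be shown end to end in a small script. This is an added example, not Matt's script; the regex, the %db / $thresHold / $maxTries names, the 600-second window and the sample log lines are all assumptions modelled on what the reply describes, and nothing here actually calls system().

```perl
#!/usr/bin/perl
# Added example (not the original script): run with `perl -T` to enforce
# taint checks. All names and the sample events below are constructed.
use strict;
use warnings;

my $thresHold = 600;   # assumed 10-minute gap that starts a new attack record
my $maxTries  = 3;     # assumed number of attempts before the reject handler
my %db;                # $db{$ip} = [ epoch, epoch, ... ]; count == array length

# Pull the IP out of one sshd log line. Only the capture ($1) leaves this sub,
# and under -T a regex capture is untainted, so a caller may later pass the
# returned $ip to system() without a taint error. Literals in this file are
# never tainted; real log lines read from a filehandle would be.
sub ip_from_line {
    my ($line) = @_;
    return unless $line =~ /failed password .* from (\d{1,3}(?:\.\d{1,3}){3})/i;
    return $1;
}

# Record an attempt for $ip at epoch $now, mirroring the reply's logic:
# push the new time, then compare the last element with the one before it.
# Returns 'new', 'ongoing' or 'reject'.
sub record_attempt {
    my ($ip, $now) = @_;
    my $hist = $db{$ip} ||= [];
    push @$hist, $now;

    # Gap between the newest and previous attempt larger than the threshold:
    # the earlier attempts are stale, so clear the record and start over.
    if (@$hist > 1 && $hist->[-1] - $hist->[-2] > $thresHold) {
        @$hist = ($now);
    }

    return 'new'    if @$hist == 1;
    return 'reject' if @$hist >= $maxTries;   # reject handler would go here
    return 'ongoing';
}

# Constructed sample events: [epoch, log line]. 192.0.2.0/24 is the
# documentation range, so no real host is named.
my $fmt = 'Jan  1 00:00:00 host sshd[123]: Failed password for invalid user '
        . 'bob from %s port 4444 ssh2';
my @events = (
    [ 1000, sprintf($fmt, '192.0.2.10') ],   # first attempt      -> new
    [ 1030, sprintf($fmt, '192.0.2.10') ],   # 30 s later         -> ongoing
    [ 1700, sprintf($fmt, '192.0.2.10') ],   # 670 s gap > window -> new
    [ 1710, sprintf($fmt, '192.0.2.10') ],   # 10 s later         -> ongoing
    [ 1720, sprintf($fmt, '192.0.2.10') ],   # third in window    -> reject
    [ 1721, 'Jan  1 00:00:00 host sshd[124]: Accepted publickey for alice' ],
);

for my $ev (@events) {
    my ($now, $line) = @$ev;
    my $ip = ip_from_line($line) or next;    # non-matching lines are skipped
    my $state = record_attempt($ip, $now);
    printf "%-12s t=%d attempts=%d %s\n", $ip, $now, scalar @{ $db{$ip} }, $state;
}
```

The push-then-compare order is kept on purpose so the condition reads the same as the one quoted in the reply ($hist->[-1] and $hist->[-2] are the same elements as $db{$ip}[$#{$db{$ip}}] and the one before it). Because the array length doubles as the attempt count, resetting it to a single element is all that is needed to "clear the current attack".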