I have two scripts that I've been working on ready for some feedback if anyone is interested.
The first is called bearDropper, and is essentially a minimal, lightweight dropbear (ssh) log examiner that blocks ssh brute force attacks. It hooks itself into iptables and is very configurable using uci and/or command-line options. The goal was to make it simple to use but very reliable and configurable - let me know if you think I succeeded. It started as a rewrite of dropBrute, but has many other features:
Written in busybox ash with no dependencies outside of stock Chaos Calmer
Maintains a state database, periodically writes it to tmpfs and (optionally) persistent storage
Persistent storage writes are throttled (default once a day) and are disabled by default
Periodically syncs the state database to a dedicated iptables chain
Periodically expires entries from the iptables chain
Self installs into iptables (default hook is into input_wan_rule) - easily disabled or modified in config
Uses native uci config, and runs via a procd init script (continuous run)
For those who like options, it can also run in a few single-run (non-continuous) modes, examining the entire syslog ring buffer, just today's entries (like dropBrute), or even arbitrary intervals.
The second is called sub2rbl, and it's a very simple, lightweight script to retrieve RBLs, compile them into an ipset and automatically hook into iptables with a firewall rule (default in input_wan_rule). It also uses uci (/etc/config/sub2rbl), with command line overrides. Dependencies are ipset, curl and openssl-util (to retrieve RBLs via https).
Supports IP based and CIDR (net) based RBLs
Default config uses OpenBL, blocklist.de, Dragon Research and SpamHaus DROP/EDROP RBLs
Whitelist support based on a uci config list (see config file for details)
Simple installation, see the GitHub project page for instructions
I'm looking forward to hearing some feedback (and bug reports).
(Last edited by robzr on 19 Jan 2016, 00:13)
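The core of what bearDropper does, as an added POSIX sh illustration that is not the project's own code: scan dropbear log lines for failed logins, count failures per source address, and emit the iptables commands that would sync offenders into a dedicated chain hooked from input_wan_rule. The log lines are constructed samples in the shape dropbear writes via logread; the chain name and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample of dropbear entries as logread prints them (not a real log).
sample_log() {
  cat <<'EOF'
Tue Jan 19 00:10:01 2016 authpriv.warn dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51234
Tue Jan 19 00:10:03 2016 authpriv.warn dropbear[1234]: Bad password attempt for 'root' from 203.0.113.5:51240
Tue Jan 19 00:10:05 2016 authpriv.info dropbear[1234]: Login attempt for nonexistent user from 203.0.113.5:51250
Tue Jan 19 00:10:07 2016 authpriv.info dropbear[1236]: Password auth succeeded for 'root' from 192.0.2.10:40000
Tue Jan 19 00:10:09 2016 authpriv.warn dropbear[1237]: Bad password attempt for 'admin' from 198.51.100.7:33333
Tue Jan 19 00:10:11 2016 authpriv.warn dropbear[1238]: Bad password attempt for 'root' from 203.0.113.5:51260
EOF
}

# Read log lines on stdin; print the source IP of every failed-auth line.
# Only the two dropbear failure messages count; successful logins are ignored.
# The "ip:port" token is the last field, so strip the port suffix.
failed_ips() {
  awk '/dropbear\[[0-9]+\]: (Bad password attempt|Login attempt for nonexistent user)/ {
         ip = $NF; sub(/:[0-9]+$/, "", ip); print ip }'
}

# Read log lines on stdin; print each IP with at least $1 failures (default 3).
offenders() {
  threshold=${1:-3}
  failed_ips | sort | uniq -c | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Read offender IPs on stdin; print (do not run) the iptables commands that
# create a dedicated chain (assumed name: bearDropper), hook it once from
# input_wan_rule, and add one DROP rule per offender. Pipe into sh to apply.
block_rules() {
  chain=${1:-bearDropper}
  echo "iptables -N $chain 2>/dev/null"
  echo "iptables -C input_wan_rule -j $chain 2>/dev/null || iptables -I input_wan_rule -j $chain"
  while read -r ip; do
    echo "iptables -A $chain -s $ip -j DROP"
  done
}

# Stand-alone run: show the rules the sample would produce at threshold 3.
sample_log | offenders 3 | block_rules
```

On a live router the same pipeline would take `logread` as input instead of `sample_log`; the `-C` check keeps the hook from being inserted twice on every sync.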