There is a less popular solution for this called "DenyHosts". You can check the details at the link below.
http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_DenyHosts
But this software has some problems. If it runs as a daemon, it continuously reads and parses the auth.log file, which is inefficient depending on the size of the log file.
Another way DenyHosts can run is through /etc/hosts.deny, which causes a delay in the login process of every user.
So why not do it the openpages.info way? :)
A brutal Anti Brute Force (SSH) System
1. Create a named pipe with the command below.
mkfifo /var/log/auth.info.pipe
2. Configure syslog to log auth.info to our pipe.
Syslog (CentOS, RedHat, FC, Mandriva/Mandrake, Debian, Ubuntu)
Edit your /etc/syslog.conf.
Add a line like this at the top of /etc/syslog.conf:
auth.info |/var/log/auth.info.pipe
Syslog-ng (Gentoo)
Edit your /etc/syslog-ng/syslog-ng.conf and add these lines (you can adjust them to fit the rest of your syslog-ng configuration if you have any customization there):
destination authlog { pipe("/var/log/auth.info.pipe"); };
filter f_auth { facility(auth); };
filter f_info { level(info..emerg); };
log { source(src); filter(f_auth); filter(f_info); destination(authlog); };
3. Save syslog.conf/syslog-ng.conf and restart syslogd/syslog-ng.
That's it. Now we are catching all brute-force attempts in our pipe, and we need something to read that pipe. PLEASE REMEMBER IT IS A FIFO PIPE, WHICH IS MUCH BETTER THAN MONITORING ANY LOG FILE. IT WILL BE FASTER TO READ AND MANIPULATE DATA FROM THAT PIPE, ALMOST REALTIME.
Here is a script you can use. It is an open-source script, very small but very brutal. Trust me.
This script waits at the other end of the named pipe to grab the ssh log entries. It processes them in memory (very fast) and blocks the IPs that reach $threshold failed login attempts. It uses iptables to block each such IP. The script can write this information to a log file if you turn on debugging in it. Just get the script and you will see how simple it is to use.
IMPORTANT: On some Linux distros sshd logs hostnames and not IPs. To avoid this, make sure /etc/ssh/sshd_config has 'UseDNS no', or add it there and restart sshd.
ssh-anti-brute-1.3.pl (Tested on Fedora 4, 5, 6 / Redhat 9, Enterprise / CentOS 4.4, 5 / Debian 3.1, 4 / Ubuntu with syslogd, and Gentoo with syslog-ng)
size: 3564 bytes
md5: bba63ccd4802805798d6283ad0d7617d
Tip: Some Linux distros will kill a process that you started with & when you close your ssh client terminal or log out. To keep this script running in that case, use this command:
sh -cf 'perl ssh-anti-brute-1.3.pl&'
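
The core of such a pipe reader, as an added Python sketch (it is not the ssh-anti-brute-1.3.pl script, which is Perl and not reproduced here): it counts failed logins per address in memory and reports an address when it reaches the threshold. The threshold value, the exact iptables rule, the function names and the sample log lines are assumptions constructed for this example.

```python
import ipaddress
import re
import subprocess
from collections import Counter

PIPE = "/var/log/auth.info.pipe"  # FIFO created in step 1
THRESHOLD = 5                     # assumed value for the script's $threshold

# User names are attacker-controlled text, so the address is taken from the
# " from ADDR port N" that ends the line, not from the first " from " seen.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+(?: ssh\d*)?\s*$")

SAMPLE = [  # constructed log lines using documentation address ranges
    "Jan 1 00:00:01 gw sshd[811]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Jan 1 00:00:02 gw sshd[812]: Failed password for invalid user a from 198.51.100.7 port 9 ssh2 from 203.0.113.5 port 4243 ssh2",
    "Jan 1 00:00:03 gw sshd[813]: Failed password for root from scanner.example.net port 4244 ssh2",
    "Jan 1 00:00:04 gw sshd[814]: Accepted password for alice from 192.0.2.10 port 5000 ssh2",
    "Jan 1 00:00:05 gw sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 4245 ssh2",
]

def source_ip(line):
    m = FAILED.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:  # a hostname was logged (UseDNS not set to no): skip it
        return None

def offenders(lines, threshold=THRESHOLD):
    counts = Counter()  # per-address failure counts, held in memory only
    for line in lines:
        ip = source_ip(line)
        if ip is not None:
            counts[ip] += 1
            if counts[ip] == threshold:  # yield once, when the limit is reached
                yield ip

def block(ip):
    # Assumed rule: drop all traffic from the address (needs root).
    cmd = "ip6tables" if ":" in ip else "iptables"
    subprocess.run([cmd, "-I", "INPUT", "-s", ip, "-j", "DROP"], check=True)

if __name__ == "__main__":
    with open(PIPE) as fifo:  # blocks until syslog opens the pipe for writing
        for ip in offenders(fifo):
            block(ip)
```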