sshdfilter for Mac OS X
sshdfilter is a perl daemon that actively monitors ssh logins and detects signs of intrusion attempts and then blocks the attacking IP addresses. It runs on most any unix-variant, including (with a little modification), Mac OS X. This project is a “port” of sshdfilter to Mac OS X. Additions include a simple installer (no configuration required), startup script, and persistence - blocked addresses are saved in between reboots. It has been tested on OS X Server 10.4.11 - 10.6.2 and OS X Client 10.4.10-10.7.1 but should run on any OS X > 10.1.
Installation and configuration
The default setting is to block most failed logins after 5 attempts, some common invalid logins after 0 attempts, incorrect root logins after 2 attempts, and logins to non-existent accounts after 3 attempts. Counters are reset upon a valid login. These thresholds can be modified in the sshdfilterrc file if desired. It is not currently setup to expire the blocks (even if you set it here in the configuration file, they will remain in the persisting file). This may eventually be fixed when I get a chance.
1/19/12: Fixed with new match templates to work on Lion/10.7.
1/3/10: Updated with a fixed postflight (finally) and now works better on machines that don't use Open Directory authentication. Also respects AllowedUsers failures.
Expand, then run the installer. If you would like to receive email notifications for each block, edit the /etc/sshdfilterrc file (the mail= and mail policy sections - there are comments in the policy).
This is a port of sshdfilter by Richard Gregory and is released under the GPL license. Please note as a clarification once more of credit, that this means that all that I did was create an automated installer and template configurations for Mac OS X. The source (including my modifications) is available here.
Feel free to send me any feedback regarding the installer/running under Mac OS X: jbell at cs (dot) columbia (dot.) e d u. Other feedback regarding sshdfilter should probably be directed to its creator, whose contact information is on the main sshdfilter website.
Last updated 1/19/2012