since i banged my head on this for a couple of days, i thought i’d share my solution.
if you’re running a server, you really should do something to keep brute-force SSH attacks from slowing it down and, potentially, compromising it. for this, i use fail2ban.
fail2ban lets you trigger arbitrary actions when an IP is banned. i wanted to tweet those IPs, so their ISPs could be publicly shamed (bear in mind that many of these addresses belong to compromised machines rather than to the attacker). i do this at http://twitter.com/bannedIPs/
it’s well known how to tweet from the command line:
curl -u username:mypassword -d status="Status Message" http://twitter.com/statuses/update.xml
two caveats: this relies on HTTP basic auth, which twitter has since retired in favour of OAuth, so check the current API before depending on it; and a password passed on the command line ends up in your shell history and is visible in ps output to every other user on the box.
so, i put this into a file “tweet.conf” in /etc/fail2ban/action.d (the directory is action.d, singular). since the file holds your twitter password, make it readable by root only (chmod 600 /etc/fail2ban/action.d/tweet.conf):
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = echo "status=<ip>" | curl -u USERNAME:PASSWORD -d @- http://twitter.com/statuses/update.xml
actionunban =
and the following in /etc/fail2ban/jail.conf (or better, in /etc/fail2ban/jail.local, which fail2ban reads as an override and which survives package upgrades):
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         tweet[name=SSH]
logpath = /var/log/secure
maxretry = 3
bantime = 86400
(note the “action” is just “tweet” without the trailing “.conf”, and the second action line must be indented so fail2ban treats it as a continuation of the first. /var/log/secure is where red hat-style systems log sshd; on debian/ubuntu the equivalent is /var/log/auth.log)
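as an added example (written by the editor, not the original post’s code), here is how i would move the actionban into a small script instead of a one-liner: it refuses anything that isn’t a plain dotted-quad IPv4 address, and it reads the twitter credentials from a root-only netrc file so the password sits in neither action.d/tweet.conf nor the process list. the script path, the netrc path, the TWEET_* environment variables and the tweet wording are all assumptions of this example; the endpoint is simply the one from the post and is not verified to still work.

```sh
#!/bin/sh
# tweet-ban: a hypothetical replacement for the actionban line in the post (added example,
# not the original post's code). fail2ban would call it from action.d/tweet.conf as:
#     actionban = /usr/local/sbin/tweet-ban <ip> <name>
# Assumptions of this example:
#   * credentials live in a root-only (chmod 600) netrc file, default /etc/fail2ban/tweet.netrc,
#     containing one line: "machine twitter.com login USER password PASS";
#   * the endpoint is the one the post uses and is not checked to still work;
#   * curl is 7.21.5 or newer, which is when --netrc-file appeared.

NETRC="${TWEET_NETRC:-/etc/fail2ban/tweet.netrc}"
ENDPOINT="${TWEET_ENDPOINT:-http://twitter.com/statuses/update.xml}"

# is_ipv4 ADDR: succeed only for a.b.c.d with exactly four decimal octets, each 0-255.
# Anything else (empty, stray characters, too many/few octets) is refused rather than posted.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, leading/trailing/double dot
    esac
    rest="$1."
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# build_status ADDR JAIL: the text that gets tweeted. Kept in its own function so the
# wording can be checked without any network access.
build_status() {
    printf '%s brute-force attempt blocked by fail2ban: %s\n' "$2" "$1"
}

# main ADDR [JAIL]: validate, then post. A non-zero exit makes fail2ban log the failure
# instead of silently doing nothing.
main() {
    ip=$1
    jail=${2:-SSH}
    if ! is_ipv4 "$ip"; then
        echo "tweet-ban: refusing to post non-IPv4 value: $ip" >&2
        return 2
    fi
    if [ ! -r "$NETRC" ]; then
        echo "tweet-ban: credentials file $NETRC missing or unreadable" >&2
        return 3
    fi
    # --netrc-file keeps the password off the command line (unlike -u user:pass);
    # --data-urlencode escapes the status text so it is sent as one form field.
    curl -sS --netrc-file "$NETRC" \
        --data-urlencode "status=$(build_status "$ip" "$jail")" \
        "$ENDPOINT" >/dev/null
}

# With no arguments the script only defines its functions (handy for sourcing it in a test);
# fail2ban always passes at least the IP.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

install it as /usr/local/sbin/tweet-ban (mode 755, owned by root), point actionban at it as shown in the header comment, and create the netrc file with mode 600 before enabling the jail; fail2ban runs actions as root, so the file never needs to be readable by anyone else.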