# AutoBlock
Automatically block SSH brute-force attackers by monitoring `/var/log/auth.log` and adding `iptables` DROP rules for offending IPs.
## How It Works
1. Watches `/var/log/auth.log` for new entries (`tail -f` style, via inotify)
2. Parses `Invalid user` lines to extract the source IP. Only this event is matched, so password guesses against usernames that do exist (`Failed password for <user> ...`) are not counted.
3. Tracks attempts per IP in a ring buffer
4. When an IP reaches the threshold (default: 3 attempts), it is blocked:
   - `iptables -I INPUT 1 -s <IP> -j DROP` (inserted at the top of the chain, so it takes precedence over any earlier ACCEPT rule)
   - `netfilter-persistent save` (needs the `iptables-persistent` package; makes the rule survive a reboot)
5. Already blocked IPs are loaded from iptables at startup to avoid duplicates

There is no allow-list option: any address that reaches the threshold is dropped, including your own if you mistype a username often enough, so keep an out-of-band way onto the host.
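The parse-and-count step, as an added example that is not the project's own code (`parser.rs` uses a regex; this version uses only the standard library). It takes the address from the last ` from ` in the line, because the username in an `Invalid user` line is attacker-chosen and can itself contain ` from <address>`; it validates the result with `std::net::IpAddr`, so IPv6 sources are handled too; and it applies the threshold over a batch of constructed log lines. The `iptables` command is only printed, not executed.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Extract the source address from an sshd "Invalid user" line.
/// Returns None for any other line or for an unparseable address.
pub fn parse_invalid_user(line: &str) -> Option<IpAddr> {
    const MARKER: &str = "Invalid user ";
    let idx = line.find(MARKER)?;
    let rest = &line[idx + MARKER.len()..];
    // sshd appends "from <addr> port <n>" AFTER the username, so the last
    // " from " is the real one; anything earlier may be part of a username
    // chosen by the attacker to make the parser block some other address.
    let (_user, tail) = rest.rsplit_once(" from ")?;
    let addr = tail.split_whitespace().next()?;
    // Parsing into IpAddr rejects garbage and accepts both IPv4 and IPv6.
    addr.parse::<IpAddr>().ok()
}

/// Count "Invalid user" attempts per IP over a batch of lines and return the
/// IPs that reached `threshold`, in the order they crossed it.
pub fn offenders(lines: &[&str], threshold: usize) -> Vec<IpAddr> {
    let mut counts: HashMap<IpAddr, usize> = HashMap::new();
    let mut to_block = Vec::new();
    for line in lines {
        if let Some(ip) = parse_invalid_user(line) {
            let n = counts.entry(ip).or_insert(0);
            *n += 1;
            if *n == threshold {
                to_block.push(ip);
            }
        }
    }
    to_block
}

/// Constructed sample log lines (documentation addresses, not real traffic).
pub const SAMPLE_LOG: &[&str] = &[
    "Jan  5 10:00:01 host sshd[1234]: Invalid user admin from 203.0.113.7 port 51234",
    "Jan  5 10:00:02 host sshd[1235]: Invalid user oracle from 203.0.113.7 port 51235",
    "Jan  5 10:00:03 host sshd[1236]: Invalid user test from 2001:db8::1 port 40000",
    "Jan  5 10:00:04 host sshd[1237]: Invalid user ubnt from 198.51.100.9 port 2222",
    "Jan  5 10:00:05 host sshd[1238]: Invalid user pi from 203.0.113.7 port 51236",
    "Jan  5 10:00:06 host sshd[1239]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
    // Username literally "x from 192.0.2.10": a naive left-to-right parse
    // would block 192.0.2.10 instead of the real source 198.51.100.9.
    "Jan  5 10:00:07 host sshd[1240]: Invalid user x from 192.0.2.10 from 198.51.100.9 port 3333",
];

fn main() {
    for ip in offenders(SAMPLE_LOG, 3) {
        println!("would run: iptables -I INPUT 1 -s {} -j DROP", ip);
    }
}
```

Run against the sample, only `203.0.113.7` crosses the default threshold of 3; the injected address on the last line is ignored and the accepted-login line is skipped.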
## Build
```bash
cargo build --release
```
## Usage
The application requires root privileges since it modifies iptables rules. `/var/log/auth.log` is the Debian/Ubuntu location; on RHEL-family systems the equivalent file is `/var/log/secure` (pass it with `--log-path`), and hosts that log only to the systemd journal have no such file to watch.
```bash
sudo ./target/release/autoblock
```
### Options
| Option | Default | Description |
|---|---|---|
| `--log-path` | `/var/log/auth.log` | Path to the auth log file |
| `--threshold` | `3` | Number of `Invalid user` attempts from one IP before it is blocked |
| `--buffer-size` | `10000` | Ring buffer capacity. A full ring buffer evicts its oldest entry, so attempts are counted within the most recent entries, not within a time window |
```bash
# Custom threshold and buffer size
sudo ./target/release/autoblock --threshold 5 --buffer-size 20000
# Watch a different log file
sudo ./target/release/autoblock --log-path /var/log/auth.log.1
```
### Logging
Control log verbosity via the `RUST_LOG` environment variable:
```bash
sudo RUST_LOG=debug ./target/release/autoblock
```
## Tests
```bash
cargo test
```
## Project Structure
```
src/
  main.rs         Entry point, CLI parsing, main loop
  parser.rs       Regex parser for "Invalid user" log lines
  ring_buffer.rs  Generic ring buffer backed by VecDeque
  blocker.rs      iptables blocking + netfilter-persistent save
  watcher.rs      Log file watching via notify/inotify
```