autoblock 1.1.0

Automatically block SSH brute-force attackers via iptables

AutoBlock

Automatically block SSH brute-force attackers by monitoring /var/log/auth.log and adding iptables DROP rules for offending IPs.

How It Works

  1. Watches /var/log/auth.log for new entries (tail -f style via inotify)
  2. Parses "Invalid user" lines to extract the source IP. Only attempts against
     usernames that do not exist are counted; password failures against existing
     accounts (logged by sshd as "Failed password for <user> from ...") are not.
  3. Tracks attempts per IP in a fixed-capacity ring buffer; once the buffer is
     full, the oldest entries are evicted, so a buffer that is too small for the
     scan rate can undercount an attacker
  4. When an IP reaches the threshold (default: 3 attempts), it is blocked:
    • iptables -I INPUT 1 -s <IP> -j DROP (inserted at position 1, so it takes
      precedence over any ACCEPT rule already in the INPUT chain)
    • netfilter-persistent save (so the rule survives a reboot)
  5. Already blocked IPs are loaded from iptables at startup to avoid duplicate rules
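The parse, ring-buffer, threshold and block steps above, as an added std-only example written for this page rather than autoblock's own source. It builds the iptables argument vector but never executes it, so it runs unprivileged and offline; the sample log lines are constructed, and the ip6tables branch is this example's assumption (the README only mentions iptables).

```rust
// Added example, not autoblock's own code: a std-only model of the
// parse -> ring buffer -> threshold -> iptables pipeline described above.
// Nothing here touches netfilter; block_args() only returns the argv that
// `iptables -I INPUT 1 -s <IP> -j DROP` would need (ip6tables for IPv6 is
// this example's assumption, not something the README states).
use std::collections::{HashSet, VecDeque};
use std::net::IpAddr;

/// Extract the source address from an sshd "Invalid user" line such as
/// "... sshd[1234]: Invalid user admin from 203.0.113.5 port 51234".
/// Only "Invalid user" lines match, mirroring the README's parser;
/// "Failed password for <existing user>" lines return None.
pub fn parse_invalid_user(line: &str) -> Option<IpAddr> {
    let (_, rest) = line.split_once("Invalid user ")?;
    // sshd logs the attempted username verbatim, so split on the LAST
    // " from ": a username like "x from 10.0.0.1 port 1" must not be able
    // to make the tool block an address the attacker chose.
    let (_, tail) = rest.rsplit_once(" from ")?;
    let ip_token = tail.split_whitespace().next()?;
    ip_token.parse::<IpAddr>().ok()
}

/// argv for the DROP rule the README describes (netfilter-persistent save
/// would follow it in the real tool).
pub fn block_args(ip: IpAddr) -> Vec<String> {
    let tool = if ip.is_ipv6() { "ip6tables" } else { "iptables" };
    let addr = ip.to_string();
    let mut args = vec![tool.to_string()];
    args.extend(["-I", "INPUT", "1", "-s", addr.as_str(), "-j", "DROP"].iter().map(|s| s.to_string()));
    args
}

/// Bounded record of recent offending addresses plus the set already blocked.
pub struct AttemptTracker {
    recent: VecDeque<IpAddr>,
    capacity: usize,
    threshold: usize,
    blocked: HashSet<IpAddr>,
}

impl AttemptTracker {
    /// `already_blocked` stands in for the rules loaded from iptables at startup.
    pub fn new(capacity: usize, threshold: usize, already_blocked: &[IpAddr]) -> Self {
        AttemptTracker {
            recent: VecDeque::with_capacity(capacity),
            capacity,
            threshold,
            blocked: already_blocked.iter().copied().collect(),
        }
    }

    /// Record one attempt. Returns the iptables argv exactly once, at the
    /// moment the address crosses the threshold; None otherwise.
    pub fn record(&mut self, ip: IpAddr) -> Option<Vec<String>> {
        if self.blocked.contains(&ip) {
            return None; // never emit a duplicate rule
        }
        if self.recent.len() == self.capacity {
            self.recent.pop_front(); // ring-buffer eviction of the oldest hit
        }
        self.recent.push_back(ip);
        let attempts = self.recent.iter().filter(|&&seen| seen == ip).count();
        if attempts >= self.threshold {
            self.blocked.insert(ip);
            Some(block_args(ip))
        } else {
            None
        }
    }

    pub fn is_blocked(&self, ip: IpAddr) -> bool {
        self.blocked.contains(&ip)
    }
}

/// Constructed auth.log excerpt (not a real capture). Line 2 is a valid-user
/// failure and is ignored; line 7 carries a crafted username.
pub const SAMPLE_LOG: &str = "\
Jan 12 03:04:05 host sshd[1234]: Invalid user admin from 203.0.113.5 port 51234
Jan 12 03:04:06 host sshd[1235]: Failed password for root from 198.51.100.7 port 2222 ssh2
Jan 12 03:04:07 host sshd[1236]: Invalid user test from 203.0.113.5 port 51236
Jan 12 03:04:08 host sshd[1237]: Invalid user oracle from 2001:db8::1 port 4000
Jan 12 03:04:09 host sshd[1238]: Invalid user pi from 203.0.113.5 port 51240
Jan 12 03:04:10 host sshd[1239]: Invalid user admin from 203.0.113.5 port 51241
Jan 12 03:04:11 host sshd[1240]: Invalid user x from 10.0.0.1 port 1 from 198.51.100.9 port 5000
";

/// Feed every line through the tracker; returns the block decisions taken.
pub fn process_log(log: &str, threshold: usize, capacity: usize) -> Vec<(IpAddr, Vec<String>)> {
    let mut tracker = AttemptTracker::new(capacity, threshold, &[]);
    log.lines()
        .filter_map(parse_invalid_user)
        .filter_map(|ip| tracker.record(ip).map(|args| (ip, args)))
        .collect()
}

fn main() {
    for (ip, args) in process_log(SAMPLE_LOG, 3, 10_000) {
        println!("would block {}: {}", ip, args.join(" "));
    }
}
```

With the default threshold of 3, the sample produces exactly one decision, for 203.0.113.5, on its third "Invalid user" line; the fourth line from that address is skipped because it is already blocked. Splitting on the last " from " is the one choice worth copying into any such parser: since sshd writes the attempted username into the line, a parser that takes the first " from " can be steered into blocking an address of the attacker's choosing.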

Build

cargo build --release

Usage

The application requires root privileges since it modifies iptables rules (and reads /var/log/auth.log, which is normally not world-readable). Because a matching IP gets a DROP rule at the top of the INPUT chain, make sure the address you administer the host from cannot reach the threshold, for example by mistyping a username three times, or you will lock yourself out.

sudo ./target/release/autoblock

Options

Flag           Default             Description
--log-path     /var/log/auth.log   Path to the auth log file
--threshold    3                   Number of invalid attempts before blocking
--buffer-size  10000               Ring buffer capacity

# Custom threshold and buffer size
sudo ./target/release/autoblock --threshold 5 --buffer-size 20000

# Watch a different log file
sudo ./target/release/autoblock --log-path /var/log/auth.log.1

Logging

Control log verbosity via the RUST_LOG environment variable:

sudo RUST_LOG=debug ./target/release/autoblock

Tests

cargo test

Project Structure

src/
  main.rs          Entry point, CLI parsing, main loop
  parser.rs        Regex parser for "Invalid user" log lines
  ring_buffer.rs   Generic ring buffer backed by VecDeque
  blocker.rs       iptables blocking + netfilter-persistent save
  watcher.rs       Log file watching via notify/inotify