autoblock 1.1.1

Automatically block SSH brute-force attackers via iptables
# AutoBlock

Automatically block SSH brute-force attackers by monitoring `/var/log/auth.log` and adding `iptables` DROP rules for offending IPs.

## How It Works

1. Watches `/var/log/auth.log` for new entries (tail -f style via inotify)
2. Parses `Invalid user` lines to extract the source IP
3. Tracks attempts per IP in a ring buffer
4. When an IP reaches the threshold (default: 3 attempts), it is blocked:
   - `iptables -I INPUT 1 -s <IP> -j DROP`
   - `netfilter-persistent save`
5. Already blocked IPs are loaded from iptables at startup to avoid duplicates
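
Steps 2 to 5 in std-only Rust, as an added example that is not autoblock's own code. `parse_invalid_user`, `Tracker` and `observe` are hypothetical names, counting hits inside a bounded window is an assumed design, and the log line is constructed; the iptables call itself is left to the caller.

```rust
use std::collections::{HashSet, VecDeque};
use std::net::IpAddr;

// Source IP of an sshd "Invalid user" line. The user name is client-supplied
// text, so anchor on the LAST " from " and accept only a literal IP address.
fn parse_invalid_user(line: &str) -> Option<IpAddr> {
    let rest = &line[line.find("Invalid user ")?..];
    let tail = &rest[rest.rfind(" from ")? + " from ".len()..];
    tail.split_whitespace().next()?.parse().ok()
}

// Hypothetical tracker (assumed design): bounded window of recent offenders.
struct Tracker {
    recent: VecDeque<IpAddr>,
    capacity: usize,
    threshold: usize,
    blocked: HashSet<IpAddr>, // step 5: would be seeded from iptables at startup
}

impl Tracker {
    fn new(capacity: usize, threshold: usize) -> Self {
        Tracker { recent: VecDeque::new(), capacity, threshold, blocked: HashSet::new() }
    }

    // Returns Some(ip) exactly once: when ip reaches the threshold.
    fn observe(&mut self, line: &str) -> Option<IpAddr> {
        let ip = parse_invalid_user(line)?;
        if self.blocked.contains(&ip) {
            return None; // already blocked, no duplicate rule
        }
        if self.recent.len() >= self.capacity {
            self.recent.pop_front(); // ring buffer: evict the oldest attempt
        }
        self.recent.push_back(ip);
        let hits = self.recent.iter().filter(|seen| **seen == ip).count();
        if hits >= self.threshold && self.blocked.insert(ip) {
            return Some(ip); // caller would now run: iptables -I INPUT 1 -s <ip> -j DROP
        }
        None
    }
}

fn main() {
    // Constructed sample line; 203.0.113.0/24 is a documentation range.
    let line = "Jan  1 00:00:01 host sshd[101]: Invalid user admin from 203.0.113.7 port 4000";
    let mut t = Tracker::new(10000, 3);
    let decisions: Vec<_> = (0..4).map(|_| t.observe(line)).collect();
    println!("{:?}", decisions);
}
```

Parsing the address into `IpAddr` before it reaches the `iptables` command line also keeps arbitrary log text out of the rule arguments.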

## Installation

Install from [crates.io](https://crates.io/crates/autoblock):

```bash
cargo install autoblock
```

Or build from source:

```bash
cargo build --release
```

## Usage

The application requires root privileges since it modifies iptables rules.

```bash
sudo ./target/release/autoblock
```

### Options

| Flag | Default | Description |
|------|---------|-------------|
| `--log-path` | `/var/log/auth.log` | Path to the auth log file |
| `--threshold` | `3` | Number of invalid attempts before blocking |
| `--buffer-size` | `10000` | Ring buffer capacity |

```bash
# Custom threshold and buffer size
sudo ./target/release/autoblock --threshold 5 --buffer-size 20000

# Watch a different log file
sudo ./target/release/autoblock --log-path /var/log/auth.log.1
```

### Logging

Control log verbosity via the `RUST_LOG` environment variable:

```bash
sudo RUST_LOG=debug ./target/release/autoblock
```

## Tests

```bash
cargo test
```

## Project Structure

```
src/
  main.rs          Entry point, CLI parsing, main loop
  parser.rs        Regex parser for "Invalid user" log lines
  ring_buffer.rs   Generic ring buffer backed by VecDeque
  blocker.rs       iptables blocking + netfilter-persistent save
  watcher.rs       Log file watching via notify/inotify
```

## Contributing

Contributions are welcome! Please open an issue or submit a merge request on [GitLab](https://gitlab.com/_thoreg/autoblock).

```bash
git clone https://gitlab.com/_thoreg/autoblock.git
cd autoblock
make test
make lint
```

This project is licensed under the [MIT License](LICENSE).