A command like this:
Code:
ssh -l "hokus pokus 0.0.0.0/0" myhost.com
will result in a log entry like this:
Code:
Jun 30 22:06:12 myhost sshd[10140]: Invalid user hokus pokus 0.0.0.0/0 from 192.168.23.42
When awk then reads column #5 it gets 0.0.0.0/0 instead of the actual IP and the resulting iptables rule will drop all traffic from every IP.
The iplist seems to be permanent, so if this happens on a remote system where ssh is your only means of access and the cron job runs frequently enough, you're very likely completely locked out.
Don't let this discourage you from developing your own implementation of the "fail2ban" idea. But be very, very careful when handling any sort of user-provided input (see xkcd).
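An added example, not part of the original post and not the script under discussion: one way to pull the source address out of these log lines without trusting the username field. It reads the address from the end of the line, which sshd writes after the username, and accepts only a strict dotted quad. The function name `extract_ip` is hypothetical, the optional trailing `port N` handling (logged by newer OpenSSH) goes beyond the log format shown in the post, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: extract the peer address from sshd "Invalid user" lines.
# The username is attacker-controlled and may contain spaces, "from",
# or CIDR strings, so fields are counted from the END of the line.

# Print the IPv4 source address of one log line, or nothing if the
# line does not end in a well-formed address.
extract_ip() {
    printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: Invalid user / {
        n = NF
        # Newer OpenSSH appends "port N"; skip it if present.
        if (n >= 2 && $(n-1) == "port" && $n ~ /^[0-9]+$/) n -= 2
        # The address must be directly preceded by the final "from".
        if (n < 2 || $(n-1) != "from") next
        ip = $n
        # Strict dotted quad: no CIDR suffix, no extra characters.
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split(ip, o, ".")
        for (i = 1; i <= 4; i++)
            if (length(o[i]) > 3 || o[i] + 0 > 255) next
        # Never emit the wildcard address.
        if (ip == "0.0.0.0") next
        print ip
    }'
}

# Constructed sample input: the line from the post plus an ordinary one.
while IFS= read -r line; do
    extract_ip "$line"
done <<'EOF'
Jun 30 22:06:12 myhost sshd[10140]: Invalid user hokus pokus 0.0.0.0/0 from 192.168.23.42
Jun 30 22:07:40 myhost sshd[10177]: Invalid user bob from 192.168.23.43
EOF
```

Anything the function prints can be passed to the firewall as a single host; a line that yields no output should be skipped rather than guessed at.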