SUSE Conversations


SSH brute force block



By: ncisrael

October 10, 2007 1:56 pm


We noticed a large number of failed login attempts on a few Linux servers that had SSH open to the outside. To slow such attacks down I modified a script, run by cron at a fixed interval, that counts failed logins per source address and, once an address reaches a set number of attempts, adds it to /etc/hosts.deny.

A few things to keep in mind before enabling it. An entry in hosts.deny only has effect if sshd is linked against libwrap (tcp_wrappers); you can check with ldd on the sshd binary and look for libwrap.so. The script only counts "Invalid user" messages, that is attempts against accounts that do not exist; failed passwords for real accounts are not counted. The lookup in hosts.deny must be a fixed-string, whole-line match: with a plain grep the dots in an address are regex wildcards, so 2.1.1.1 would also match 211.101 or 12.1.1.10 and never be added. Finally, there is no whitelist and no expiry, so put your own management addresses in /etc/hosts.allow (which tcp_wrappers consults first) before turning the cron job on, or a few mistyped passwords can lock you out.

Hope this helps someone.

#!/bin/bash
# This script will monitor for failed login attempts and after a specified
# number of times add the ip to a deny list
# Chad
LOGFILE="/var/log/messages"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts; the source address is the
# field after "from" (on newer sshd versions the last field is the port, not the ip)
grep sshd "$LOGFILE" | grep "Invalid user" \
  | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' \
  | sort | uniq -c | sort -n | while read -r count ip
do
        # skip anything that does not look like an IPv4 address
        case "$ip" in
                ""|*[!0-9.]*) continue ;;
        esac
        # check hosts.deny for the exact entry this script writes:
        # -F keeps "." literal and -x matches the whole line, so
        # 2.1.1.1 is not mistaken for 211.101 or 12.1.1.10
        if ! grep -Fxq "sshd: $ip" "$HOSTSDENY"
        then
                if [ "$count" -ge "$BADCOUNT" ]
                then
                        echo "sshd: $ip" >> "$HOSTSDENY"
                fi
        fi
done


Categories: Free Tools, Technical Solutions

1 Comment

  1. By:GoldTek

    You’ll need to watch out for this grep statement:

    already=`grep $ip $HOSTSDENY | grep sshd`

    IP addresses have (.) periods in them which is a wildcard for regular expressions.

    If for example the IP address 2.1.1.1 was being checked by the above grep command, it would also report a match if there was 211.101 in the file already and the script would never add 2.1.1.1 to the Hosts deny file.

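The false match GoldTek describes, run against constructed data. This is an added example, not code from the original post: the hosts.deny entries and the sshd log lines are made up, and the lines ending in "port NNNN" assume the newer OpenSSH log format in which the source port follows the address. It shows the original regex check reporting 2.1.1.1 as already denied because of a 211.101 entry (and 10.0.0.1 because of 10.0.0.12), the fixed-string whole-line check getting both right, and a counter that picks the address after "from" instead of the last field.

```shell
#!/bin/bash
# Added example, not part of the original post. All deny entries and
# log lines below are constructed for the demonstration.

# Constructed hosts.deny contents.
SAMPLE_DENY='sshd: 211.101
sshd: 10.0.0.12
ALL: 192.0.2.77'

# Constructed sshd log lines: 2.1.1.1 fails 5 times, 10.0.0.12 twice,
# 198.51.100.9 fails 5 times in the newer "... from IP port N" format
# (assumed format), plus one unrelated cron line.
SAMPLE_LOG='Oct 10 12:00:01 host sshd[1001]: Invalid user admin from 2.1.1.1
Oct 10 12:00:02 host sshd[1002]: Invalid user oracle from 2.1.1.1
Oct 10 12:00:03 host sshd[1003]: Invalid user test from 2.1.1.1
Oct 10 12:00:04 host sshd[1004]: Invalid user guest from 2.1.1.1
Oct 10 12:00:05 host sshd[1005]: Invalid user ftp from 2.1.1.1
Oct 10 12:00:06 host sshd[1006]: Invalid user admin from 10.0.0.12
Oct 10 12:00:07 host sshd[1007]: Invalid user root from 10.0.0.12
Oct 10 12:00:08 host sshd[1008]: Invalid user admin from 198.51.100.9 port 41022
Oct 10 12:00:09 host sshd[1009]: Invalid user admin from 198.51.100.9 port 41023
Oct 10 12:00:10 host sshd[1010]: Invalid user admin from 198.51.100.9 port 41024
Oct 10 12:00:11 host sshd[1011]: Invalid user admin from 198.51.100.9 port 41025
Oct 10 12:00:12 host sshd[1012]: Invalid user admin from 198.51.100.9 port 41026
Oct 10 12:00:13 host cron[1013]: (root) CMD (/usr/local/bin/check_ssh.sh)'

# The original test: the ip is used as a regex, so "." matches any character
# and the match may land anywhere in the line. Returns 0 on false positives.
is_denied_regex() {    # args: deny-list-contents ip
    printf '%s\n' "$1" | grep "$2" | grep -q sshd
}

# Fixed test: -F treats the ip literally, -x requires the whole line to
# equal the exact entry the script writes, -q suppresses output.
is_denied_exact() {    # args: deny-list-contents ip
    printf '%s\n' "$1" | grep -Fxq "sshd: $2"
}

# Count "Invalid user" failures per source address, taking the field after
# "from" rather than the last field, and print the addresses at or above
# the threshold, one per line, sorted.
offenders() {          # args: log-contents threshold
    printf '%s\n' "$1" \
      | awk -v t="$2" '/sshd\[[0-9]+]: Invalid user / {
                for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
             }
             END { for (ip in n) if (n[ip] >= t) print ip }' \
      | sort
}

# Stand-alone run: list offenders not yet present in the deny list.
offenders "$SAMPLE_LOG" 5 | while read -r ip; do
    if is_denied_exact "$SAMPLE_DENY" "$ip"; then
        echo "already denied: $ip"
    else
        echo "would add: sshd: $ip"
    fi
done
```

Note that the exact-line check only recognises entries in the form the script itself writes; an address covered by some other hosts.deny line (an `ALL:` entry, a network prefix, or a comma-separated list) is not detected and would be appended again, which is harmless but untidy.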
