SUSE Conversations

SSH brute force block


October 10, 2007 1:56 pm





We noticed a large number of failed login attempts on a few Linux servers that we had SSH open to the outside. So to prevent such attacks I modified a script to be run by cron at a interval time to detect failed logins and after a certain number of attempts add them to hosts.deny.

Hope this helps someone.

#This script will monitor for failed login attempts and after a specified number of times add the ip to a deny list
# read logfile and look for invalid login attemps
grep sshd $LOGFILE |grep "Invalid user"| awk '{print $NF}'|sort|uniq -c|sort -n|sed "s/[[:space:]]*//" | while read i
        # read number of failed attempts
        count=`echo $i | cut -d" " -f1`
        # read ip address from failed attempt
        ip=`echo $i | cut -d" " -f2`
        #check hostdeny file to see if IP already exist
        already=`grep $ip $HOSTSDENY | grep sshd`        
        #if IP does not exist add it to hostdeny file
        if [ -z "$already"  ]
                if [ "$count" -ge "$BADCOUNT" ]
                        echo "sshd: "$ip >> $HOSTSDENY
0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Categories: Free Tools, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

1 Comment

  1. By:GoldTek

    You’ll need to watchout for this grep statement :

    already=`grep $ip $HOSTSDENY | grep sshd`

    IP addresses have (.) periods in them which is a wildcard for regular expressions.

    If for example the IP address was being checked by the above grep command, it would also report a match if there was 211.101 in the file already and the script would never add to the Hosts deny file.