[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?
Van Loggins
vanloggins at gmail.com
Thu Dec 23 09:40:12 EST 2010
I have a Redhat Enterprise linux 5.5 server that is getting over 600 failed
ssh login attempts a day.
I'm wanting to lock down the server to protect it but need to keep ssh
running.
I've changed my ssh config and went to a higher non standard port which
should help but I also want to run a cron job every 24 hours or so that
scans for failed ssh login attempts and blocks the IP
I worked on something similar a few years ago on a Centos 3 box and was
hoping to get it working again.
here is the original shell script code
code begins here:
#!/bin/bash
# check for hack attempts and email alerts if seen
searchdate=`date +'%b %e'`
searchtime=`date +'%r'`
tail -n 100 /var/log/secure > /tmp/output.txt
grep "Failed password" /tmp/output.txt > /tmp/faillogin
if [ $? = 0 ]
then awk '{print $11}' /tmp/faillogin > /tmp/awkip.txt
for i in `cat /tmp/awkip.txt`
do
iptables -A INPUT -s $i/32 -j DROP
done
mail someone at somewhere.com -s "Failed login via SSH on
$searchdate at $searchtime" < /tmp/faillogin
fi
End of Code
for some reason it's erroring out on the do command so it never gets to the
iptables command.
any suggestions, or a better method to do this?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20101223/7297a5a1/attachment.html
More information about the Ale
mailing list