[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

chip chip.gwyn at gmail.com
Thu Dec 23 09:51:14 EST 2010


This should help: if 4 ssh sessions are opened from the same IP within
60 seconds, the IP is then dropped.

From: http://www.webhostingtalk.com/showthread.php?t=456571

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

There's also:
http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Hope that gets you started.

--chip

On Thu, Dec 23, 2010 at 9:40 AM, Van Loggins <vanloggins at gmail.com> wrote:
>
> I have a Red Hat Enterprise Linux 5.5 server that is getting over 600 failed ssh login attempts a day.
>
> I'm wanting to lock down the server to protect it but need to keep ssh running.
>
> I've changed my ssh config and went to a higher non-standard port, which should help, but I also want to run a cron job every 24 hours or so that scans for failed ssh login attempts and blocks the IP.
>
> I worked on something similar a few years ago on a CentOS 3 box and was hoping to get it working again.
>
> Here is the original shell script code:
>
> code begins here:
>
> #!/bin/bash
> # check for hack attempts and email alerts if seen
> searchdate=`date +'%b %e'`
> searchtime=`date +'%r'`
> tail -n 100 /var/log/secure > /tmp/output.txt
> grep "Failed password" /tmp/output.txt > /tmp/faillogin
> if [ $? = 0 ]
>         then awk '{print $11}' /tmp/faillogin > /tmp/awkip.txt
>         for i in `cat /tmp/awkip.txt`
>         do
>                 iptables -A INPUT -s $i/32 -j DROP
>         done
>         mail someone at somewhere.com -s "Failed login via SSH on $searchdate at $searchtime" < /tmp/faillogin
> fi
>
> End of Code
>
>
> For some reason it's erroring out on the do command, so it never gets to the iptables command.
>
> Any suggestions, or a better method to do this?



--
Just my $.02, your mileage may vary,  batteries not included, etc....
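
An added example, not part of the thread and not either poster's code: a log-scanning pass of the kind the quoted script attempts, written as a dry run that prints DROP rules instead of calling iptables. The function names, THRESHOLD and the sample log lines are assumptions made for illustration; in the constructed sample, field 11 holds the user name on the "invalid user" lines, so the address is located from the end of the line and validated before it reaches a rule.

```shell
#!/bin/sh
# Added example: dry run only, prints rules instead of calling iptables.
THRESHOLD=3   # assumed cut-off: failures per address before blocking

# Constructed sample in the /var/log/secure format (documentation addresses).
sample_log() {
cat <<'EOF'
Dec 23 09:40:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 4021 ssh2
Dec 23 09:40:03 host sshd[2101]: Failed password for invalid user bob from 203.0.113.7 port 4022 ssh2
Dec 23 09:40:05 host sshd[2103]: Failed password for invalid user from from 203.0.113.7 port 4023 ssh2
Dec 23 09:41:10 host sshd[2110]: Failed password for root from 198.51.100.9 port 5100 ssh2
Dec 23 09:42:00 host sshd[2111]: Accepted password for van from 192.0.2.10 port 5200 ssh2
Dec 23 09:42:30 host sshd[2112]: Failed password for invalid user x from 999.1.1.1 port 1 ssh2
EOF
}

# Read log lines on stdin, print "count address" per source of failures.
# The address is located relative to the END of the line ("from A port N ssh2"),
# so the remote-chosen user name can neither shift nor replace it.
failed_ips() {
    awk '
    / sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        ip = $(NF-3)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next      # dotted quad only
        split(ip, o, ".")
        for (k = 1; k <= 4; k++) if (o[k] + 0 > 255) next       # octet range
        n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -k2,2
}

# Turn "count address" lines into DROP rules for addresses at or over THRESHOLD.
block_rules() {
    awk -v min="$THRESHOLD" '$1 + 0 >= min + 0 {
        printf "iptables -A INPUT -s %s/32 -j DROP\n", $2
    }'
}

sample_log | failed_ips | block_rules
```

Feed it real data with `failed_ips < /var/log/secure | block_rules` and review the printed rules before applying any of them.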


