[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

Richard Bronosky Richard at Bronosky.com
Thu Dec 23 09:51:29 EST 2010


First of all, I love a concept called knockd. Since you are ok using an
alternate port, you may be ok with this unconventional approach. But what you
describe sounds very similar to a service I have used in the past. I don't
remember the exact name, but I would search for "harden ssh". It watches
constantly, immediately blocking repeat failures, which is much better than
waiting 24 hours.

On Dec 23, 2010 9:41 AM, "Van Loggins" <vanloggins at gmail.com> wrote:

I have a Redhat Enterprise linux 5.5 server that is getting over 600 failed
ssh login attempts a day.

I'm wanting to lock down the server to protect it but need to keep ssh
running.

I've changed my ssh config and gone to a higher non-standard port, which
should help, but I also want to run a cron job every 24 hours or so that
scans for failed ssh login attempts and blocks the IP.

I worked on something similar a few years ago on a Centos 3 box and was
hoping to get it working again.

Here is the original shell script code.

code begins here:

#!/bin/bash
# check for hack attempts, block the offending IPs and email an alert if seen
searchdate=`date +'%b %e'`
searchtime=`date +'%r'`
tail -n 100 /var/log/secure > /tmp/output.txt
grep "Failed password" /tmp/output.txt > /tmp/faillogin
if [ $? = 0 ]
then
        # take the word after "from" instead of a fixed column: lines for an
        # "invalid user" carry two extra words, so $11 is not the IP there;
        # sort -u keeps each address from getting more than one rule
        awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' /tmp/faillogin | sort -u > /tmp/awkip.txt
        for i in `cat /tmp/awkip.txt`
        do
                iptables -A INPUT -s "$i/32" -j DROP
        done
        # -s and its subject go before the recipient address
        mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < /tmp/faillogin
fi

End of Code


For some reason it's erroring out on the do command, so it never gets to the
iptables command.

Any suggestions, or a better method to do this?



_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale