Tool (license: Free)

We noticed a large number of failed login attempts on a few Linux servers that we had SSH open to the outside. So to prevent such attacks I modified a script to be run by cron at an interval to detect failed logins and, after a certain number of attempts, add them to hosts.deny.
Hope this helps someone.
```bash
#!/bin/bash
# This script will monitor for failed login attempts and after a specified number of times add the ip to a deny list
# Chad
LOGFILE="/var/log/messages"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts; uniq -c output is "<count> <ip>"
# (awk '{print $NF}' assumes the "Invalid user" line ends with the source address)
grep sshd "$LOGFILE" | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n | sed "s/^[[:space:]]*//" | while read -r i
do
    # read number of failed attempts
    count=$(echo "$i" | cut -d" " -f1)
    # read ip address from failed attempt
    ip=$(echo "$i" | cut -d" " -f2)
    # check hosts.deny to see if the IP already exists
    # (-F treats the dots literally, -w stops 10.0.0.1 from matching inside 10.0.0.10)
    already=$(grep -Fw -- "$ip" "$HOSTSDENY" | grep sshd)
    # if IP does not exist add it to hosts.deny
    if [ -z "$already" ]
    then
        if [ "$count" -ge "$BADCOUNT" ]
        then
            echo "sshd: $ip" >> "$HOSTSDENY"
        fi
    fi
done
```

| Attachment | Size |
|---|---|
| ssh-block.zip | 592 bytes |
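The same detection logic in Python, as an added example that is not part of the original post or its attachment: it counts failures per source address over constructed sample log lines, goes beyond the script above by also matching "Failed password" lines (attempts against accounts that do exist, such as root), and compares against existing hosts.deny entries exactly, so a listed 198.51.100.1 does not hide 198.51.100.10. All addresses, log lines and the hosts.deny content are constructed.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the original post), in the
# syslog form found in /var/log/messages or /var/log/auth.log.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Invalid user admin from 203.0.113.7
Mar  1 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:05 host sshd[1203]: Invalid user oracle from 203.0.113.7
Mar  1 10:01:00 host sshd[1210]: Invalid user bob from 198.51.100.10
Mar  1 10:01:02 host sshd[1211]: Failed password for root from 198.51.100.10 port 40001 ssh2
Mar  1 10:01:04 host sshd[1212]: Failed password for root from 198.51.100.10 port 40002 ssh2
Mar  1 10:02:00 host sshd[1213]: Failed password for root from 198.51.100.1 port 40003 ssh2
Mar  1 10:02:30 host sshd[1214]: Accepted publickey for chad from 192.0.2.5 port 40004 ssh2
"""
# Constructed hosts.deny content: 198.51.100.1 is listed, 198.51.100.10 is not.
EXISTING_HOSTS_DENY = "# constructed\nsshd: 198.51.100.1\nsshd: 203.0.113.7\n"

# Capture the source IPv4 address from "Invalid user" and "Failed password" lines.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S+|Failed password for (?:invalid user )?\S+)"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)

def count_failures(log_text):
    """Failed login events per source IP (one attempt may log two lines)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offending_ips(log_text, threshold=5):
    """Addresses with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def denied_ips(hosts_deny_text):
    """Exact set of client addresses already listed for sshd (no substring matching)."""
    denied = set()
    for line in hosts_deny_text.splitlines():
        daemon, _, clients = line.split("#", 1)[0].partition(":")
        if daemon.strip() == "sshd":
            denied.update(clients.replace(",", " ").split())
    return denied

def new_deny_lines(log_text, hosts_deny_text, threshold=5):
    """hosts.deny lines to append: offenders that are not already denied."""
    already = denied_ips(hosts_deny_text)
    return [f"sshd: {ip}" for ip in offending_ips(log_text, threshold) if ip not in already]
```

With the sample data and a threshold of 3, only `sshd: 198.51.100.10` is new; 203.0.113.7 is skipped because it is already listed.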