Tool
We noticed a large number of failed login attempts on a few Linux servers that we had SSH open to the outside. So, to prevent such attacks, I modified a script to be run by cron at an interval to detect failed logins and, after a certain number of attempts, add them to hosts.deny.
Hope this helps someone.
```bash
#!/bin/bash
# This script will monitor for failed login attempts and after a specified number of times add the ip to a deny list
# Chad
LOGFILE="/var/log/messages"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts
grep sshd $LOGFILE |grep "Invalid user"| awk '{print $NF}'|sort|uniq -c|sort -n|sed "s/[[:space:]]*//" | while read i
do
    # read number of failed attempts
    count=`echo $i | cut -d" " -f1`
    # read ip address from failed attempt
    ip=`echo $i | cut -d" " -f2`
    # check hostdeny file to see if IP already exists
    already=`grep $ip $HOSTSDENY | grep sshd`
    # if IP does not exist add it to hostdeny file
    if [ -z "$already" ]
    then
        if [ "$count" -ge "$BADCOUNT" ]
        then
            echo "sshd: "$ip >> $HOSTSDENY
        fi
    fi
done
```

| Attachment | Size |
|---|---|
| ssh-block.zip | 592 bytes |
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
User Comments
Watch out
Submitted by GoldTek on 27 July 2010 - 5:46am.
You'll need to watch out for this grep statement:
already=`grep $ip $HOSTSDENY | grep sshd`
IP addresses have (.) periods in them which is a wildcard for regular expressions.
If for example the IP address 2.1.1.1 was being checked by the above grep command, it would also report a match if there was 211.101 in the file already and the script would never add 2.1.1.1 to the Hosts deny file.
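
The exact-match check this comment calls for, as an added example that is not part of the original post or the comment: it compares the post's regex check with a fixed-string, whole-line `grep -Fxq`, and validates each token as IPv4 before appending. The function names and sample data are constructed, and it assumes hosts.deny entries have the exact form `sshd: IP` that the script writes.

```bash
#!/bin/bash
# Added example, not from the original post. Function names and the sample
# data in the demo are constructed for illustration.

# The post's check: $1 is used as a regular expression, so "." matches any
# character and the pattern may match anywhere in a line.
already_regex() {    # usage: already_regex IP FILE
    grep "$1" "$2" | grep -q sshd
}

# Exact check: -F takes the pattern literally, -x requires a whole-line match.
already_exact() {    # usage: already_exact IP FILE
    grep -Fxq "sshd: $1" "$2"
}

# Accept only dotted-quad IPv4 (four octets, 0-255). The body runs in a
# subshell so the IFS change does not leak into the caller.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Read "count ip" pairs on stdin (the post's pipeline output) and append
# new offenders at or above THRESHOLD to FILE.
block_offenders() {  # usage: block_offenders THRESHOLD FILE
    while read -r count ip; do
        is_ipv4 "$ip" || continue
        [ "$count" -ge "$1" ] || continue
        already_exact "$ip" "$2" || echo "sshd: $ip" >> "$2"
    done
}

# Demo on constructed data: 2.1.1.1 is not listed, yet the regex check hits.
demo_file=$(mktemp)
echo "sshd: 211.101.5.5" > "$demo_file"
already_regex 2.1.1.1 "$demo_file" && echo "regex check: 2.1.1.1 reported as listed"
already_exact 2.1.1.1 "$demo_file" || echo "exact check: 2.1.1.1 not listed"
echo "7 2.1.1.1" | block_offenders 5 "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
```

Validating the token matters because `$NF` is whatever ends the log line, which depends on the sshd log format in use.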