SSH brute force block
Novell Cool Solutions: Cool Tool
In Brief
Detect brute-force SSH login attempts and block the source addresses.
Vitals
- Product Categories:
  - SUSE Linux Enterprise
  - SUSE Linux Enterprise Server
- Functional Categories:
  - Scripting
| Posted: | 10 Oct 2007 |
| File Size: | 1KB |
| License: | Free |
| Download: | /coolsolutions/tools/downloads/ssh-block.sh |
| Publisher: | Chad Israel |
Details
We noticed a large number of failed login attempts on a few Linux servers that had SSH open to the outside. To prevent such attacks I modified a script, run by cron at a fixed interval, to detect failed logins and, once an address has reached a certain number of attempts, add it to hosts.deny.
Hope this helps someone.
```bash
#!/bin/bash
# This script will monitor for failed login attempts and after a specified
# number of times add the IP to a deny list
# Chad
LOGFILE="/var/log/messages"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts; the last field of an
# "Invalid user" line is the source address, which is counted per address
grep sshd "$LOGFILE" | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n | sed "s/^[[:space:]]*//" | while read -r i
do
    # read number of failed attempts
    count=$(echo "$i" | cut -d" " -f1)
    # read ip address from failed attempt
    ip=$(echo "$i" | cut -d" " -f2)
    # check hosts.deny to see if the IP already exists (-F matches the
    # address literally, so its dots are not treated as regex wildcards)
    already=$(grep -F "$ip" "$HOSTSDENY" | grep sshd)
    # if IP does not exist add it to hosts.deny
    if [ -z "$already" ]
    then
        if [ "$count" -ge "$BADCOUNT" ]
        then
            echo "sshd: $ip" >> "$HOSTSDENY"
        fi
    fi
done
```
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com
Reader Comments
- The problem with these types of scripts is that they allow remote log injection. Be wary of using these. See here: http://www.ossec.net/en/attacking-loganalysis.html#denyhosts
- Thanks to Peter for the heads up about an additional error that can be scanned for. Change the "grep sshd $LOGFILE" line to read: `grep sshd $LOGFILE |egrep 'Invalid user|Authentication failure'| awk '{print $NF}'|sort|uniq -c|sort -n|sed "s/[[:space:]]*//" | while read i` Chad
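The same detection as an added example, not the page's script or the change suggested in the comments: it counts sshd failures per source address and writes hosts.deny entries, but takes the address from the "from" field or the PAM rhost= field rather than the last whitespace-separated field, accepts only a well-formed IPv4, and matches existing deny entries exactly. The log lines, addresses and function names are constructed for the example; the PAM "authentication failure" format it parses is the pam_unix line, whose last field is user=..., not an address.

```sh
#!/bin/sh
# Added example (not the page's script): count sshd failures per source
# address and emit hosts.deny entries only for well-formed IPv4 addresses.
# It reads "Invalid user" lines and PAM "authentication failure" lines.
BADCOUNT=3
# Accept only four decimal octets in 0-255; anything else that reached the
# log through an attacker-chosen username is rejected here.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}
# Print the source address of one sshd log line, or nothing (status 1) if
# the line carries no address that survives validation.
extract_ip() {
    case "$1" in
        *sshd*"Invalid user "*" from "*)
            ip=${1##*" from "}          # text after the LAST " from "
            ip=${ip%%" "*} ;;
        *sshd*"authentication failure;"*rhost=*)
            ip=${1##*rhost=}            # address sits in rhost=, not $NF
            ip=${ip%%" "*} ;;
        *) return 1 ;;
    esac
    valid_ipv4 "$ip" && printf '%s\n' "$ip"
}
# Read log lines on stdin; print each address seen at least BADCOUNT times.
offenders() {
    while IFS= read -r line; do
        extract_ip "$line" || true      # skip lines without a usable address
    done | sort | uniq -c | awk -v n="$BADCOUNT" '$1+0 >= n+0 { print $2 }'
}
# deny_host <ip> <file>: append "sshd: <ip>" unless that exact line exists
# (a plain grep for the address would also match 10.0.0.1 against 10.0.0.10).
deny_host() {
    grep -Fxq "sshd: $1" "$2" 2>/dev/null || printf 'sshd: %s\n' "$1" >> "$2"
}
# Constructed sample log: three failures from one address (one with a
# username crafted to contain " from 9.9.9.9"), one PAM line, one bad octet.
SAMPLE_LOG='Oct 10 12:00:01 host sshd[1001]: Invalid user admin from 198.51.100.7
Oct 10 12:00:02 host sshd[1002]: Invalid user root from 9.9.9.9 from 198.51.100.7
Oct 10 12:00:03 host sshd[1003]: Invalid user test from 198.51.100.7
Oct 10 12:00:04 host sshd[1004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Oct 10 12:00:05 host sshd[1005]: Invalid user bob from 10.0.0.300'
printf '%s\n' "$SAMPLE_LOG" | offenders     # prints 198.51.100.7
```

To use it in place of the page's loop, feed the real log to `offenders` and pass each printed address to `deny_host` with `/etc/hosts.deny`.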