SSH brute force block

Novell Cool Solutions: Cool Tool

In Brief

Detect brute force SSH attack.

Vitals

Functional Categories:
  • Scripting

Posted: 10 Oct 2007
File Size: 1KB
License: Free
Download: /coolsolutions/tools/downloads/ssh-block.sh
Publisher: Chad Israel

    Details

    We noticed a large number of failed login attempts on a few Linux servers that had SSH open to the outside. So to prevent such attacks, I modified a script to be run by cron at a set interval to detect failed logins and, after a certain number of attempts, add them to hosts.deny.

    Hope this helps someone.

    #!/bin/bash
    # This script monitors for failed login attempts and, after a specified
    # number of attempts, adds the IP to a deny list
    # Chad
    LOGFILE="/var/log/messages"
    HOSTSDENY="/etc/hosts.deny"
    BADCOUNT="5"
    # Read the logfile and look for invalid login attempts.
    # The IP is taken from the last field, i.e. lines of the form
    # "Invalid user NAME from IP"; sshd versions that append "port N" need a different field.
    # uniq -c prints "count ip"; read strips the leading spaces and splits the two values.
    grep sshd "$LOGFILE" | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n | while read -r count ip
    do
            # count = number of failed attempts, ip = address they came from
            # Check hosts.deny to see if the IP already exists.
            # -F treats the dots literally and -w matches whole words only,
            # so 1.2.3.4 is not mistaken for 1.2.3.40.
            already=$(grep -Fw -- "$ip" "$HOSTSDENY" | grep sshd)
            # If the IP does not exist, add it to hosts.deny
            if [ -z "$already" ]
            then
                    if [ "$count" -ge "$BADCOUNT" ]
                    then
                            echo "sshd: $ip" >> "$HOSTSDENY"
                    fi
            fi
    done
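
A variant of the counting step, added here as an example and not part of the original ssh-block.sh: it reads the address after the last `from`, so both `... from IP` and the newer `... from IP port N` line formats are counted, and it only accepts well-formed IPv4 addresses. The function names and the sample log are constructed; like the script above, it assumes an sshd that honours hosts.deny (TCP wrappers).

```shell
#!/bin/bash
# Added example, not the original ssh-block.sh; names and sample data are constructed.
# Print "count ip" for each IPv4 source with at least $2 "Invalid user" lines in log $1.
ssh_offenders() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Invalid user / {
            # The user name is client-supplied text and may contain spaces, and newer
            # sshd appends "port N": take the field after the LAST "from".
            ip = ""
            for (i = NF - 1; i >= 1; i--)
                if ($i == "from") { ip = $(i + 1); break }
            # Keep only dotted quads with every octet in 0..255.
            if (split(ip, o, ".") != 4) next
            for (j = 1; j <= 4; j++)
                if (o[j] !~ /^[0-9]+$/ || length(o[j]) > 3 || o[j] + 0 > 255) next
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -k2,2
}

# Append "sshd: ip" to deny file $2 for offenders in log $1 (threshold $3) that are
# not listed there yet; print each address that was added.
ssh_block_new() {
    ssh_offenders "$1" "$3" | while read -r count ip
    do
        # -F literal dots, -x whole line: 192.0.2.1 never matches 192.0.2.10
        if ! grep -Fxq -- "sshd: $ip" "$2" 2>/dev/null
        then
            echo "sshd: $ip" >> "$2"
            echo "$ip"
        fi
    done
}

# Constructed sample log (documentation addresses only), written to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 10 03:12:01 web1 sshd[4101]: Invalid user admin from 192.0.2.10
Oct 10 03:12:03 web1 sshd[4102]: Invalid user test from 192.0.2.10
Oct 10 03:12:05 web1 sshd[4103]: Invalid user oracle from 192.0.2.10 port 40112
Oct 10 03:13:10 web1 sshd[4110]: Invalid user guest from 198.51.100.7 port 51234
Oct 10 03:13:12 web1 sshd[4111]: Invalid user web admin from 203.0.113.5 port 4242
Oct 10 03:13:13 web1 sshd[4112]: Invalid user db admin from 203.0.113.5 port 4243
Oct 10 03:13:14 web1 sshd[4113]: Failed password for root from 198.51.100.7 port 51240 ssh2
EOF
}
# Demo: sources with 2 or more "Invalid user" lines in the sample.
log=$(mktemp) && write_sample_log "$log" && ssh_offenders "$log" 2; rm -f "$log"
```

For a real run, pass the system log, the deny file and the threshold, for example `ssh_block_new /var/log/messages /etc/hosts.deny 5` from cron.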
