<p>First of all, I love a concept called knockd. Since you are OK using an alternate port, you may be OK with this unconventional approach. But what you describe sounds very similar to a service I have used in the past. I don't remember the exact name, but I would search for "harden ssh". It watches constantly, immediately blocking repeat failures, which is much better than waiting 24 hours.</p>
<p><blockquote type="cite">On Dec 23, 2010 9:41 AM, "Van Loggins" &lt;<a href="mailto:vanloggins@gmail.com">vanloggins@gmail.com</a>&gt; wrote:<br><br>I have a Red Hat Enterprise Linux 5.5 server that is getting over 600 failed ssh login attempts a day.<br>
<br>I'm wanting to lock down the server to protect it but need to keep ssh running.<br><br>I've changed my ssh config and went to a higher non-standard port, which should help, but I also want to run a cron job every 24 hours or so that scans for failed ssh login attempts and blocks the IP.<br>
<br>I worked on something similar a few years ago on a CentOS 3 box and was hoping to get it working again.<br><br>Here is the original shell script code:<br><br>Code begins here:<br><br>#!/bin/bash<br># check for hack attempts and email alerts if seen<br>
searchdate=`date +'%b %e'`<br>searchtime=`date +'%r'`<br>tail -n 100 /var/log/secure > /tmp/output.txt<br>grep "Failed password" /tmp/output.txt > /tmp/faillogin<br>if [ $? = 0 ]<br> then awk '{print $11}' /tmp/faillogin > /tmp/awkip.txt<br>
for i in `cat /tmp/awkip.txt`<br> do<br> iptables -A INPUT -s $i/32 -j DROP<br> done<br> mail <a href="mailto:someone@somewhere.com" target="_blank">someone@somewhere.com</a> -s "Failed login via SSH on $searchdate at $searchtime" &lt; /tmp/faillogin<br>fi<br><br>End of Code<br><br><br>For some reason it's erroring out on the do command, so it never gets to the iptables command.<br><br>Any suggestions, or a better method to do this?<br>
<br><br>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></p>
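<p>An added example (not from the original thread) of the log scan asked about above: it counts failed sshd logins per source address, lists only addresses at or above a threshold, and prints the iptables commands instead of running them. The threshold, the allowlisted address, the function names and the sample log lines are assumptions constructed for illustration.</p>

```shell
#!/bin/bash
# Added example: prints the iptables commands it would run; changes nothing.
THRESHOLD=3                 # assumed: failures per address before blocking
ALLOW="192.0.2.200"         # assumed: admin address that must never be blocked

# Constructed sample in the sshd format written to /var/log/secure.
sample_log() {
cat <<'EOF'
Dec 23 09:40:01 web1 sshd[2101]: Failed password for root from 192.0.2.10 port 40111 ssh2
Dec 23 09:40:03 web1 sshd[2101]: Failed password for root from 192.0.2.10 port 40111 ssh2
Dec 23 09:40:05 web1 sshd[2104]: Failed password for root from 192.0.2.10 port 40120 ssh2
Dec 23 09:41:10 web1 sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Dec 23 09:41:12 web1 sshd[2110]: Failed password for invalid user test from 198.51.100.7 port 51000 ssh2
Dec 23 09:41:15 web1 sshd[2113]: Failed password for invalid user a b from 198.51.100.7 port 51004 ssh2
Dec 23 09:42:00 web1 sshd[2120]: Failed password for alice from 203.0.113.5 port 42000 ssh2
Dec 23 09:42:09 web1 sshd[2120]: Accepted password for alice from 203.0.113.5 port 42000 ssh2
Dec 23 09:43:00 web1 sshd[2130]: Failed password for root from 192.0.2.200 port 43000 ssh2
Dec 23 09:43:02 web1 sshd[2130]: Failed password for root from 192.0.2.200 port 43000 ssh2
Dec 23 09:43:04 web1 sshd[2130]: Failed password for root from 192.0.2.200 port 43000 ssh2
EOF
}

# stdin: log lines; $1: threshold. Prints addresses with >= $1 failures.
# Fields are counted from the end of the line ("from ADDR port N ssh2"):
# the user name is client-supplied text, so $11 is not always the address.
offenders() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# stdin: addresses; $1: space-separated allowlist. -I puts the DROP ahead of
# an existing ACCEPT rule for the ssh port; -A would append it after.
block_commands() {
    while read -r ip; do
        case " $1 " in *" $ip "*) continue ;; esac
        echo "iptables -I INPUT -s $ip/32 -j DROP"
    done
}

sample_log | offenders "$THRESHOLD" | block_commands "$ALLOW"
```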