I have a Red Hat Enterprise Linux 5.5 server that is getting over 600 failed SSH login attempts a day.

I'm wanting to lock down the server to protect it but need to keep SSH running.

I've changed my SSH config and went to a higher, non-standard port, which should help, but I also want to run a cron job every 24 hours or so that scans for failed SSH login attempts and blocks the IP.
I worked on something similar a few years ago on a CentOS 3 box and was hoping to get it working again.

Here is the original shell script code.

code begins here:

#!/bin/bash
# check for hack attempts, block the source IPs and email alerts if seen
searchdate=`date +'%b %e'`
searchtime=`date +'%r'`
tail -n 100 /var/log/secure > /tmp/output.txt
grep "Failed password" /tmp/output.txt > /tmp/faillogin
if [ $? = 0 ]
then
 # take the word after "from" so both "for USER from IP" and
 # "for invalid user USER from IP" lines yield the IP (a fixed $11 only
 # works for the first form), and dedupe so each IP gets one rule
 awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' /tmp/faillogin | sort -u > /tmp/awkip.txt
 for i in `cat /tmp/awkip.txt`
 do
  iptables -A INPUT -s $i/32 -j DROP
 done
 # mail takes -s SUBJECT before the recipient address
 mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < /tmp/faillogin
fi

End of Code

For some reason it's erroring out on the do command, so it never gets to the iptables command.

Any suggestions, or a better method to do this?
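The approach the question describes (scan sshd log lines, pull out the source IP of each failed password, block it with iptables), as an added example that is not the poster's script. It counts failures per IP over the lines it is given, only reports IPs at or above a threshold, skips an allow-list of admin hosts so a typo can't lock you out, and prints the iptables rules instead of running them. The sample log lines, the THRESHOLD value and the ALLOWLIST address are all constructed for the example.

```shell
#!/bin/sh
# Added example, not the poster's script: count "Failed password" lines per
# source IP from sshd log output, keep only IPs at or over a threshold, drop
# allow-listed hosts, and print the iptables rules a cron job would run.
# Nothing here touches iptables; the rules are only printed (dry run).

# Constructed sample lines in /var/log/secure format (not from a real server).
SAMPLE_LOG='Mar 10 02:11:43 rhel5 sshd[4021]: Failed password for root from 203.0.113.7 port 51812 ssh2
Mar 10 02:11:45 rhel5 sshd[4021]: Failed password for root from 203.0.113.7 port 51812 ssh2
Mar 10 02:11:48 rhel5 sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 51900 ssh2
Mar 10 02:11:50 rhel5 sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 51900 ssh2
Mar 10 02:12:01 rhel5 sshd[4030]: Failed password for invalid user oracle from 198.51.100.23 port 40101 ssh2
Mar 10 02:12:04 rhel5 sshd[4031]: Failed password for admin from 198.51.100.23 port 40102 ssh2
Mar 10 02:12:06 rhel5 sshd[4031]: Failed password for admin from 198.51.100.23 port 40102 ssh2
Mar 10 02:13:10 rhel5 sshd[4044]: Failed password for jdoe from 192.0.2.50 port 33333 ssh2
Mar 10 02:13:12 rhel5 sshd[4044]: Failed password for jdoe from 192.0.2.50 port 33333 ssh2
Mar 10 02:13:14 rhel5 sshd[4044]: Failed password for jdoe from 192.0.2.50 port 33333 ssh2
Mar 10 02:13:20 rhel5 sshd[4045]: Accepted password for jdoe from 192.0.2.50 port 33334 ssh2
Mar 10 02:14:00 rhel5 sshd[4050]: Failed password for root from 203.0.113.99 port 22222 ssh2'

THRESHOLD=3                  # assumed policy: block after 3 failures in the window
ALLOWLIST="192.0.2.50"       # assumed: admin hosts that must never be locked out

# failed_counts THRESHOLD: reads log lines on stdin, prints "COUNT IP" (sorted
# by IP) for every source IP with at least THRESHOLD failed-password lines. The
# IP is the word after "from", so "for USER from IP" and "for invalid user USER
# from IP" are both handled (a fixed field number like $11 is not).
failed_counts() {
  awk -v thr="$1" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
  ' | sort -k2,2
}

# offenders THRESHOLD "ALLOW1 ALLOW2 ...": prints the IPs to block, one per
# line, skipping anything on the allow-list.
offenders() {
  failed_counts "$1" | while read -r count ip; do
    skip=0
    for a in $2; do
      if [ "$a" = "$ip" ]; then skip=1; fi
    done
    if [ "$skip" -eq 0 ]; then echo "$ip"; fi
  done
}

# rules THRESHOLD ALLOWLIST: turns the offender list into iptables commands.
# -I puts the DROP ahead of any existing ACCEPT; limiting it to tcp/22 (or the
# non-standard sshd port) keeps the block from affecting other services.
rules() {
  offenders "$1" "$2" | while read -r ip; do
    echo "iptables -I INPUT -s $ip/32 -p tcp --dport 22 -j DROP"
  done
}

# Dry run over the constructed sample (a cron job would feed the real log instead):
printf '%s\n' "$SAMPLE_LOG" | rules "$THRESHOLD" "$ALLOWLIST"
```

Feeding `/var/log/secure` (or its rotated copies) through `rules` from cron and piping the output to `sh` would apply the blocks; before doing that, check `iptables -L INPUT -n` for an existing rule so the same IP is not inserted every run, and consider that a 100-line `tail` window misses most of 600 attempts a day. Tools such as fail2ban and DenyHosts implement this same loop with per-IP counting and automatic expiry of old blocks.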