[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

Van Loggins vanloggins at gmail.com
Thu Dec 23 09:40:12 EST 2010


I have a Redhat Enterprise linux 5.5 server that is getting over 600 failed
ssh login attempts a day.

I'm wanting to lock down the server to protect it but need to keep ssh
running.

I've changed my ssh config and went to a higher non standard port which
should help but I also want to run a cron job every 24 hours or so that
scans for failed ssh login attempts and blocks the IP

I worked on something similar a few years ago on a Centos 3 box and was
hoping to get it working again.

here is the original shell script code

code begins here:

#!/bin/bash
# check for hack attempts and email alerts if seen
searchdate=`date +'%b %e'`
searchtime=`date +'%r'`
tail -n 100 /var/log/secure > /tmp/output.txt
grep "Failed password" /tmp/output.txt > /tmp/faillogin
if [ $? = 0 ]
        then awk '{print $11}' /tmp/faillogin > /tmp/awkip.txt
        for i in `cat /tmp/awkip.txt`
        do
                iptables -A INPUT -s $i/32 -j DROP
        done
        mail someone at somewhere.com -s "Failed login via SSH on
$searchdate at $searchtime" < /tmp/faillogin
fi

End of Code


for some reason it's erroring out on the do command so it never gets to the
iptables command.

any suggestions, or a better method to do this?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20101223/7297a5a1/attachment.html 


More information about the Ale mailing list