[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?

Randy Ramsdell rramsdell at activedg.com
Thu Dec 23 09:52:48 EST 2010


Van Loggins wrote:
> I have a Redhat Enterprise linux 5.5 server that is getting over 600 
> failed ssh login attempts a day.
> 
> I'm wanting to lock down the server to protect it but need to keep ssh 
> running.
> 
> I've changed my ssh config and went to a higher non standard port which 
> should help but I also want to run a cron job every 24 hours or so that 
> scans for failed ssh login attempts and blocks the IP
> 
> I worked on something similar a few years ago on a Centos 3 box and was 
> hoping to get it working again.
> 
> here is the original shell script code
> 
> code begins here:
> 
> #!/bin/bash
> # check for hack attempts and email alerts if seen
> searchdate=`date +'%b %e'`
> searchtime=`date +'%r'`
> tail -n 100 /var/log/secure > /tmp/output.txt
> grep "Failed password" /tmp/output.txt > /tmp/faillogin
> if [ $? = 0 ]
>         then
>         # take the word after "from": the IP is field 11 for a known user
>         # but field 13 for "invalid user" lines, so a fixed column is unsafe;
>         # sort -u so each address is handled once per run
>         awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' /tmp/faillogin | sort -u > /tmp/awkip.txt
>         for i in `cat /tmp/awkip.txt`
>         do
>                 # skip addresses already blocked so the chain does not grow on every run
>                 iptables -n -L INPUT | grep -qwF "$i" || iptables -A INPUT -s $i/32 -j DROP
>         done
>         # recipient address is a placeholder
>         mail -s "Failed login via SSH on $searchdate at $searchtime" someone@somewhere.com < /tmp/faillogin
> fi
> 
> End of Code

I used to use portsentry. Cisco bought it but it is still OSS and it 
worked well.

If you change the bind port, that stops 99% of the scripted tools 
although I don't believe in security through obscurity.
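A threshold-based version of the cron-script idea from the original post, added here as an example (it is not code from either poster): it counts "Failed password" lines per source address, skips a whitelist, and prints the iptables rules it would add instead of applying them. The log lines are constructed, and the function names (offenders, block_plan) are hypothetical.

```shell
#!/bin/bash
# Added example, not from the mailing-list post. Parses /var/log/secure-style
# lines, counts failures per IP, applies a whitelist regex and a threshold,
# and emits the iptables commands as a dry run for review.

# Constructed sample lines in RHEL 5 /var/log/secure format.
SAMPLE_LOG='Dec 23 09:40:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 23 09:40:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Dec 23 09:40:05 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Dec 23 09:41:10 host sshd[1204]: Failed password for bob from 192.168.1.20 port 40000 ssh2
Dec 23 09:41:12 host sshd[1205]: Failed password for bob from 192.168.1.20 port 40001 ssh2
Dec 23 09:41:14 host sshd[1206]: Failed password for bob from 192.168.1.20 port 40002 ssh2
Dec 23 09:42:00 host sshd[1207]: Failed password for alice from 198.51.100.9 port 33000 ssh2
Dec 23 09:42:30 host sshd[1208]: Accepted password for alice from 198.51.100.9 port 33001 ssh2'

# offenders THRESHOLD [WHITELIST_REGEX]  (log on stdin) -> one IP per line.
# The IP is the word after "from", so "invalid user" lines, where the IP
# shifts from field 11 to field 13, are handled the same as normal lines.
offenders() {
    local threshold="$1" whitelist="${2:-}"
    awk -v t="$threshold" -v wl="$whitelist" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            if (wl != "" && ip ~ wl) next
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= t) print ip }' | sort
}

# block_plan THRESHOLD [WHITELIST_REGEX] (log on stdin) -> iptables commands
# that would be run; pipe them to sh only after reviewing the list.
block_plan() {
    offenders "$1" "${2:-}" | while read -r ip; do
        printf 'iptables -I INPUT -s %s/32 -j DROP\n' "$ip"
    done
}

# Example run: threshold 3, never block the management LAN.
printf '%s\n' "$SAMPLE_LOG" | block_plan 3 '^192[.]168[.]'
```

In a cron job the log would come from `tail -n 100 /var/log/secure` as in the original script, and the whitelist should at least cover the address you administer from.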

