Actually I've been lazy about writing tutorials, but recently friends have been reporting the same problem: their logs are full of failed SSH logins, mostly from outside IP addresses. That is a brute-force attack.
After some googling, here is a simple way to counter SSH brute-force attacks.
The script below reads the sshd log for failed login attempts and, once a source IP has reached a specified number of them, adds that IP to the deny list (/etc/hosts.deny).
#!/bin/bash
#Chad
LOGFILE="/var/log/secure"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts:
# take the address after "from" (newer OpenSSH appends " port NNNNN", so the last field is not the IP),
# then count attempts per IP and strip the leading spaces that uniq -c adds
grep sshd "$LOGFILE" | grep "Invalid user" | sed -n 's/.* from \([^ ]*\).*/\1/p' | sort | uniq -c | sort -n | sed "s/^[[:space:]]*//" | while read -r i
do
# read number of failed attempts
count=$(echo "$i" | cut -d" " -f1)
# read ip address from failed attempt
ip=$(echo "$i" | cut -d" " -f2)
# check hosts.deny to see if IP already exists
# (-F matches the dots literally, -w stops 203.0.113.5 from matching 203.0.113.50)
already=$(grep -Fw -- "$ip" "$HOSTSDENY" | grep sshd)
# if IP does not exist and it is over the limit, add it to hosts.deny
if [ -z "$already" ]
then
if [ "$count" -ge "$BADCOUNT" ]
then
echo "sshd: $ip" >> "$HOSTSDENY"
fi
fi
done
Save the script above and run it from root's crontab (for example every five minutes: */5 * * * * /path/to/the-script.sh, with your own path). It uses hosts.deny, so an IP that fails SSH login five times is added to hosts.deny on the server automatically. Two things to check before relying on it: hosts.deny only takes effect if your sshd is built with TCP wrappers (libwrap) support, which upstream OpenSSH dropped in 6.7 and which many current distributions no longer ship, so verify with ldd $(which sshd) | grep libwrap; and because the script counts every line still in the log, an address stays blocked until you remove it from hosts.deny by hand, whether or not the log has since rotated.
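As an added example, separate from the script above, here is the same detection logic run over a few constructed sshd log lines, so you can try it without a real /var/log/secure or touching the real /etc/hosts.deny. It shows why the original awk '{print $NF}' is unreliable (on newer OpenSSH lines the last field is the port), takes the address from the token after "from" instead, and matches the address in the deny file literally and as a whole word. The sample log lines, temp files and function names are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the original script. All input below is constructed.

# Constructed sample log in the syslog format sshd writes (not real data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 host sshd[1001]: Invalid user admin from 203.0.113.5
Mar  1 10:00:02 host sshd[1002]: Invalid user admin from 203.0.113.5 port 40122
Mar  1 10:00:03 host sshd[1003]: Invalid user oracle from 203.0.113.5 port 40123
Mar  1 10:00:04 host sshd[1004]: Invalid user test from 203.0.113.5 port 40124
Mar  1 10:00:05 host sshd[1005]: Invalid user guest from 203.0.113.5 port 40125
Mar  1 10:00:06 host sshd[1006]: Invalid user pi from 203.0.113.5 port 40126
Mar  1 10:00:07 host sshd[1007]: Invalid user admin from 198.51.100.7 port 51000
Mar  1 10:00:08 host sshd[1008]: Invalid user root from 198.51.100.7 port 51001
Mar  1 10:00:09 host sshd[1009]: Failed password for root from 192.0.2.9 port 2222 ssh2
Mar  1 10:00:10 host sshd[1010]: Accepted publickey for alice from 192.0.2.10 port 5555 ssh2
EOF

# What the original awk '{print $NF}' extracts: on lines with "port" it is the port, not the IP.
naive_last_field() {
  grep 'sshd\[' "$1" | grep 'Invalid user' | awk '{print $NF}' | sort -u
}

# Print "count ip" for every source IP with at least $2 "Invalid user" lines in log $1.
# The IP is the token after "from"; anything after it (" port NNNNN") is ignored.
offenders() {
  local logfile=$1 threshold=$2
  grep 'sshd\[' "$logfile" | grep 'Invalid user' \
    | sed -n 's/.* from \([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Exit 0 if IP $1 already appears as a whole word on an "sshd:" line of deny file $2.
# -F takes the address literally (a dot is not a wildcard); -w stops 203.0.113.5
# from matching 203.0.113.50.
already_denied() {
  grep -F 'sshd:' "$2" 2>/dev/null | grep -qFw -- "$1"
}

# Append "sshd: IP" for each offender not yet listed; safe to run repeatedly from cron.
deny_offenders() {
  local logfile=$1 threshold=$2 denyfile=$3 count ip
  offenders "$logfile" "$threshold" | while read -r count ip; do
    if ! already_denied "$ip" "$denyfile"; then
      echo "sshd: $ip" >> "$denyfile"
    fi
  done
}

# Run against a temporary deny file, twice, to show the second run adds nothing.
DENY_FILE=$(mktemp)
deny_offenders "$SAMPLE_LOG" 5 "$DENY_FILE"
deny_offenders "$SAMPLE_LOG" 5 "$DENY_FILE"
cat "$DENY_FILE"
```

With the threshold at 5 only 203.0.113.5 (six attempts) is listed; 198.51.100.7 has two and the "Failed password" line for 192.0.2.9 is not counted at all, since the page's rule looks only at "Invalid user" lines. Point LOGFILE and the deny file at the real paths, and run as root, to use it for real.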