How to automatically block SSH brute force attack
Topic: SSH Brute force protection
If your linux server is under ssh brute force attack and want to block those hackers IP automatically, then this article is for you.
In this article i have provided a simple bash script which will scan the last 1000 lines of sshd logs for failed attempts, then copies the IP address for more than 4 failed login attempts and using the IPTABLES the malicious IP's will be blocked.
SSH - Brute Force attack?
SSH stands for “Secure Shell”. It is a protocol used to securely connect to a remote server/system. ssh is secure in the sense that it transfers the data in encrypted form between the host and the client
Brute Force
A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks. The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations, until they find the correct login information.
Overview: SSH Brute Force Attack Protection
In this Article i have provided a Bash script, which will scan last 1000 lines of the SSH error logs, if any failed attempts detected in the logs the IP address of the 3 consecutives failed attempts will be filtered and blocked using the IPTABLES.
The script also has the option to email the IP address which is blocked.
Pre-requisites:
IPTablesSendmail or Postfix
Steps to be followed
Step 1: Bash script file
cd /usr/src/vi sshscan.sh
#!/bin/sh# scan /var/log/secure for ssh attempts# use iptables to block the bad guys# Looking for attempts on existing and non-existing users. For example:# Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2# Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2tail -1000 /var/log/secure | awk '/sshd/ && /Failed password for/ { if (/invalid user/) try[$13]++; else try[$11]++; }END { for (h in try) if (try[h] > 4) print h; }' |while read ipdo# note: check if IP is already blocked.../sbin/iptables -L -n | grep $ip > /dev/nullif [ $? -eq 0 ] ; then# echo "already denied ip: [$ip]" ;trueelseecho "Subject: denying ip: $ip" | /usr/sbin/sendmail urmailid@gmail.comlogger -p authpriv.notice "*** Blocking SSH attempt from: $ip"/sbin/iptables -I INPUT -s $ip -j DROPfidone
chmod 755 sshscan.sh
Step 2: Running the sshscan.sh script
Either you run the sshscan.sh script manually type to scan the ssh log and block the IP address or attackers or you can schedule the script run every minute using cronjob.
to run manually type
/usr/src/sshscan.sh
To schedule in cronjob follow the below steps
open the crontab file by by below command
crontab -e
At the last line of the file enter the below line to run the script every minute
* * * * * /usr/src/sshscan.sh
@reboot /usr/src/sshscan.sh
IPTables command to check the blocked ip
Run the below IPtables command to check the IP's which blocked by the script.
iptables -L -n
Conclusion:
The provided script will check the default ssh log file - /var/log/secure, if your ssh log file is different change the same in the bash script.
Vicidial or asterisk servers are common target of ssh brute force attacks, use the script provided here for SSHD brute force protection
hey striker..i am big fan..learned from ur videos a lot.. i am facing the same problem in my server which is in cloud and my sip is getting drained..i cant use this code and paste in on ssh can u do a video tutorial for it pls
thnx a lot.