SSH Brute Force Attacks
Hi,
I am sure many of you are also getting the SSH brute force attacks. I
have been working on a little script that looks at the /var messages
for failed login attempts and, if over a certain threshold, blocks them.
It seems to work pretty well so far, except it puts multiple blocks in
for IPs that are already there. This is what I have right now:
#!/bin/bash
INFILE="/var/log/brute.list"
# Count failed sshd authentications per source address (rhost= field).
# Overwrite (>) rather than append (>>), otherwise old counts pile up across runs
# and the same address gets processed again and again.
grep -i sshd /var/log/messages | grep -i "authentication failure" |
  awk '{print $13}' | cut -d'=' -f2 | sort | uniq -c > "$INFILE"
exec < "$INFILE"
while read COUNT IPADDR
do
  #echo count=$COUNT ipaddr=$IPADDR
  if [ "$COUNT" -gt 5 ]
  then
    # -A appends a rule to the existing chain; -N would try to create a new chain.
    iptables -A RH-Firewall-1-INPUT -s "$IPADDR" -p tcp -j DROP
    echo "$IPADDR should be blocked"
    #echo $IPADDR has been blocked | mail -s "Blocked IP's" gregoryd@xxxxxxxxxxxxx
    # iptables-save only prints to stdout; redirect it so the rules persist.
    iptables-save > /etc/sysconfig/iptables
  fi
done
I want to build more logic into it that would compare two files and, if
it is in the one file of the blocked IP list, do nothing, BUT if it isn't
in the blocked IP list, block it, add it to the list and resort it.
Anybody have any ideas how to do that?
ThanX,
Greg
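One way to do what the post asks for, as an added example rather than the poster's script: keep a sorted blocklist file, look each address up before touching iptables, and only add a rule (and a list entry) for addresses not already there. The chain name comes from the post; the LOG and BLOCKED paths, the THRESHOLD variable and the IPTABLES override (set IPTABLES=echo for a dry run) are assumptions.

```shell
#!/bin/bash
# Added example, not the original poster's code. Assumed defaults below.
LOG=${LOG:-/var/log/messages}
BLOCKED=${BLOCKED:-/var/log/blocked.list}
THRESHOLD=${THRESHOLD:-5}
IPTABLES=${IPTABLES:-iptables}   # assumption: set IPTABLES=echo to dry-run

# Print "count ip" for every rhost= seen in sshd authentication failures,
# highest count first. Picks the rhost= token by name instead of by position.
count_failures() {
    grep -i sshd "$LOG" | grep -i 'authentication failure' |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^rhost=/) print substr($i, 7) }' |
    sort | uniq -c | sort -rn
}

# Exit 0 when the address is already on the blocklist (whole-line exact match).
is_blocked() {
    [ -f "$BLOCKED" ] && grep -qxF "$1" "$BLOCKED"
}

# Add the DROP rule once; record the address and keep the list sorted/unique.
# Exit 1 when the address was already blocked, so the caller can skip it.
block_ip() {
    if is_blocked "$1"; then
        return 1
    fi
    "$IPTABLES" -A RH-Firewall-1-INPUT -s "$1" -p tcp -j DROP &&
    echo "$1" >> "$BLOCKED" && sort -u -o "$BLOCKED" "$BLOCKED"
}

# Walk the counts and block only addresses over the threshold that are new.
# Prints one line per address blocked on this run.
process_log() {
    count_failures | while read -r count ip; do
        [ "$count" -gt "$THRESHOLD" ] || continue
        block_ip "$ip" && echo "blocked $ip ($count failures)"
    done
}

case "${1:-}" in
    run) process_log ;;
esac
```

Run it as root from cron with the argument `run`; a second run over the same log prints nothing, because every address over the threshold is already in the blocklist.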
_______________________________________________
LinuxManagers mailing list - http://www.linuxmanagers.org
submissions: LinuxManagers@xxxxxxxxxxxxxxxxx
subscribe/unsubscribe: http://www.linuxmanagers.org/mailman/listinfo/linuxmanagers