Computerglitch

An ongoing adventure

Blocking Repeated SSH Login Failures

This how-to describes a way to block repeated invalid SSH login attempts from offending IP addresses by feeding them into a pf table.

First create the following script and name it sshblock: [download sshblock]

#!/bin/ksh
#
# sshblock: collect source addresses with repeated SSH login failures
# from /var/log/authlog and add them to the pf table <kiddies>.
#
NUM_TRIES=3

# Addresses that tried user names which do not exist on this host
# ("Invalid user NAME from ADDR": the address is field 10).
SSH_INVALID_USERS=`grep 'Invalid user' /var/log/authlog | awk '{ print $10 }' | sort -u`
for iu in $SSH_INVALID_USERS; do
    # -F -w -c: count lines containing exactly this address, so 10.0.0.1
    # is not also counted against 10.0.0.10
    num=`grep -Fcw -- "$iu" /var/log/authlog`
    if [ $num -gt $NUM_TRIES ]; then
        echo "$iu" >> /var/tmp/invalid_users.list
    fi
done
# sort -u -o writes the result back to the same file; "cat file | sort -u > file"
# truncates the file before cat has read it
sort -u -o /var/tmp/invalid_users.list /var/tmp/invalid_users.list

# Addresses that failed the password of an existing user
# ("Failed password for NAME from ADDR port ...": the address is field 11).
SSH_FAILED_PASSWORD=`grep 'Failed password for' /var/log/authlog | grep -v 'invalid user' | awk '{ print $11 }' | sort -u`
for fp in $SSH_FAILED_PASSWORD; do
    num=`grep -Fcw -- "$fp" /var/log/authlog`
    if [ $num -gt $NUM_TRIES ]; then
        echo "$fp" >> /var/tmp/failed_passwords.list
    fi
done
sort -u -o /var/tmp/failed_passwords.list /var/tmp/failed_passwords.list

# Merge both lists and load the addresses into the <kiddies> table
sort -u /var/tmp/invalid_users.list /var/tmp/failed_passwords.list > /var/tmp/blockers.list
pfctl -t kiddies -v -T add -f /var/tmp/blockers.list

Place this script in /usr/sbin and add the executable permission to it:

# mv sshblock /usr/sbin
# chmod +x /usr/sbin/sshblock

Add the following to /etc/pf.conf (be sure your external interface is set properly):

ext_if="vr0"
table <kiddies> persist
block in on $ext_if from <kiddies>

To keep the table current, add the following crontab entry so the script refreshes the list of offending IPs every 5 minutes:

# crontab -e
*/5 * * * * /usr/sbin/sshblock
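The counting that sshblock does, as an added example rather than the script from this post: it takes the address from the field after "from" instead of a fixed column (so both "Invalid user" and "Failed password for" lines are handled by one rule), counts exact addresses so 10.0.0.1 is never counted against 10.0.0.10, skips the duplicate "Failed password for invalid user" line the way the grep -v in the script does, and de-duplicates the list file in place. The authlog lines, the function names and the file paths used here are constructed for the demonstration; the pfctl command is shown only in a comment so the example runs on any machine.

```shell
#!/bin/sh
# Added example, not the sshblock script from the post. Counts SSH login
# failures per source address in OpenBSD-style authlog lines and prints the
# addresses over a threshold, one per line, the form "pfctl -T add -f" reads.

# offenders LOGFILE THRESHOLD
# Prints every address with MORE than THRESHOLD failures. The address is the
# word after "from", so the rule does not depend on a fixed awk column.
# "Failed password for invalid user ..." repeats the "Invalid user ..." line
# for the same attempt and is skipped, as the script's grep -v does.
offenders() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Invalid user / ||
        (/sshd\[[0-9]+\]: Failed password for / && !/invalid user/) {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] > limit) print ip }
    ' "$1" | LC_ALL=C sort
}

# update_blocklist LOGFILE THRESHOLD LISTFILE
# Appends this run's offenders to a persistent list and de-duplicates it in
# place. sort -u -o reads all input before writing, whereas
# "cat f | sort -u > f" truncates f before cat has read it.
update_blocklist() {
    offenders "$1" "$2" >> "$3"
    LC_ALL=C sort -u -o "$3" "$3"
    # On the firewall itself the list would then be loaded with:
    #   pfctl -t kiddies -T add -f "$3"
}

# Constructed sample log: 10.0.0.10 has 4 counted failures (the "invalid user"
# password line is skipped), 192.0.2.7 has exactly 3, 10.0.0.1 has 1 failure
# followed by a successful key login.
sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 gw sshd[1201]: Invalid user admin from 10.0.0.10
Mar  3 10:00:02 gw sshd[1201]: Failed password for invalid user admin from 10.0.0.10 port 40001 ssh2
Mar  3 10:00:05 gw sshd[1202]: Failed password for root from 10.0.0.10 port 40002 ssh2
Mar  3 10:00:06 gw sshd[1203]: Failed password for root from 10.0.0.10 port 40003 ssh2
Mar  3 10:00:07 gw sshd[1204]: Failed password for root from 10.0.0.10 port 40004 ssh2
Mar  3 10:01:00 gw sshd[1210]: Failed password for alice from 10.0.0.1 port 50001 ssh2
Mar  3 10:02:00 gw sshd[1220]: Invalid user test from 192.0.2.7
Mar  3 10:02:01 gw sshd[1221]: Invalid user guest from 192.0.2.7
Mar  3 10:02:02 gw sshd[1222]: Invalid user oracle from 192.0.2.7
Mar  3 10:03:00 gw sshd[1230]: Accepted publickey for alice from 10.0.0.1 port 50002 ssh2
EOF
}

# Stand-alone demonstration with the script's threshold of 3.
demo() {
    log=$(mktemp) || exit 1
    sample_log > "$log"
    echo "addresses with more than 3 failures:"
    offenders "$log" 3
    rm -f "$log"
}
demo
```

With the threshold of 3 that sshblock uses, only 10.0.0.10 is printed; 192.0.2.7 sits exactly at the limit, which is the same "-gt" behaviour as the script. Lowering the threshold to 2 adds 192.0.2.7, and running update_blocklist repeatedly against the same list file never produces duplicate entries.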
