Script to block ssh brute force attacks

My servers are being attacked regularly with ssh brute force attacks. I had 40,000 attempted failed logons over 7 hours from one IP address recently; at the peak it was doing 4 attempts a second.

This script works fine on the Debian servers. It looks for the 'Illegal user' entries in a LOGFILE. If more than BADCOUNT are seen from the same IP address, it gets added to hosts.deny (man 5 hosts_access) and thus is unable to bother sshd again. root will get mail when it does stuff. You can make sure it doesn't lock you out by adding your trusted IP addresses to hosts.allow.

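#!/bin/bash
# Ban hosts that produce too many sshd 'Illegal user' log entries.
LOGFILE="/var/log/auth.log"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="10"

# Split each matching line on ':' and take field 7, where this script
# expects the source address, then count occurrences per address.
grep "Illegal user" "$LOGFILE" | cut -d':' -f 7 | cut -d' ' -f1 | sort | uniq -c | while read -r count ip
do
    # Skip blank entries; an empty $ip would otherwise break the grep below
    [ -n "$ip" ] || continue
    # Already listed? Match the exact line as a fixed string, so the dots are
    # not regex wildcards and 1.2.3.4 does not match 11.2.3.45
    if ! grep -qxF "sshd: $ip" "$HOSTSDENY"
    then
        if [ "$count" -ge "$BADCOUNT" ]
        then
            # Output from a cron run is what gets mailed to root
            echo "banned from sshd: $ip"
            echo "sshd: $ip" >> "$HOSTSDENY"
        fi
    fi
done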
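
The counting step again, with the address read from the end of each log line and checked as IPv4 before it can reach hosts.deny. This is an added example, not the original script: the function names `offenders` and `sample_log`, the sample log lines and the `::ffff:` address prefix are constructed assumptions.

```bash
# Added example, not the original script. Function names and log lines are
# constructed; the "::ffff:" address prefix in the log format is an assumption.

# Print every address with at least $1 "Illegal user" entries on stdin.
offenders() {
    awk -v min="$1" '
        # Accept only dotted-quad IPv4 with each octet in 0..255.
        function valid(ip,    n, o, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                    return 0
            return 1
        }
        # sshd writes the address last, so read it from the end of the line.
        # The user name earlier in the line is chosen by the remote client
        # and may contain ":" or spaces, which shifts cut-style field numbers.
        /sshd\[[0-9]+\]: Illegal user / && $(NF - 1) == "from" {
            ip = $NF
            sub(/^::ffff:/, "", ip)
            if (valid(ip)) seen[ip]++
        }
        END { for (ip in seen) if (seen[ip] >= min) print ip }
    ' | sort
}

# Constructed sample input (documentation address ranges only).
sample_log() {
    cat <<'EOF'
Oct 10 03:00:01 host sshd[100]: Illegal user test from ::ffff:192.0.2.10
Oct 10 03:00:02 host sshd[101]: Illegal user admin from ::ffff:192.0.2.10
Oct 10 03:00:03 host sshd[102]: Illegal user guest from ::ffff:192.0.2.10
Oct 10 03:00:04 host sshd[103]: Illegal user a:b from ::ffff:203.0.113.5
Oct 10 03:00:05 host sshd[104]: Illegal user bob from ::ffff:999.1.1.1
EOF
}

sample_log | offenders 3
```

On the fourth sample line `cut -d':' -f 7` yields `ffff` rather than an address, which is why only validated output should be appended as `sshd: ADDRESS`.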